Displaying acl log entries, Enabling strict, Control of acl filtering of fragmented packets – Brocade FastIron Ethernet Switch Security Configuration Guide User Manual
Page 128

The above commands create ACL entries that include the log option, then bind the ACL to interface e 9/12. Statistics for packets that match the deny statement will be logged.
Syntax: logging-enable
NOTE
The logging-enabled command applies to IPv6 devices only. For IPv4 devices, use the ACL-logging
command as shown in the previous example.
Displaying ACL Log Entries
The first time an entry in an ACL permits or denies a packet and logging is enabled for that entry, the
software generates a Syslog message and an SNMP trap. Messages for packets permitted or denied
by ACLs are at the warning level of the Syslog.
When the first Syslog entry for a packet permitted or denied by an ACL is generated, the software
starts an ACL timer. After this, the software sends Syslog messages every five minutes. If an ACL
entry does not permit or deny any packets during the timer interval, the software does not generate a
Syslog entry for that ACL entry.
NOTE
For an ACL entry to be eligible to generate a Syslog entry for denied packets, logging must be enabled
for the entry. The Syslog contains entries only for the ACL entries that deny packets and have logging
enabled.
To display Syslog entries, enter the show log command from any CLI prompt:
device#show log
Syslog logging: enabled (0 messages dropped, 2 flushes, 0 overruns)
Buffer logging: level ACDMEINW, 9 messages logged
level code: A=alert C=critical D=debugging M=emergency E=error
I=informational N=notification W=warning
Dynamic Log Buffer (50 lines):
0d00h12m18s:W:ACL: ACL: List 122 denied tcp 10.20.15.6(0)(Ethernet 4 0000.0004.01) -> 10.20.18.6(0), 1 event(s)
0d00h12m18s:W:ACL: ACL: List 122 denied tcp 10.20.15.2(0)(Ethernet 4 0000.0004.01) -> 10.20.18.2(0), 1 event(s)
0d00h12m18s:W:ACL: ACL: List 122 denied tcp 10.20.15.4(0)(Ethernet 4 0000.0004.01) -> 10.20.18.4(0), 1 event(s)
0d00h12m18s:W:ACL: ACL: List 122 denied tcp 10.20.15.3(0)(Ethernet 4 0000.0004.01) -> 10.20.18.3(0), 1 event(s)
0d00h12m18s:W:ACL: ACL: List 122 denied tcp 10.20.15.5(0)(Ethernet 4 0000.0004.01) -> 10.20.18.5(0), 1 event(s)
0d00h12m18s:I:ACL: 122 applied to port 4 by from console session
0d00h10m12s:I:ACL: 122 removed from port 4 by from console session
0d00h09m56s:I:ACL: 122 removed from port 4 by from console session
0d00h09m38s:I:ACL: 122 removed from port 4 by from console session
Syntax: show log
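The show log output above is what a collector actually receives from the switch, and two details of it matter for detection: the warning-level lines carry an "N event(s)" counter because the switch aggregates hits over its ACL timer interval rather than writing one line per packet, and the informational lines record when an ACL was bound to or removed from a port. The following Python is an added example, not code from the Brocade guide; it parses both line types from the sample output (rejoined onto single lines), sums the event counters per ACL, and lists the distinct denied sources. The regular expressions, record fields and function names are this example's own assumptions about the line layout shown on the page.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the "show log" lines from the page, with the
# PDF line wraps rejoined so each Syslog entry sits on one line.
SAMPLE_LOG = """\
0d00h12m18s:W:ACL: ACL: List 122 denied tcp 10.20.15.6(0)(Ethernet 4 0000.0004.01) -> 10.20.18.6(0), 1 event(s)
0d00h12m18s:W:ACL: ACL: List 122 denied tcp 10.20.15.2(0)(Ethernet 4 0000.0004.01) -> 10.20.18.2(0), 1 event(s)
0d00h12m18s:W:ACL: ACL: List 122 denied tcp 10.20.15.4(0)(Ethernet 4 0000.0004.01) -> 10.20.18.4(0), 1 event(s)
0d00h12m18s:W:ACL: ACL: List 122 denied tcp 10.20.15.3(0)(Ethernet 4 0000.0004.01) -> 10.20.18.3(0), 1 event(s)
0d00h12m18s:W:ACL: ACL: List 122 denied tcp 10.20.15.5(0)(Ethernet 4 0000.0004.01) -> 10.20.18.5(0), 1 event(s)
0d00h12m18s:I:ACL: 122 applied to port 4 by from console session
0d00h10m12s:I:ACL: 122 removed from port 4 by from console session
"""

# Uptime stamp as printed by the switch, e.g. 0d00h12m18s (days, hours, minutes, seconds).
UPTIME_RE = re.compile(r"^(\d+)d(\d+)h(\d+)m(\d+)s$")

# Warning-level line written when an ACL entry with logging enabled matches traffic.
# The group names (acl, sport, iface, ...) are this example's own, not vendor terms.
MATCH_RE = re.compile(
    r"^(?P<uptime>\d+d\d+h\d+m\d+s):(?P<sev>[A-Z]):ACL: ACL: List (?P<acl>\d+) "
    r"(?P<action>permitted|denied) (?P<proto>\S+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\)\((?P<iface>[^)]*)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<events>\d+) event\(s\)$"
)

# Informational line written when an ACL is bound to or removed from a port.
BIND_RE = re.compile(
    r"^(?P<uptime>\d+d\d+h\d+m\d+s):(?P<sev>[A-Z]):ACL: (?P<acl>\d+) "
    r"(?P<change>applied to|removed from) port (?P<port>\S+)\b"
)


def uptime_seconds(stamp):
    """Convert a 0d00h12m18s style stamp into seconds of switch uptime."""
    m = UPTIME_RE.match(stamp)
    if not m:
        raise ValueError(f"bad uptime stamp: {stamp!r}")
    d, h, mi, s = (int(x) for x in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s


@dataclass(frozen=True)
class AclMatch:
    uptime_s: int
    acl: str
    action: str
    proto: str
    src: str
    sport: int
    iface: str
    dst: str
    dport: int
    events: int  # hits the switch aggregated over its logging interval


@dataclass(frozen=True)
class AclBinding:
    uptime_s: int
    acl: str
    change: str  # "applied to" or "removed from"
    port: str


def parse_log(text):
    """Split show log output into ACL match records, ACL binding records and
    lines this parser does not recognise (returned, never silently dropped)."""
    matches, bindings, unparsed = [], [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = MATCH_RE.match(line)
        if m:
            g = m.groupdict()
            matches.append(AclMatch(
                uptime_s=uptime_seconds(g["uptime"]), acl=g["acl"], action=g["action"],
                proto=g["proto"], src=g["src"], sport=int(g["sport"]), iface=g["iface"],
                dst=g["dst"], dport=int(g["dport"]), events=int(g["events"])))
            continue
        b = BIND_RE.match(line)
        if b:
            g = b.groupdict()
            bindings.append(AclBinding(
                uptime_s=uptime_seconds(g["uptime"]), acl=g["acl"],
                change=g["change"], port=g["port"]))
            continue
        unparsed.append(line)
    return matches, bindings, unparsed


def denied_events_by_acl(matches):
    """Sum the event(s) counter per ACL. The switch writes one line per timer
    interval, so summing the counter (not counting lines) gives the deny volume."""
    totals = {}
    for rec in matches:
        if rec.action == "denied":
            totals[rec.acl] = totals.get(rec.acl, 0) + rec.events
    return totals


def distinct_denied_sources(matches, acl):
    """Sorted source addresses denied by one ACL; many distinct sources hitting a
    single deny entry within one interval is the pattern worth reviewing."""
    return sorted({rec.src for rec in matches if rec.acl == acl and rec.action == "denied"})


if __name__ == "__main__":
    matches, bindings, unparsed = parse_log(SAMPLE_LOG)
    print(denied_events_by_acl(matches))  # {'122': 5}
    print(distinct_denied_sources(matches, "122"))
    print([(b.uptime_s, b.change, b.port) for b in bindings])
    print("unparsed:", unparsed)
```

Because the uptime stamps are relative to the last reboot rather than wall-clock time, a collector that correlates these lines with other sources needs the switch's boot time (or the Syslog header timestamp, if the switch sends to a remote server) to place them on a timeline; the binding lines are also the ones to alert on, since an ACL being removed from a port silently stops both the filtering and the logging.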
Enabling strict control of ACL filtering of fragmented packets
The default processing of fragments by hardware-based ACLs is as follows:
• The first fragment of a packet is permitted or denied using the ACLs. The first fragment is handled
the same way as non-fragmented packets, since the first fragment contains the Layer 4 source and
destination application port numbers. The device uses the Layer 4 CAM entry if one is programmed,
FastIron Ethernet Switch Security Configuration Guide
53-1003088-03