Matching on tcp header flags for ipv4 acls, Acl deny logging – Brocade Multi-Service IronWare Security Configuration Guide (Supporting R05.6.00) User Manual
Multi-Service IronWare Security Configuration Guide
53-1003035-02
Matching on TCP header flags for IPv4 ACLs
In this release, you can match packets on one additional TCP header flag using IPv4 ACLs. The following command implements the additional TCP parameter for IPv4 ACLs.
Syntax: [no] access-list num permit | deny tcp any any syn
The num parameter indicates the ACL number and must be from 1 - 99 for a standard ACL or from 100 - 199 for an extended ACL.
The tcp parameter indicates that you are filtering on the TCP header.
The syn parameter directs the ACL to permit or deny based on the state of the SYN flag in the TCP header. The condition is met when the flag is set to 1.
ACL deny logging
The ACL Deny Logging feature records traffic flows that are denied by an ACL bound to a port. When
a packet is denied by an ACL, a Syslog entry is generated and a timer is started to keep track of the
packets from this packet flow. After the timer expires (default: 5 minutes), another Syslog entry is
generated if there is any packet from the tracked packet flow that was denied.
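As an added illustration (not code from the guide or the device), the Python model below reproduces the deny-logging behaviour just described: the first denied packet of a flow produces a syslog entry and starts a timer (default 300 seconds), further denies only increment a counter while the timer runs, and when it expires one more entry is written if any packets were counted. The flow key, the log-line format and the assumption that the timer restarts after a summary entry are mine, not the device's.

```python
from dataclasses import dataclass, field

DEFAULT_TIMER_SECS = 300  # the guide's default: 5 minutes


@dataclass
class DenyLogTracker:
    """Per-flow state modelling the ACL Deny Logging behaviour described above."""
    timer_secs: int = DEFAULT_TIMER_SECS
    syslog: list = field(default_factory=list)
    # flow key -> [timer expiry time (s), denied packets counted since the last entry]
    _tracked: dict = field(default_factory=dict)

    def deny(self, flow, now):
        """A packet of `flow` was dropped at `now` by a deny filter carrying the log keyword."""
        if flow not in self._tracked:
            # First denied packet of this flow: one syslog entry, and the timer starts.
            self.syslog.append(f"{now}s ACL denied {flow}")
            self._tracked[flow] = [now + self.timer_secs, 0]
        else:
            # Timer still running: only count the packet, no new entry.
            self._tracked[flow][1] += 1

    def expire(self, now):
        """Handle every tracked flow whose timer has elapsed at time `now`."""
        for flow, (expiry, count) in list(self._tracked.items()):
            if now < expiry:
                continue
            if count:
                self.syslog.append(f"{now}s ACL denied {flow} ({count} packets since last entry)")
                # Assumption (not stated in the guide): the timer restarts, so a persistent
                # flow produces at most one entry per interval.
                self._tracked[flow] = [now + self.timer_secs, 0]
            else:
                del self._tracked[flow]  # flow went quiet: stop tracking it


def simulate(events, timer_secs=DEFAULT_TIMER_SECS):
    """events: constructed (time_secs, flow) denies. Returns the syslog lines produced."""
    tracker = DenyLogTracker(timer_secs)
    pending = sorted(events)
    end = (pending[-1][0] if pending else 0) + timer_secs
    for now in range(end + 1):  # advance the clock one second at a time
        tracker.expire(now)
        while pending and pending[0][0] == now:
            tracker.deny(pending.pop(0)[1], now)
    return tracker.syslog
```

The point for anyone collecting these logs is that a denied flow yields at most one entry per timer interval, so entry counts understate packet counts.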
ACL Deny Logging is supported for the following:
• IPv4 Inbound ACLs
• IP Receive ACLs
ACL Deny Logging is not supported for the following:
• ACL-based Rate Limiting
• Policy Based Routing
• IPv6 ACLs
Configuration notes
Carefully consider each of the following statements before configuring the ACL Deny Logging feature on your device:
• The ACL deny logging feature may be enabled together with the ip access-group redirect-deny-to-interf command. However, if the ip access-group enable-deny-logging command and the ip access-group redirect-deny-to-interf command are configured on the same interface, a syslog entry is created for packets matching a deny filter that contains the log keyword, and the packet is dropped. Packets matching a log-enabled filter are not redirected to the specified interface. The ip access-group redirect-deny-to-interf command applies only to inbound ACLs.
• The ip access-group redirect-deny-to-interf command cannot be applied on VPLS, VLL, or VLL-local endpoints and vice versa. Refer to “Configuration considerations for IPv4 outbound ACLs on VPLS, VLL, and VLL-Local endpoints”.
NOTE
Redirect-deny packets do not apply to outbound traffic.