Brocade Multi-Service IronWare Security Configuration Guide (Supporting R05.6.00) User Manual

53-1003035-02

ACL deny logging

On Brocade NetIron CES and Brocade NetIron CER devices, ACL Deny Logging takes
precedence over ACL Accounting. If the ip access-group enable-deny-logging command is
configured on the interface, and both keywords (enable-accounting and log) are present in the
same ACL clause, the statistics for that specific ACL clause are not collected. Both keywords
still appear in the output of the show access-list accounting command, indicating that logging is
enabled, but the statistics for that specific ACL clause are not available. In the example output
below, the deny enable-accounting and log keywords are applied to ip host 10.1.2.104/16.

    0: deny enable-accounting ip host 10.1.2.104 10.19.0.0 10.0.255.255 log
       Hit count: Accounting is not available due to deny logging

ACL Deny Logging is a CPU-based feature. Consequently, to maintain maximum performance,
we recommend that you selectively enable the logging option only on the deny filters for which
you need to see the logs.

ACL Deny Logging generates Syslog entries only. No SNMP traps are issued.

The ACL Deny Logging feature is supported for inbound ACLs only.

You can configure the maximum number of ACL session entries using the system-max
session-limit command, as described in the Brocade MLXe and NetIron Family Configuration
Guide. Only two-thirds of the number of sessions specified with the system-max session-limit
command are available for ACL or uRPF logging.

On user interfaces, ACL logging is applicable only to traffic matching ACL deny clauses; on the
management interface, it is also applicable to traffic matching ACL permit clauses.
In the first example output displayed below, the deny and log keywords are enabled for the
extended IP access list mlx-sample-acl-log-redirect-mirror-001. In the second example output,
the show run interface command displays the logging and redirect options enabled on the
interface and the ACL applied to the inbound port.

    Extended IP access list mlx-sample-acl-log-redirect-mirror-001
    0: deny udp any 10.11.0.0 10.0.0.127 log
    1: deny ip host 10.102.102.21 any dscp-mapping 3 non-fragment
    2: deny tcp host 10.102.102.23 eq 10023 any eq 10024 dscp-mapping 3 non-fragment
    3: permit udp 10.102.102.128 10.0.0.127 any mirror
    4: permit ip any any

    Brocade(config-if-e100000-3/1)#show run interface ethernet 3/1
    interface ethernet 3/1
     enable
     rate-limit input 49999998416 7500000000
     ip address 10.103.31.254/8
     ip address 10.102.102.254/24
     ip address 10.103.31.254/16
     ip address 10.103.31.254/24
     ip directed-broadcast
     ip access-group enable-deny-logging
     ip access-group redirect-deny-to-interf 1/8
     ip access-group mlx-sample-acl-log-redirect-mirror-001 in
     ip access-group 102 out
     ipv6 address 2001:DB8::1/64
     ipv6 traffic-filter t3-mirror-redirect2 in
     acl-mirror-port ethernet 1/7
    !

In the output example above, filters 0 and 1 describe the following.
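The rules in this section (deny logging taking precedence over accounting on CES/CER when enable-deny-logging is set on the interface, deny logging applying to inbound ACLs only, the two-thirds share of system-max session-limit available for ACL and uRPF logging, and log having effect only on deny clauses on user interfaces) can be checked mechanically from saved CLI output. The script below is an added example written for this page, not code from the Brocade guide or from Brocade: it parses the extended IP access list listing and the show run interface stanza in the formats shown above and reports clauses whose hit counts or log entries will not be what an operator expects. The sample inputs are constructed from the listings on this page plus two extra clauses (5 and 6); the floor rounding in the session calculation is an assumption, since the guide only states two-thirds.

```python
"""Audit Brocade NetIron ACL clauses for logging/accounting interactions.

Added example for this page (not Brocade code). Inputs are constructed
from the listings shown in the guide's ACL Deny Logging section.
"""
import re
from dataclasses import dataclass, field

# Constructed sample listing. Clauses 0-4 are the guide's example ACL;
# clause 5 is the guide's CES/CER enable-accounting + log example;
# clause 6 is added here to show a permit clause carrying log.
SAMPLE_ACL = """\
Extended IP access list mlx-sample-acl-log-redirect-mirror-001
0: deny udp any 10.11.0.0 10.0.0.127 log
1: deny ip host 10.102.102.21 any dscp-mapping 3 non-fragment
2: deny tcp host 10.102.102.23 eq 10023 any eq 10024 dscp-mapping 3 non-fragment
3: permit udp 10.102.102.128 10.0.0.127 any mirror
4: permit ip any any
5: deny enable-accounting ip host 10.1.2.104 10.19.0.0 10.0.255.255 log
6: permit tcp any any eq 22 log
"""

# Constructed interface stanza, trimmed from the guide's show run example.
SAMPLE_IFACE = """\
interface ethernet 3/1
 enable
 ip access-group enable-deny-logging
 ip access-group mlx-sample-acl-log-redirect-mirror-001 in
 ip access-group 102 out
!
"""

HEADER_RE = re.compile(r"^Extended IP access list (\S+)")
CLAUSE_RE = re.compile(r"^\s*(\d+):\s+(permit|deny)\s+(.*)$")
INBOUND_RE = re.compile(r"^ip access-group (\S+) in$")


@dataclass
class Clause:
    index: int
    action: str        # "permit" or "deny"
    keywords: set      # every token after the action, e.g. {"log", "udp", ...}
    text: str


@dataclass
class Interface:
    name: str = ""
    deny_logging: bool = False          # ip access-group enable-deny-logging present
    inbound_acls: list = field(default_factory=list)


def parse_acl(listing):
    """Return (acl_name, [Clause]) from an 'Extended IP access list' listing."""
    name, clauses = None, []
    for line in listing.splitlines():
        m = HEADER_RE.match(line)
        if m:
            name = m.group(1)
            continue
        m = CLAUSE_RE.match(line)
        if m:
            idx, action, rest = int(m.group(1)), m.group(2), m.group(3)
            clauses.append(Clause(idx, action, set(rest.split()), line.strip()))
    return name, clauses


def parse_interface(stanza):
    """Pick the deny-logging flag and inbound ACL names out of a show run stanza."""
    iface = Interface()
    for raw in stanza.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            iface.name = line[len("interface "):]
        elif line == "ip access-group enable-deny-logging":
            iface.deny_logging = True
        else:
            m = INBOUND_RE.match(line)
            if m:
                iface.inbound_acls.append(m.group(1))
    return iface


def audit(iface, acl_name, clauses, management_interface=False):
    """Return (clause_index, message) findings based on the section's rules."""
    findings = []
    if acl_name not in iface.inbound_acls:
        return findings  # ACL Deny Logging applies to inbound ACLs only
    for c in clauses:
        if (c.action == "deny" and iface.deny_logging
                and {"log", "enable-accounting"} <= c.keywords):
            findings.append((c.index, "CES/CER: hit count unavailable, deny logging "
                                      "takes precedence over accounting"))
        if c.action == "permit" and "log" in c.keywords and not management_interface:
            findings.append((c.index, "log on a permit clause produces no entries "
                                      "on a user interface"))
    return findings


def acl_logging_sessions(session_limit):
    """Sessions usable for ACL/uRPF logging: two-thirds of system-max
    session-limit. Floor rounding is an assumption made in this example."""
    return session_limit * 2 // 3


if __name__ == "__main__":
    acl_name, acl_clauses = parse_acl(SAMPLE_ACL)
    intf = parse_interface(SAMPLE_IFACE)
    for idx, msg in audit(intf, acl_name, acl_clauses):
        print(f"{intf.name} {acl_name} clause {idx}: {msg}")
    print("ACL/uRPF logging sessions for session-limit 3000:",
          acl_logging_sessions(3000))
```

Run it against pasted show access-list and show run interface output; the two findings for the constructed sample are clause 5 (accounting silently unavailable) and clause 6 (a permit clause whose log keyword will never fire on ethernet 3/1), which is exactly the kind of gap that leaves a detection rule waiting for Syslog entries that cannot arrive.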