Configuring acl deny logging for ipv4 acls – Brocade Multi-Service IronWare Security Configuration Guide (Supporting R05.6.00) User Manual
Multi-Service IronWare Security Configuration Guide (53-1003035-02), page 155, chapter 3, ACL deny logging
Configuring ACL deny logging for IPv4 ACLs
Configuring ACL deny logging for IPv4 ACLs requires the following:
• Enabling the log option
• Enabling ACL deny logging on an interface
Enabling the log option
ACL logging requires that you add the log option to an ACL statement, as shown:
Brocade(config)#access-list 101 deny ip any any log
The log option enables logging for the ACL being defined.
The ACL or RPF logging mechanism on the Interface modules logs a maximum of 256 messages per minute and sends these messages to the Management module. A rate-limiting mechanism limits the number of log messages sent from the Interface module CPU to the Management module CPU to 5 messages per second. Because this delays the delivery of messages to the Management module, in the worst case, with all 256 packets arriving at the same time on the Interface module, the time values stamped by the Management module on the messages can vary by as much as 60 seconds.
Enabling ACL deny logging on an interface
The ip access-group enable-deny-logging command must be configured, as shown, on each interface on which you want ACL deny logging to function.
Brocade(config)# interface ethernet 5/1
Brocade(config-if-e1000-5/1)# ip access-group enable-deny-logging
Syntax: [no] ip access-group enable-deny-logging [hw-drop]
NOTE
The ip access-group enable-deny-logging command cannot be applied on VPLS, VLL, or VLL-local endpoints and vice versa. When configuring the ip access-group enable-deny-logging command on VPLS, VLL, and VLL-Local endpoints, refer to “Configuration considerations for IPv4 outbound ACLs on VPLS, VLL, and VLL-Local endpoints”.
NOTE
The ip access-group enable-deny-logging command is not required to turn on logging on the management port. The management port supports logging for both permit and deny filters.
The hw-drop option specifies that ACL log packets are dropped in hardware, which reduces the CPU load. In practice this means that the packet counts for denied traffic only account for the first packet in each time cycle. The no ip access-group enable-deny-logging hw-drop command removes only the hw-drop keyword.
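The two rate limits described above (at most 256 log messages per minute on the Interface module, and 5 messages per second from the Interface module CPU to the Management module CPU) and the hw-drop accounting rule both affect what a log analyst actually sees: timestamps lag the real deny events, a burst beyond the per-minute cap is silently truncated, and with hw-drop the denied-packet counters understate the real volume. The following Python model is an added illustration constructed for this page; it is not Brocade code. The burst inputs are constructed, and the assumption that forwarding to the Management module proceeds from a single queue at even 0.2 s intervals is mine.

```python
"""Toy model of the ACL deny-logging pipeline described on this page.

Constructed illustration, not Brocade code. It models:
  1. the Interface module cap of 256 log messages per minute,
  2. the 5 messages/second limit towards the Management module,
  3. the hw-drop rule that only the first denied packet per time cycle
     reaches the CPU and is counted.
"""
from dataclasses import dataclass
from typing import List, Tuple

IF_MODULE_CAP_PER_MIN = 256   # Interface module logs at most 256 messages/minute
MGMT_RATE_PER_SEC = 5         # Interface CPU -> Management CPU limited to 5 msg/s


@dataclass
class LogStats:
    delivered: int            # messages that reached the Management module
    dropped: int              # messages lost to the per-minute cap
    max_timestamp_skew: float  # worst gap (s) between event time and Management stamp


def simulate_burst(arrival_times: List[float]) -> LogStats:
    """Feed deny events (event times in seconds) through both limiters.

    Assumption (mine): the Management module stamps each message at the
    moment it is forwarded, so the stamp lags the real event by the time the
    message waited in the 5 msg/s queue.
    """
    accepted: List[float] = []
    dropped = 0
    window_start = None
    window_count = 0
    for t in sorted(arrival_times):
        # Per-minute cap on the Interface module: a fresh 60 s window opens
        # at the first event and again once 60 s have elapsed.
        if window_start is None or t - window_start >= 60.0:
            window_start, window_count = t, 0
        if window_count >= IF_MODULE_CAP_PER_MIN:
            dropped += 1          # beyond the cap: never logged at all
            continue
        window_count += 1
        accepted.append(t)

    # Forwarding queue at 5 msg/s: a message leaves no earlier than it
    # arrived and no earlier than 1/5 s after the previous message left.
    next_free = 0.0
    max_skew = 0.0
    for t in accepted:
        send_time = max(t, next_free)
        next_free = send_time + 1.0 / MGMT_RATE_PER_SEC
        max_skew = max(max_skew, send_time - t)
    return LogStats(len(accepted), dropped, max_skew)


def hw_drop_count(packets_per_cycle: List[int]) -> Tuple[int, int]:
    """Denied-packet accounting with and without hw-drop.

    packets_per_cycle[i] is the number of denied packets seen in cycle i.
    Without hw-drop every denied packet is counted; with hw-drop only the
    first packet of each non-empty cycle reaches the CPU and is counted.
    Returns (count_without_hw_drop, count_with_hw_drop).
    """
    without_hw_drop = sum(packets_per_cycle)
    with_hw_drop = sum(1 for n in packets_per_cycle if n > 0)
    return without_hw_drop, with_hw_drop


if __name__ == "__main__":
    # Constructed worst case from the text: 256 deny events at the same instant.
    print(simulate_burst([0.0] * 256))
    # Constructed overload: 300 events at once, 44 never make it to syslog.
    print(simulate_burst([0.0] * 300))
    # Constructed cycle counts: 10, 0, 3 and 1 denied packets per cycle.
    print(hw_drop_count([10, 0, 3, 1]))
```

With 256 simultaneous events the model's last message is stamped 51 s after the event, inside the "as much as 60 seconds" bound the manual gives; the practical consequence is that correlation rules keyed on Management-module timestamps need a tolerance of about a minute, and a syslog count that never exceeds 256 per minute per Interface module is a sign of the cap, not of the real deny rate.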
filter 0: enable-deny-logging is enabled and the filter contains the keyword log, so an entry is created in the syslog file; no redirection occurs.
filter 1: redirect-deny-to-interf is enabled and the filter does not contain the keyword log, so matching packets are forwarded out interface e 1/8, no log entry is created, and statistics are collected.