Configuring acl deny logging for ip receive acls, Configuring the log timer, Support for acl cam sharing – Brocade Multi-Service IronWare Security Configuration Guide (Supporting R05.6.00) User Manual
Multi-Service IronWare Security Configuration Guide
53-1003035-02
ACL deny logging
NOTE
Using this command, ACL logging can be enabled and disabled dynamically; it does not require
you to rebind the ACLs using the ip rebind-acl command.
Configuring ACL Deny Logging for IP receive ACLs
Because ACL Logging for IP Receive ACLs applies to all CPU-bound traffic, you only need to
configure the following command globally, as shown.
Brocade(config)#ip receive access-list enable-deny-logging
Syntax: [no] ip receive access-list enable-deny-logging [hw-drop]
The hw-drop option specifies that IP Receive ACL Log packets are dropped in hardware. This is
implemented to reduce the CPU load. In practice this means that the packet counts for denied
traffic account only for the first packet in each time cycle. The no ip receive access-list
enable-deny-logging hw-drop command removes only the hw-drop keyword.
NOTE
Using this command, ACL logging can be enabled and disabled dynamically; it does not require
you to rebind the ACLs using the ip rebind-receive-acl command.
Configuring the log timer
You can specify how long the system waits before it sends a message to the Syslog by entering a
command such as the following.
Brocade(config)# ip access-list logging-age 2
Syntax: ip access-list logging-age minutes
Enter 1 – 10 minutes. The default is 5 minutes.
Support for ACL CAM sharing
For ports sharing a PPCR to which the same ACLs are bound, ACL CAM sharing only applies if all or
none of the ports have ACL Deny Logging configured.
In the following example, ports 4/1 and 4/2 in the same packet processor (PPCR) are bound with
inbound ACL 101, but only port 4/2 has the ip access-group enable-deny-logging command
configured.
Brocade(config)# enable-acl-cam-sharing
Brocade(config)# interface ethernet 4/1
Brocade(config-if-e1000-4/1)# ip access-group 101 in
Brocade(config)# interface ethernet 4/2
Brocade(config-if-e1000-4/2)# ip access-group 101 in
Brocade(config-if-e1000-4/2)# ip access-group enable-deny-logging
Because the two ports do not have the same ACL Deny Logging configuration, a separate set of ACL CAM
entries is programmed for each of ports 4/1 and 4/2.
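The rule above (CAM sharing applies only when all or none of the ports that share a PPCR and the same ACL have deny logging configured) is easy to violate by accident on a large configuration. The following audit script is an added example, not code from the Brocade guide or from Brocade: it parses a constructed running-config snippet using the command forms shown above, groups ports by PPCR and ACL binding, and reports groups whose deny-logging settings differ. The PPCR-to-port mapping (`ppcr_of`, four consecutive ports per PPCR) is a hypothetical assumption; the real grouping depends on the line card, so substitute your platform's mapping before relying on the output.

```python
"""Audit a Brocade-style running config for ACL CAM-sharing conflicts.

Added example, not from the Brocade guide. It assumes a hypothetical
PPCR-to-port mapping, a constructed config snippet, and the command forms
shown in the guide ("ip access-group <acl> in" and
"ip access-group enable-deny-logging").
"""
import re
from collections import defaultdict

# CONSTRUCTED sample configuration: 4/1 and 4/2 share ACL 101 but differ on
# deny logging; 4/3 and 4/4 share ACL 102 and both log denies; 5/1 is alone.
SAMPLE_CONFIG = """\
enable-acl-cam-sharing
interface ethernet 4/1
 ip access-group 101 in
interface ethernet 4/2
 ip access-group 101 in
 ip access-group enable-deny-logging
interface ethernet 4/3
 ip access-group 102 in
 ip access-group enable-deny-logging
interface ethernet 4/4
 ip access-group 102 in
 ip access-group enable-deny-logging
interface ethernet 5/1
 ip access-group 101 in
"""

INTERFACE_RE = re.compile(r"^interface ethernet (\d+)/(\d+)\s*$")
BIND_RE = re.compile(r"^\s*ip access-group (\S+) (in|out)\s*$")
LOGGING_RE = re.compile(r"^\s*ip access-group enable-deny-logging\s*$")

PORTS_PER_PPCR = 4  # ASSUMPTION: hypothetical; the real grouping depends on the line card


def ppcr_of(slot, port):
    """Hypothetical PPCR identifier: consecutive ports on a slot grouped in fours."""
    return (slot, (port - 1) // PORTS_PER_PPCR)


def parse_config(text):
    """Return {(slot, port): {"acls": {(acl, direction), ...}, "deny_logging": bool}}."""
    interfaces = {}
    current = None
    for line in text.splitlines():
        m = INTERFACE_RE.match(line)
        if m:
            current = (int(m.group(1)), int(m.group(2)))
            interfaces[current] = {"acls": set(), "deny_logging": False}
            continue
        if current is None:
            continue  # global commands such as enable-acl-cam-sharing
        if LOGGING_RE.match(line):
            interfaces[current]["deny_logging"] = True
            continue
        m = BIND_RE.match(line)
        if m:
            interfaces[current]["acls"].add((m.group(1), m.group(2)))
    return interfaces


def find_cam_sharing_conflicts(interfaces):
    """Group ports by (PPCR, ACL binding) and flag groups with mixed deny-logging settings.

    Such a group cannot share CAM entries: each port gets its own set of entries.
    """
    groups = defaultdict(list)
    for (slot, port), info in interfaces.items():
        for binding in info["acls"]:
            groups[(ppcr_of(slot, port), binding)].append(((slot, port), info["deny_logging"]))
    conflicts = []
    for (ppcr, binding), members in sorted(groups.items()):
        if len({logging for _, logging in members}) > 1:
            conflicts.append({
                "ppcr": ppcr,
                "acl": binding[0],
                "direction": binding[1],
                "ports": sorted(f"{s}/{p}" for (s, p), _ in members),
            })
    return conflicts


if __name__ == "__main__":
    for c in find_cam_sharing_conflicts(parse_config(SAMPLE_CONFIG)):
        print(f"PPCR {c['ppcr']} ACL {c['acl']} {c['direction']}: "
              f"inconsistent deny logging on {c['ports']}")
```

Run against the constructed snippet, the script reports the single ACL 101 group on ports 4/1 and 4/2; the ACL 102 group passes because both of its ports log denies. Replace `SAMPLE_CONFIG` with the output of `show running-config` and `ppcr_of` with your platform's port-to-PPCR mapping to audit a real device.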