Enabling acl logging – Brocade TurboIron 24X Series Configuration Guide User Manual

Brocade TurboIron 24X Series Configuration Guide

917

53-1003053-01

Applying an ACL to a virtual interface in a protocol- or subnet-based VLAN

By default, when you apply an ACL to a virtual interface in a protocol-based or subnet-based VLAN,
the ACL takes effect on all protocol or subnet VLANs to which the untagged port belongs. To
prevent the device from denying packets on other virtual interfaces that do not have an ACL
applied, configure an ACL that permits packets in the IP subnet of the virtual interface in all
protocol-based or subnet-based VLANs to which the untagged port belongs. The following is an
example configuration.

TurboIron#conf t
TurboIron(config)#vlan 1 name DEFAULT-VLAN by port
TurboIron(config-vlan-1)#ip-subnet 192.168.10.0 255.255.255.0
TurboIron(config-vlan-ip-subnet)#static ethe 1
TurboIron(config-vlan-ip-subnet)#router-interface ve 10
TurboIron(config-vlan-ip-subnet)#ip-subnet 10.15.1.0 255.255.255.0
TurboIron(config-vlan-ip-subnet)#static ethe 1
TurboIron(config-vlan-ip-subnet)#router-interface ve 20
TurboIron(config-vlan-ip-subnet)#logging console
TurboIron(config-vlan-ip-subnet)#exit
TurboIron(config-vlan-1)#no vlan-dynamic-discovery
Vlan dynamic discovery is disabled
TurboIron(config-vlan-1)#int e 2
TurboIron(config-if-e10000-2)#disable
TurboIron(config-if-e10000-2)#interface ve 10
TurboIron(config-vif-10)#ip address 192.168.10.254 255.255.255.0
TurboIron(config-vif-10)#int ve 20
TurboIron(config-vif-20)#ip access-group test1 in
TurboIron(config-vif-20)#ip address 10.15.1.10 255.255.255.0
TurboIron(config-vif-20)#exit
TurboIron(config)#ip access-list extended test1
TurboIron(config-ext-nACL)#permit ip 10.15.1.0 0.0.0.255 any log
TurboIron(config-ext-nACL)#permit ip 192.168.10.0 0.0.0.255 any log
TurboIron(config-ext-nACL)#end
TurboIron#

Enabling ACL logging

You may want the software to log entries in the Syslog for packets that are denied by ACL filters.
ACL logging is disabled by default; it must be explicitly enabled on a port.

When you enable logging for ACL entries, statistics for packets that match the deny conditions of
the ACL entries are logged. For example, if you configure a standard ACL entry to deny all packets
from source address 10.157.22.26, statistics for packets that are explicitly denied by the ACL entry
are logged in the Syslog buffer and in SNMP traps sent by the device.

The first time an ACL entry denies a packet, the software immediately generates a Syslog entry and
an SNMP trap. The software also starts a five-minute timer. The timer keeps track of all packets
explicitly denied by the ACL entries. After five minutes, the software generates a single Syslog entry
for each ACL entry that denied a packet. The Syslog entry (message) indicates the number of
packets denied by the ACL entry during the previous five minutes. Note, however, that the packet count
may be inaccurate if the packet rate is high and exceeds the CPU processing rate.
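The following is an added behavioural model of the deny-logging timer described above, not Brocade code: it replays denied packets and returns the sequence of immediate events and five-minute summaries the text describes, so a log-collection pipeline can be checked against the expected pattern. It assumes (the page does not say) that the first denial by a given entry in a window gets the immediate event, that one timer is shared by all entries, and that the summary count includes the triggering packet; entry ids and timestamps in the sample are constructed.

```python
from collections import defaultdict

WINDOW = 300  # the five-minute summary timer, in seconds


class AclDenyLogger:
    """Replays denied packets and records the log events the text describes."""

    def __init__(self):
        self.timer_start = None          # None while no five-minute window is open
        self.counts = defaultdict(int)   # per-entry denials in the open window
        self.events = []                 # emitted Syslog/SNMP events, in order

    def _flush(self):
        # Timer expiry: one summary per ACL entry that denied packets in the window.
        for entry, count in sorted(self.counts.items()):
            self.events.append(("summary", entry, count, self.timer_start + WINDOW))
        self.counts.clear()
        self.timer_start = None

    def deny(self, entry, ts):
        """Record a packet denied by ACL entry `entry` at time `ts` (seconds)."""
        if self.timer_start is not None and ts >= self.timer_start + WINDOW:
            self._flush()                # previous window expired before this packet
        if self.timer_start is None:
            self.timer_start = ts        # first denial since idle starts the timer
        if self.counts[entry] == 0:
            # Assumption: first denial by this entry in the window -> immediate event.
            self.events.append(("deny", entry, ts))
        self.counts[entry] += 1

    def close(self, ts):
        """Flush the open window if the timer has expired by time `ts`."""
        if self.timer_start is not None and ts >= self.timer_start + WINDOW:
            self._flush()
        return list(self.events)


def replay(denials, end_ts):
    """Replay (entry, ts) pairs in time order; return the events the device would log."""
    logger = AclDenyLogger()
    for entry, ts in sorted(denials, key=lambda d: d[1]):
        logger.deny(entry, ts)
    return logger.close(end_ts)


# Constructed sample: a burst denied by entry 10, one packet denied by entry 20,
# then a single hit in a second window (all ids and times are made up).
SAMPLE = [(10, 0), (10, 1), (10, 2), (20, 90), (10, 299), (10, 400)]

if __name__ == "__main__":
    for event in replay(SAMPLE, 800):
        print(event)
```

The replay shows why a detection rule must treat the summary's count field as the volume indicator: after the first immediate event, a sustained burst produces no further per-packet messages until the timer expires.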