
Brocade TurboIron 24X Series Configuration Guide

53-1003053-01

Enabling ACL logging

If no ACL entries explicitly deny packets during an entire five-minute timer interval, the timer stops.
The timer restarts when an ACL entry explicitly denies a packet.

NOTE

The timer for logging packets denied by Layer 2 filters is a different timer than the ACL logging timer.

Configuration notes

Note the following before configuring ACL logging:

You can enable ACL logging on physical and virtual interfaces.

ACL logging logs denied packets only.

When ACL logging is disabled, packets that match the ACL rule are forwarded or dropped in
hardware. When ACL logging is enabled, all packets that match the ACL deny rule are sent to
the CPU. When ACL logging is enabled, Brocade recommends that you configure a traffic
conditioner, then link the ACL to the traffic conditioner to prevent CPU overload. For example:

TurboIron(config)#traffic-policy TPD1 rate-limit fixed 100 exceed-action drop

TurboIron(config)#access-list 101 deny ip host 10.10.12.2 any traffic-policy TPD1 log

ACL logging is intended for debugging purposes. Brocade recommends that you disable ACL
logging after the debug session is over.

Configuration Tasks

To enable ACL logging, complete the following steps:

1. Create ACL entries with the log option

2. Enable ACL logging on individual ports

3. Bind the ACLs to the ports on which ACL logging is enabled

Example Configuration

The following shows an example configuration on an IPv4 device.

TurboIron(config)#access-list 1 deny host 10.157.22.26 log

TurboIron(config)#access-list 1 deny 10.157.29.12 log

TurboIron(config)#access-list 1 deny host IPHost1 log

TurboIron(config)#access-list 1 permit any

TurboIron(config)#interface e 4

TurboIron(config-if-e10000-4)#ACL-logging

TurboIron(config-if-e10000-4)#ip access-group 1 in

The above commands create ACL entries that include the log option, enable ACL logging on
interface e 4, then bind the ACL to interface e 4. Statistics for packets that match the deny
statements will be logged.

Syntax: ACL-logging

The ACL-logging command applies to IPv4 devices only.
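The three steps above (log option on the entries, ACL-logging on the port, ACL bound to that port) plus the traffic-policy recommendation are easy to get partially right, leaving either a port that silently drops in hardware or a logged deny rule that floods the CPU. The following Python script is an added example, not from the Brocade guide or Brocade software: it audits a running-config excerpt for exactly those conditions. The config text it reads is constructed for illustration and reuses only commands shown on this page; the interface naming (`interface e 4`) and the lower-case `acl-logging` keyword are assumptions about how the config is displayed.

```python
"""Audit a Brocade-style config excerpt for the ACL-logging prerequisites.

Added example (not part of the Brocade guide). It checks that every port
binding an ACL with logged deny entries has acl-logging enabled, that ports
with acl-logging actually bind such an ACL, that logged deny entries are
linked to a traffic-policy (the guide's CPU-overload recommendation), and
that each referenced traffic-policy is defined.
"""
import re

# Constructed sample config: e 4 follows the guide's example but has no
# traffic-policy on its logged entries; e 5 binds a logged ACL without
# enabling acl-logging on the port.
SAMPLE_CONFIG = """\
traffic-policy TPD1 rate-limit fixed 100 exceed-action drop
access-list 1 deny host 10.157.22.26 log
access-list 1 deny 10.157.29.12 log
access-list 1 permit any
access-list 101 deny ip host 10.10.12.2 any traffic-policy TPD1 log
interface e 4
 acl-logging
 ip access-group 1 in
interface e 5
 ip access-group 101 in
"""


def parse_config(text):
    """Return (acls, interfaces, policies).

    acls: acl id -> list of entries {action, log, traffic_policy}
    interfaces: name -> {acl_logging: bool, bound_acls: [ids]}
    policies: set of defined traffic-policy names
    """
    acls, interfaces, policies = {}, {}, set()
    current_if = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"access-list (\S+) (deny|permit) (.*)$", line)
        if m:
            acl_id, action, rest = m.groups()
            tokens = rest.split()
            policy = None
            if "traffic-policy" in tokens:
                policy = tokens[tokens.index("traffic-policy") + 1]
            acls.setdefault(acl_id, []).append(
                {"action": action, "log": "log" in tokens, "traffic_policy": policy}
            )
            current_if = None
            continue
        m = re.match(r"traffic-policy (\S+)", line)
        if m:
            policies.add(m.group(1))
            current_if = None
            continue
        m = re.match(r"interface (.+)$", line)
        if m:
            current_if = m.group(1)
            interfaces[current_if] = {"acl_logging": False, "bound_acls": []}
            continue
        if current_if is not None:
            # Interface sub-mode lines (indented in the running config)
            if line.lower() == "acl-logging":
                interfaces[current_if]["acl_logging"] = True
            m = re.match(r"ip access-group (\S+) (in|out)$", line)
            if m:
                interfaces[current_if]["bound_acls"].append(m.group(1))
    return acls, interfaces, policies


def audit(text):
    """Return a list of human-readable findings for the given config text."""
    acls, interfaces, policies = parse_config(text)
    findings = []
    for name, info in interfaces.items():
        for acl_id in info["bound_acls"]:
            entries = acls.get(acl_id, [])
            logged = [e for e in entries if e["action"] == "deny" and e["log"]]
            if logged and not info["acl_logging"]:
                findings.append(
                    f"{name}: ACL {acl_id} has deny entries with log, but "
                    f"acl-logging is not enabled on the port (drops stay in hardware)"
                )
            if info["acl_logging"] and not logged:
                findings.append(
                    f"{name}: acl-logging is enabled but ACL {acl_id} has no "
                    f"deny entries with the log option"
                )
            if info["acl_logging"] and any(e["traffic_policy"] is None for e in logged):
                findings.append(
                    f"{name}: ACL {acl_id} has logged deny entries without a "
                    f"traffic-policy; denied packets reach the CPU unrate-limited"
                )
            for e in logged:
                p = e["traffic_policy"]
                if p is not None and p not in policies:
                    findings.append(f"{name}: ACL {acl_id} references undefined traffic-policy {p}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the constructed sample, the audit reports two findings: port e 4 logs denies without a traffic-policy, and port e 5 binds ACL 101 (which has a logged deny) without `acl-logging` on the port. Feed it `show running-config` output to check a real device; lines that do not match the four command shapes are ignored.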