
Brocade ICX 6650 Security Configuration Guide

105

53-1002601-01

ACL logging

Brocade(config-vlan-1)# no vlan-dynamic-discovery
Vlan dynamic discovery is disabled
Brocade(config-vlan-1)# interface ethernet 1/1/2
Brocade(config-if-e1000-2)# disable
Brocade(config-if-e1000-2)# interface ve 10
Brocade(config-vif-10)# ip address 192.168.10.254 255.255.255.0
Brocade(config-vif-10)# interface ve 20
Brocade(config-vif-20)# ip access-group test1 in
Brocade(config-vif-20)# ip address 10.15.1.10 255.255.255.0
Brocade(config-vif-20)# exit
Brocade(config)# ip access-list extended test1
Brocade(config-ext-nACL)# permit ip 10.15.1.0 0.0.0.255 any log
Brocade(config-ext-nACL)# permit ip 192.168.10.0 0.0.0.255 any log
Brocade(config-ext-nACL)# end
Brocade#

ACL logging

Brocade devices support ACL logging of inbound packets that are sent to the CPU for processing
(denied packets).

NOTE

ACL logging is not supported for outbound packets or any packets that are processed in hardware
(permitted packets).

You may want the software to log entries in the syslog for packets that are denied by ACL filters.
ACL logging is disabled by default; it must be explicitly enabled on a port.

When you enable logging for ACL entries, statistics for packets that match the deny conditions of
the ACL entries are logged. For example, if you configure a standard ACL entry to deny all packets
from source address 10.157.22.26, statistics for packets that are explicitly denied by the ACL entry
are logged in the Syslog buffer and in SNMP traps sent by the Brocade device.

The first time an ACL entry denies a packet, the software immediately generates a Syslog entry and
an SNMP trap. The software also starts a five-minute timer. The timer keeps track of all packets
explicitly denied by the ACL entries. After five minutes, the software generates a single Syslog entry
for each ACL entry that denied a packet. The Syslog entry (message) indicates the number of
packets denied by the ACL entry during the previous five minutes. Note, however, that the packet
count may be inaccurate if the packet rate is high and exceeds the CPU processing rate.

If no ACL entries explicitly deny packets during an entire five-minute timer interval, the timer stops.
The timer restarts when an ACL entry explicitly denies a packet.
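The following Python model, added here as an illustration and not Brocade code, replays the cadence the two paragraphs above describe so that someone writing Syslog or SNMP detection rules knows what to expect: an immediate entry (and trap) on the first deny while no timer is running, one summary entry per ACL entry when each five-minute interval ends, and no summary for an interval in which nothing was denied (the timer stops until the next deny). The deny events, the entry labels ("seq 10", "seq 20") and the message texts are constructed for the example; they are not the device's real Syslog format.

```python
"""Model of ACL-deny Syslog cadence on a Brocade device (added example, not vendor code).

Input: deny events as (timestamp_seconds, acl_entry_label), plus the time up to
which the simulation should run. Output: the Syslog messages the guide says the
device emits. Message wording and entry labels are constructed for this example.
"""
from collections import Counter

TIMER_SECONDS = 5 * 60  # the five-minute ACL logging timer described in the guide


def simulate_acl_logging(deny_events, until):
    """Return a list of (timestamp, message) tuples in emission order."""
    messages = []
    timer_end = None   # None means the timer is stopped
    counts = Counter()  # packets denied per ACL entry in the current interval

    def expire_intervals(now):
        # Close every five-minute interval that has fully elapsed by 'now'.
        nonlocal timer_end
        while timer_end is not None and now >= timer_end:
            if counts:
                # One summary per ACL entry that denied something in the interval.
                # On a real device this count can be low at high packet rates,
                # because only packets the CPU actually processed are counted.
                for entry, n in sorted(counts.items()):
                    messages.append((timer_end,
                        f"[summary] ACL entry {entry} denied {n} packet(s) in the last 5 minutes"))
                counts.clear()
                timer_end += TIMER_SECONDS   # denies occurred, so the timer keeps running
            else:
                timer_end = None             # an empty interval stops the timer

    for ts, entry in sorted(deny_events):
        expire_intervals(ts)
        if timer_end is None:
            # First deny while the timer is stopped: immediate Syslog entry and
            # SNMP trap, and the timer (re)starts from this packet.
            messages.append((ts, f"[immediate] ACL entry {entry} denied a packet; SNMP trap sent"))
            timer_end = ts + TIMER_SECONDS
        counts[entry] += 1

    expire_intervals(until)
    return messages


# Constructed sample: a burst against two entries, then quiet, then a single deny.
SAMPLE_DENIES = [(0, "seq 10"), (30, "seq 10"), (60, "seq 10"), (100, "seq 20"), (1000, "seq 10")]

if __name__ == "__main__":
    for ts, msg in simulate_acl_logging(SAMPLE_DENIES, until=1300):
        print(f"t={ts:5d}s  {msg}")
```

Running it on the sample shows why a "one Syslog line per denied packet" rule would misfire: three denies by one entry and one by another at t=0..100 produce a single immediate message at t=0 and two summaries at t=300, the empty interval that ends at t=600 produces nothing and stops the timer, and the lone deny at t=1000 produces a fresh immediate message followed by a summary at t=1300.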

NOTE

The timer for logging packets denied by MAC address filters is a different timer than the ACL logging
timer.

Configuration notes for ACL logging

Note the following points before configuring ACL logging:

ACL logging is supported for denied packets, which are sent to the CPU for logging. ACL logging
is not supported for permitted packets.