
Enabling acl logging – Cabletron Systems SMARTSWITCH ROUTER 9032578-05 User Manual


SmartSwitch Router User Reference Manual 273

Chapter 19: Access Control List Configuration Guide

Enabling ACL Logging

To see whether incoming packets are permitted or denied because of an ACL, you can
enable ACL logging. You can enable logging when applying the ACL or you can enable
logging for a specific ACL rule.

The following commands define an ACL and apply the ACL to an interface, with logging
enabled for the ACL:

    acl 101 deny ip 10.2.0.0/16 any any any
    acl 101 permit ip any any any any
    acl 101 apply interface int1 input logging on

When ACL logging is turned on, the router prints out a message on the console about
whether a packet is dropped or forwarded. If you have a Syslog server configured for the
SSR, the same information is also sent to the Syslog server.

The following commands define an ACL and apply the ACL to an interface. In this case,
logging is enabled for a specific ACL rule:

    acl 101 deny ip 10.2.0.0/16 any any any log
    acl 101 permit ip any any any any
    acl 101 apply interface int1 input

For the above commands, the router prints out messages on the console only when
packets that come from subnet 10.2.0.0/16 on interface ‘int1’ are dropped.

Note that when logging is enabled on a per-rule basis, you do not need to specify the
‘logging on’ option when the ACL is applied to an interface. With per-rule logging enabled,
only the ‘logging off’ option has an effect when the ACL is applied; this option turns off all
ACL logging.

Before enabling ACL logging, you should consider its impact on performance. With ACL
logging enabled, the router prints out a message at the console before the packet is
actually forwarded or dropped. Even if the console is connected to the router at a high
baud rate, the delay caused by the console message is still significant. This can get worse if
the console is connected at a low baud rate, for example, 1200 baud. Furthermore, if a
Syslog server is configured, then a Syslog packet must also be sent to the Syslog server,
creating additional delay. Therefore, you should consider the potential performance
impact before turning on ACL logging.
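The following Python model, added here as an example and not taken from the manual or the SSR software, encodes the logging rules described above (apply-time ‘logging on’ logs every rule, ‘logging off’ silences all rules including those carrying ‘log’, otherwise only per-rule ‘log’ counts) and lets you check which packets a given ACL configuration would log before enabling it on a router. The ‘acl’ command syntax is inferred from the two configurations on this page; ignoring the port fields and the unlogged implicit deny on no match are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class AclRule:
    action: str                  # "permit" or "deny"
    src: ipaddress.IPv4Network   # source address/mask ("any" -> 0.0.0.0/0)
    dst: ipaddress.IPv4Network   # destination address/mask
    log: bool                    # trailing per-rule "log" keyword present

def _net(tok: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network("0.0.0.0/0" if tok == "any" else tok, strict=False)

def parse_acl(text: str) -> Tuple[List[AclRule], Optional[str]]:
    """Parse 'acl <name> permit|deny ip <src> <dst> <sport> <dport> [log]' rules and
    'acl <name> apply interface <if> input [logging on|off]' (ports ignored: assumption)."""
    rules, apply_logging = [], None
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 3 or tok[0] != "acl":
            raise ValueError(f"not an acl line: {line!r}")
        if tok[2] == "apply":
            if "logging" in tok:
                apply_logging = tok[tok.index("logging") + 1]
            continue
        if len(tok) < 8 or tok[3] != "ip":
            raise ValueError(f"unsupported rule: {line!r}")
        rules.append(AclRule(tok[2], _net(tok[4]), _net(tok[5]), tok[-1] == "log"))
    return rules, apply_logging

def effective_logging(rules: List[AclRule], apply_logging: Optional[str]) -> List[bool]:
    """'logging on' at apply time logs every rule; 'logging off' silences all rules,
    including those carrying 'log'; otherwise only the per-rule 'log' keyword counts."""
    if apply_logging == "on":
        return [True] * len(rules)
    if apply_logging == "off":
        return [False] * len(rules)
    return [rule.log for rule in rules]

def evaluate(config: str, src_ip: str, dst_ip: str) -> Tuple[str, bool]:
    """First-match lookup for one packet: returns (action, would_log).
    A packet matching no rule falls to an assumed implicit deny that is not logged."""
    rules, apply_logging = parse_acl(config)
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule, log in zip(rules, effective_logging(rules, apply_logging)):
        if s in rule.src and d in rule.dst:
            return rule.action, log
    return "deny", False
```

For the second configuration on this page, evaluate(config, "10.9.0.1", "192.0.2.1") returns ("permit", False), while the same call on the first configuration returns ("permit", True), which is the difference in console and Syslog load the performance note above warns about.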