HP 6200yl User Manual, page 8-90

IPv6 Access Control Lists (ACLs)
Testing and Troubleshooting ACLs

ACL Logging Operation

When the switch detects a packet match with an ACE and the ACE includes both the deny action and the optional log parameter, an ACL log message is sent to the designated debug destination. The first time a packet matches an ACE with deny and log configured, the message is sent immediately to the destination and the switch starts a wait-period of approximately five minutes. (The exact duration of the period depends on how the packets are internally routed.) At the end of the collection period, the switch sends a single-line summary of any additional “deny” matches for that ACE (and any other “deny” ACEs for which the switch detected a match). If no further log messages are generated in the wait-period, the switch suspends the timer and resets itself to send a message as soon as a new “deny” match occurs. Note that only the first message in a period carries the protocol, source and destination addresses, ports and ingress VLAN/port; the end-of-period summary identifies the ACE by ACL name and sequence number and gives a packet count only. The data in the message includes the information illustrated in figure 8-37.

Example Syslog report of the first deny event detected by the switch for this ACE:

    ACL 12/01/08 10:04:45 List NO-TELNET, seq#10 denied tcp 2001:db8:0:1ae::1a:3(1612) ->2001:db8:0:1ad::1a:2(23) on vlan 1, port A7

Example of subsequent deny events detected by the switch for the same ACE:

    Dec 1 10:04:45 2008:db8:0:1ad::1a:1 ACL: ACL 12/01/08 10:04:45 : ACL NO-TELNET seq#10 denied 6 packets

Figure 8-37. Content of a Message Generated by an ACL-Deny Action
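The two message forms in figure 8-37 have to be handled differently by whatever consumes the Syslog feed: the full record can drive a per-source alert, the summary can only add to a count. The following parser is an added example, written for this page and not taken from the HP manual or from HP software. It assumes the message text is exactly as shown in figure 8-37, that records for protocols without ports simply omit the parenthesised port (an assumption), and that a Syslog server prepends a header such as "Dec 1 10:09:45 switch1 ACL:" (the hostname "switch1" and the sample lines are constructed).

```python
"""Parse the two ACL-deny message forms and total the denies per ACE."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed sample input modelled on figure 8-37 (not a real capture).
# The first match in a wait-period is logged in full; later matches are
# rolled up into a one-line count carrying only the ACL name and seq#.
# Some lines carry the header a Syslog server prepends, some are as seen
# on a debug session; "switch1" is a made-up hostname.
SAMPLE_LOG = """\
ACL 12/01/08 10:04:45 List NO-TELNET, seq#10 denied tcp 2001:db8:0:1ae::1a:3(1612) ->2001:db8:0:1ad::1a:2(23) on vlan 1, port A7
Dec 1 10:09:45 switch1 ACL: ACL 12/01/08 10:09:45 : ACL NO-TELNET seq#10 denied 6 packets
Dec 1 10:15:02 switch1 ACL: ACL 12/01/08 10:15:02 List NO-TELNET, seq#10 denied tcp 2001:db8:0:1ae::1a:3(1613) ->2001:db8:0:1ad::1a:2(23) on vlan 1, port A7
ACL 12/01/08 10:20:02 : ACL NO-TELNET seq#10 denied 2 packets
ACL 12/01/08 10:20:02 : ACL NO-TELNET seq#20 denied 3 packets
Dec 1 10:20:03 switch1 ports: port A7 is now on-line
"""

# The switch's own text starts at "ACL mm/dd/yy hh:mm:ss"; anything before
# that is a Syslog header and is skipped.
BODY_RE = re.compile(r"ACL \d\d/\d\d/\d\d \d\d:\d\d:\d\d .*$")
# Full record for the first match in a wait-period. The "(port)" groups are
# optional on the assumption that protocols without ports omit them.
DETAIL_RE = re.compile(
    r"^ACL (?P<date>\d\d/\d\d/\d\d) (?P<time>\d\d:\d\d:\d\d) "
    r"List (?P<acl>\S+), seq#(?P<seq>\d+) denied (?P<proto>\S+) "
    r"(?P<src>[0-9A-Fa-f:.]+)(?:\((?P<sport>\d+)\))? "
    r"->(?P<dst>[0-9A-Fa-f:.]+)(?:\((?P<dport>\d+)\))? "
    r"on vlan (?P<vlan>\d+), port (?P<port>\S+)$"
)
# End-of-period summary: ACL name, seq# and a count, nothing else.
SUMMARY_RE = re.compile(
    r"^ACL (?P<date>\d\d/\d\d/\d\d) (?P<time>\d\d:\d\d:\d\d) : "
    r"ACL (?P<acl>\S+) seq#(?P<seq>\d+) denied (?P<count>\d+) packets$"
)


@dataclass
class AceTally:
    acl: str
    seq: int
    denied: int = 0                    # first events (1 packet each) + summary counts
    first_events: int = 0              # full records, i.e. wait-periods opened
    last_flow: Optional[dict] = None   # flow and ingress from the latest full record
    first_seen: Optional[datetime] = None
    last_seen: Optional[datetime] = None


def _stamp(f):
    return datetime.strptime(f"{f['date']} {f['time']}", "%m/%d/%y %H:%M:%S")


def parse_line(line):
    """Return ("detail", fields) or ("summary", fields); None for other lines."""
    body = BODY_RE.search(line.strip())
    if body is None:
        return None
    body = body.group(0)
    m = DETAIL_RE.match(body)
    if m:
        f = m.groupdict()
        f["when"] = _stamp(f)
        f["seq"], f["vlan"] = int(f["seq"]), int(f["vlan"])
        f["sport"] = int(f["sport"]) if f["sport"] is not None else None
        f["dport"] = int(f["dport"]) if f["dport"] is not None else None
        return "detail", f
    m = SUMMARY_RE.match(body)
    if m:
        f = m.groupdict()
        f["when"] = _stamp(f)
        f["seq"], f["count"] = int(f["seq"]), int(f["count"])
        return "summary", f
    return None


def tally(log_text):
    """Total denied packets per (ACL name, seq#) across both message forms."""
    tallies = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        kind, f = parsed
        key = (f["acl"], f["seq"])
        t = tallies.setdefault(key, AceTally(acl=f["acl"], seq=f["seq"]))
        t.first_seen = t.first_seen or f["when"]
        t.last_seen = f["when"]
        if kind == "detail":
            # The full record is itself one denied packet; the summary that
            # follows reports only the additional matches in the period.
            t.first_events += 1
            t.denied += 1
            t.last_flow = {k: f[k] for k in
                           ("proto", "src", "sport", "dst", "dport", "vlan", "port")}
        else:
            t.denied += f["count"]
    return tallies


def unattributed(tallies):
    """ACEs seen only in summary lines: a count exists, but no source address."""
    return sorted(k for k, t in tallies.items() if t.last_flow is None)


if __name__ == "__main__":
    for (acl, seq), t in sorted(tally(SAMPLE_LOG).items()):
        fl = t.last_flow
        where = (f"{fl['src']} -> {fl['dst']}:{fl['dport']} via {fl['port']}"
                 if fl else "no flow details")
        print(f"{acl} seq#{seq}: {t.denied} denied, {t.first_events} full records, {where}")
```

Alerting logic should key on the full record, since that is the only message in a wait-period that names a source; the summary is useful for volume (for example, one source hitting a Telnet deny hundreds of times in five minutes), and an ACE that shows up in `unattributed()` is one for which the first-event record was missed or dropped and the source is simply unknown.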

Enabling ACL Logging on the Switch

1. If you are using a Syslog server, use the logging < ip-addr > command to configure the Syslog server IP address(es). Ensure that the switch can access any Syslog server(s) you specify.

2. Use logging facility syslog to enable the logging for Syslog operation.

3. Use the debug destination command to configure one or more log destinations. (Destination options include logging and session. For more information on debug, refer to “Debug and Syslog Messaging Operation” in appendix C, “Troubleshooting”, in the latest Management and Configuration Guide for your switch.)

4. Use debug acl or debug all to configure the debug operation to include ACL messages.

5. Configure an ACL with the deny action and the log option in one or more ACEs.
