ACL logging

ACL logging is not supported for dynamic ACLs with multi-device port authentication and 802.1X.

Packets that are denied by ACL filters are logged to Syslog on the basis of a sample time period, so the log does not record every matching packet.

You can enable ACL logging on physical and virtual interfaces.

When ACL logging is disabled, packets that match the ACL rule are forwarded or dropped in hardware.

ACL logging is supported for ACLs that are applied to network management access features such as Telnet, SSH, and SNMP.

When an ACL that includes an entry with the logging option is applied to a port that has logging enabled, and an ACL that also includes a logging entry is applied to another port in the same port region, traffic on the second port is logged as well, whether or not logging is explicitly enabled on that port. Once logging is enabled on multiple ports in a port region, it is disabled only when it has been disabled on all the ports in that region.

NOTE

This limitation applies only to IPv4 ACLs; it does not apply to ACLs used to log IPv6 traffic.
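The port-region behaviour described above is the part of ACL logging most likely to surprise an operator: a port can be logging even though acl-logging was never configured on it, and removing acl-logging from one port is not enough to silence it. The following audit script is an added example, not part of the Brocade guide or of any Brocade tool. It models exactly the rule stated in the guide; the port-to-region mapping in it is a made-up assumption for illustration, because the real grouping depends on the hardware, so supply the mapping for your own switch.

```python
"""Added example (not from the Brocade guide): audit which ports are actually
logging, taking the IPv4 port-region behaviour into account.

Rule modelled: when a port with ACL logging enabled has a logging ACL bound,
any other port in the same port region that also has a logging ACL bound is
logged too, and logging stops only once it is disabled on every port in the
region. IPv6 ACLs are exempt. The port-to-region mapping is an assumption.
"""
from dataclasses import dataclass


@dataclass
class PortConfig:
    port: str
    acl_logging: bool = False        # "acl-logging" configured on the port
    logging_acl_bound: bool = False  # bound ACL contains at least one "log" entry
    ipv6: bool = False               # IPv6 ACL logging is not shared per region


def _region_map(regions):
    return {p: r for r, members in regions.items() for p in members}


def effective_logging(ports, regions):
    """Return (effective, inherited).

    effective: {port: bool}, whether traffic on the port is being logged.
    inherited: {port: [ports]} for ports that log only because another port
               in the same region explicitly enabled logging.
    """
    region_of = _region_map(regions)
    # Ports that satisfy the guide's condition on their own: acl-logging set
    # and a logging ACL bound. Unmapped ports count as their own region.
    enablers = {}
    for cfg in ports:
        if not cfg.ipv6 and cfg.acl_logging and cfg.logging_acl_bound:
            enablers.setdefault(region_of.get(cfg.port, cfg.port), []).append(cfg.port)

    effective, inherited = {}, {}
    for cfg in ports:
        explicit = cfg.acl_logging and cfg.logging_acl_bound
        if cfg.ipv6:
            effective[cfg.port] = explicit  # no region sharing for IPv6 ACLs
            continue
        region = region_of.get(cfg.port, cfg.port)
        others = [p for p in enablers.get(region, []) if p != cfg.port]
        shared = cfg.logging_acl_bound and bool(others)
        effective[cfg.port] = explicit or shared
        if shared and not explicit:
            inherited[cfg.port] = others
    return effective, inherited


def ports_to_disable(port, ports, regions):
    """Ports on which acl-logging must be removed before `port` stops logging:
    every explicitly enabled port in the same region, `port` itself included
    when it is one of them."""
    region_of = _region_map(regions)
    region = region_of.get(port, port)
    return sorted(
        cfg.port for cfg in ports
        if not cfg.ipv6 and cfg.acl_logging and cfg.logging_acl_bound
        and region_of.get(cfg.port, cfg.port) == region
    )


# Constructed sample: three ports assumed to share one region, one port in another.
SAMPLE_REGIONS = {"region-1": ["1/1/4", "1/1/5", "1/1/6"], "region-2": ["1/2/1"]}
SAMPLE_PORTS = [
    PortConfig("1/1/4", acl_logging=True, logging_acl_bound=True),    # the guide's example port
    PortConfig("1/1/5", acl_logging=False, logging_acl_bound=True),   # logs anyway: same region
    PortConfig("1/1/6", acl_logging=False, logging_acl_bound=False),  # no logging ACL: not logged
    PortConfig("1/2/1", acl_logging=False, logging_acl_bound=True),   # other region: not logged
]

if __name__ == "__main__":
    eff, inh = effective_logging(SAMPLE_PORTS, SAMPLE_REGIONS)
    for port, on in eff.items():
        note = f" (inherited from {', '.join(inh[port])})" if port in inh else ""
        print(f"{port}: {'logging' if on else 'not logging'}{note}")
    print("to silence 1/1/5, disable acl-logging on:",
          ports_to_disable("1/1/5", SAMPLE_PORTS, SAMPLE_REGIONS))
```

Run it against the sample and port 1/1/5 reports as logging with no acl-logging of its own, while 1/1/6 does not, because the guide's condition also requires a logging ACL to be bound on the second port. The same function tells you that disabling logging on 1/1/5 requires removing it from 1/1/4.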

When ACL logging is enabled, packets sent to the CPU are automatically rate limited to prevent CPU overload.

ACL logging is intended for debugging purposes. Brocade recommends that you disable ACL logging after the debug session is over.

Configuration tasks for ACL logging

To enable ACL logging, complete the following steps:

1. Create ACL entries with the log option

2. Enable ACL logging on individual ports

NOTE

The command syntax for enabling ACL logging is different on IPv4 devices than on IPv6 devices. See the configuration examples in the next section.

3. Bind the ACLs to the ports on which ACL logging is enabled

Example ACL logging configuration

The following shows an example ACL logging configuration on an IPv4 device.

Brocade(config)# access-list 1 deny host 10.157.22.26 log
Brocade(config)# access-list 1 deny 10.157.29.12 log
Brocade(config)# access-list 1 deny host IPHost1 log
Brocade(config)# access-list 1 permit any
Brocade(config)# interface ethernet 1/1/4
Brocade(config-if-e10000-1/1/4)# ACL-logging
Brocade(config-if-e10000-1/1/4)# ip access-group 1 in
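Once the configuration above is in place, the denies it produces arrive as Syslog messages that are sampled and rate limited, so a practitioner consuming them should treat counts as lower bounds. The script below is an added example and is not Brocade code or part of this guide: it parses and aggregates ACL deny messages. The message layout it matches is an assumption modelled on FastIron-style ACL log lines, and the sample lines are constructed; check the pattern against a real line from your switch and adjust the regular expression if the layout differs.

```python
"""Added example (not from the Brocade guide): summarize ACL deny messages
from a Syslog feed.

The message layout matched below is an ASSUMPTION modelled on FastIron-style
ACL log lines; verify it against a real line and adjust the regex if needed.
Because the switch logs on a sampled, rate-limited basis, the totals are a
lower bound on the traffic actually denied.
"""
import re
from collections import Counter

# Assumed layout (constructed for this example):
# <prefix> ACL: List <acl> denied <proto> <src>(<sport>)(<Intf> <mac>) -> <dst>(<dport>), <n> event(s)
ACL_LOG_RE = re.compile(
    r"ACL: List (?P<acl>\S+) (?P<action>denied|permitted) (?P<proto>\S+) "
    r"(?P<src>[0-9.]+)\((?P<sport>\d+)\)\((?P<iface>\S+ \S+) (?P<mac>[0-9a-f.]+)\) -> "
    r"(?P<dst>[0-9.]+)\((?P<dport>\d+)\), (?P<count>\d+) event\(s\)"
)


def parse_line(line):
    """Return the fields of one ACL log line as a dict, or None if it is not one."""
    m = ACL_LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["count"] = int(rec["count"])
    for key in ("sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def summarize_denies(lines):
    """Sum the reported event counts per (ACL, source address, ingress interface).

    Only "denied" messages are counted; permitted entries (if an ACL logs
    them) are ignored. The result is a lower bound because of sampling.
    """
    totals = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["action"] == "denied":
            totals[(rec["acl"], rec["src"], rec["iface"])] += rec["count"]
    return totals


def top_sources(totals, n=5):
    """Return the n busiest (ACL, source, interface) keys with their counts."""
    return totals.most_common(n)


# Constructed sample lines, matching the ACL 1 example from the guide.
SAMPLE_LINES = [
    "Jan  5 10:00:01 icx1 ACL: List 1 denied tcp 10.157.22.26(44123)(Ethernet 1/1/4 0000.5e00.5301) -> 10.157.23.5(22), 1 event(s)",
    "Jan  5 10:00:03 icx1 ACL: List 1 denied tcp 10.157.22.26(44124)(Ethernet 1/1/4 0000.5e00.5301) -> 10.157.23.5(22), 3 event(s)",
    "Jan  5 10:00:04 icx1 ACL: List 1 denied udp 10.157.29.12(5353)(Ethernet 1/1/4 0000.5e00.5302) -> 10.157.23.5(53), 2 event(s)",
    "Jan  5 10:00:05 icx1 System: Interface ethernet 1/1/4, state up",
    "Jan  5 10:00:06 icx1 ACL: List 1 permitted icmp 10.157.30.1(0)(Ethernet 1/1/4 0000.5e00.5303) -> 10.157.23.5(0), 1 event(s)",
]

if __name__ == "__main__":
    for (acl, src, iface), count in top_sources(summarize_denies(SAMPLE_LINES)):
        print(f"ACL {acl}: {src} via {iface}: at least {count} denied packet(s)")
```

Feed it `sys.stdin` or a file from your Syslog collector instead of SAMPLE_LINES. Because the guide says logging is meant for debugging and should be switched off afterwards, a silence from a source you expected to see is as likely to mean logging was disabled as that the traffic stopped; check the port configuration before drawing conclusions.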

106
Brocade ICX 6650 Security Configuration Guide
53-1002601-01
