1-39
Catalyst 3750-X and 3560-X Switch Software Configuration Guide
OL-25303-03
Chapter 1 Configuring Network Security with ACLs
Configuring VLAN Maps
Configuring VACL Logging
When you configure VACL logging, syslog messages are generated for denied IP packets under these
circumstances:
• When the first matching packet is received.
• For any matching packets received within the last 5 minutes.
• If the threshold is reached before the 5-minute interval.
Log messages are generated on a per-flow basis. A flow is defined as packets with the same IP addresses and
Layer 4 (UDP or TCP) port numbers.
If a flow does not receive any packets in the 5-minute interval, that
flow is removed from the cache. When a syslog message is generated, the timer and packet counter are
reset.
VACL logging restrictions:
• Only denied IP packets are logged.
• Packets that require logging on the outbound port ACLs are not logged if they are denied by a VACL.
Beginning in privileged EXEC mode:
Command Purpose
Step 1
configure terminal Enter the global configuration mode.
Step 2
vlan access-map name [number] Create a VLAN map. Give it a name and optionally a number. The number
is the sequence number of the entry within the map.
The sequence number range is from 0 to 65535.
When you create VLAN maps with the same name, numbers are assigned
sequentially in increments of 10. When modifying or deleting maps, you can
enter the number of the map entry that you want to modify or delete.
Specifying the map name and optionally a number enters the access-map
configuration mode.
Step 3
action drop log Set the VLAN access map to drop and log IP packets.
Step 4
exit Exit the VLAN access map configuration mode and return to the global
configuration mode.
Step 5
vlan access-log {maxflow
max_number | threshold pkt_count}
Configure the VACL logging parameters.
• maxflow max_number—Set the log table size. The content of the log
table can be deleted by setting the maxflow to 0. When the log table is
full, the software drops logged packets from new flows.
The range is from 0 to 2048. The default is 500.
• threshold pkt_count—Set the logging threshold. A logging message is
generated if the threshold for a flow is reached before the 5-minute interval.
The threshold range is from 0 to 2147483647. The default threshold is
0, which means that a syslog message is generated every 5 minutes.
Step 6
exit Return to privileged EXEC mode.
Step 7
show vlan access-map Verify your entries.
Step 8
copy running-config startup-config (Optional) Save your entries in the configuration file.
To Next Page
Loading...
Need help?
General
