Cisco SF350-24P Administration Guide

Cisco SF350-24P
762 pages
Access Control
Overview
Cisco 350, 350X and 550X Series Managed Switches, Firmware Release 2.4, ver 0.4 397
22
IP ACL—Examines the Layer 3 layer of IP frames, as described in IPv4-based ACLs
IPv6 ACL—Examines the Layer 3 layer of IPv6 frames, as described in Defining IPv6-Based ACL
If a frame matches the filter in an ACL, it is defined as a flow with the name of that ACL. In
advanced QoS, these frames can be referred to using this Flow name, and QoS can be applied
to these frames.
ACL Logging
This feature enables adding a logging option to ACEs. When the feature is enabled, any packet
that was permitted or denied by the ACE generates an informational SYSLOG message
related to it.
If ACL logging is enabled, it can be specified per interface by binding the ACL to an interface.
In this case, SYSLOGs are generated for packets that matched the permit or deny ACEs
associated with the interface.
A flow is defined as a stream of packets with identical characteristics, as follows:
Layer 2 Packets—Identical source and destination MAC addresses
Layer 3 Packets—Identical source and destination IP addresses
Layer 4 Packets—Identical source and destination IP and L4 port
For any new flow, the first packet that is trapped from a specific interface causes the
generation of an informational SYSLOG message. Additional packets from the same flow are
trapped to the CPU, but SYSLOG messages for this flow are limited to one message every 5
minutes. This SYSLOG indicates that at least one packet was trapped in the last 5 minutes.
After handling the trapped packet, the packets are forwarded in case of permit and discarded in
case of deny.
The number of supported flows is 150 flows per unit:
SYSLOGs
The SYSLOG messages are in Informational severity, and state if the packet matched a deny
rule or a permit rule.
For Layer 2 packets, the SYSLOG includes the information (if applicable): source
MAC, destination MAC, Ethertype, VLAN-ID, and CoS queue.
For Layer 3 packets, the SYSLOG includes the information (if applicable): source IP,
destination IP address, protocol, DSCP value, ICMP type, ICMP code, and IGMP type.
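
The flow definition and 5-minute limit described under ACL Logging, modelled as an added example (not Cisco's code and not part of the manual) to show how few SYSLOG messages a packet stream yields. The Packet fields, reading "L4 port" as both ports, emitting the message on packet arrival, and merely flagging flows past 150 are assumptions; the sample traffic is constructed.

```python
from collections import namedtuple

LOG_INTERVAL = 300  # seconds; "one message every 5 minutes" (from the page)
MAX_FLOWS = 150     # supported flows per unit (from the page)

# Constructed packet record; the field names are this example's own.
Packet = namedtuple("Packet", "ts iface layer src dst sport dport action")

def flow_key(p):
    """Flow identity per the page: L2 = MAC pair, L3 = IP pair, L4 = IP pair + port."""
    key = (p.iface, p.layer, p.src, p.dst)
    # Assumption: "L4 port" is read as both source and destination port.
    return key + (p.sport, p.dport) if p.layer == 4 else key

def simulate(packets):
    """Return (messages, suppressed, over_limit) for a list of packets."""
    last_logged = {}    # flow key -> timestamp of that flow's last SYSLOG
    messages = []       # (ts, action, flow key) for each SYSLOG emitted
    suppressed = {}     # flow key -> packets that produced no SYSLOG
    over_limit = set()  # new flows seen once MAX_FLOWS are already tracked
    for p in sorted(packets, key=lambda pkt: pkt.ts):
        k = flow_key(p)
        if k not in last_logged and len(last_logged) >= MAX_FLOWS:
            over_limit.add(k)  # the page does not say what the switch does here
            continue
        if k not in last_logged or p.ts - last_logged[k] >= LOG_INTERVAL:
            last_logged[k] = p.ts
            messages.append((p.ts, p.action, k))
        else:
            suppressed[k] = suppressed.get(k, 0) + 1
    return messages, suppressed, over_limit

def sample_traffic():
    """Constructed sample: a denied burst, a slow permitted flow, one L3 flow."""
    burst = [Packet(t, "gi1", 4, "192.0.2.5", "192.0.2.9", 40000, 22, "deny")
             for t in range(600)]  # one packet per second for 10 minutes
    slow = [Packet(t, "gi1", 4, "192.0.2.6", "192.0.2.9", 40001, 443, "permit")
            for t in (10, 400, 410)]
    l3 = [Packet(50, "gi2", 3, "192.0.2.7", "192.0.2.9", None, None, "deny")]
    return burst + slow + l3

if __name__ == "__main__":
    msgs, supp, over = simulate(sample_traffic())
    for ts, action, key in msgs:
        print(f"t={ts:>3}s {action:6} {key}")
    print("packets without a SYSLOG, per flow:", supp)
```

When reading these logs, treat each message as "at least one packet in this flow", never as a packet count.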


Cisco SF350-24P Specifications

General
Model: SF350-24P
Category: Switch
PoE Budget: 195W
Layer: Layer 3
Power Supply: Internal
Uplink Ports: 2 x combo Gigabit SFP + 2 x Gigabit
MAC Address Table Size: 16K entries
Jumbo Frame Support: 9216 bytes
Management: Web, CLI, SNMP
Features: QoS, VLAN, IPv6, ACLs
Dimensions: 440 mm x 257 mm x 44 mm
Operating Temperature: 0°C to 45°C
Operating Humidity: 10% to 90% non-condensing
Weight: 3.48 kg