Cisco SG550XG-8F8T User Manual

725 pages
Access Control
Overview
573 Cisco Sx350, SG350X, SG350XG, Sx550X & SG550XG Series Managed Switches, Firmware Release 2.2.5.x
• IPv6 ACL—Examines the Layer 3 layer of IPv4 frames as described in Defining IPv6-Based ACL
If a frame matches the filter in an ACL, it is defined as a flow with the name of that ACL. In
advanced QoS, these frames can be referred to using this Flow name, and QoS can be applied
to these frames.
ACL Logging
This feature adds a logging option to ACEs. When the feature is enabled, any packet
that is permitted or denied by the ACE generates an informational SYSLOG message
related to it.
If ACL logging is enabled, it can be specified per interface by binding the ACL to an interface.
In this case, SYSLOGs are generated for packets that matched the permit or deny ACEs
associated with the interface.
A flow is defined as a stream of packets with identical characteristics, as follows:
• Layer 2 Packets—Identical source and destination MAC addresses
• Layer 3 Packets—Identical source and destination IP addresses
• Layer 4 Packets—Identical source and destination IP and L4 port
For any new flow, the first packet that is trapped from a specific interface causes the
generation of an informational SYSLOG message. Additional packets from the same flow are
trapped to the CPU, but SYSLOG messages for this flow are limited to one message every 5
minutes. This SYSLOG indicates that at least one packet was trapped in the last 5 minutes.
After the trapped packet is handled, it is forwarded if the ACE is a permit and discarded if
the ACE is a deny.
The number of supported flows is as follows:
• SG350xx Family—150 per unit
• SG550XG Family—150 per unit in the stack
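Added example (not from the Cisco manual or the switch firmware): a small Python model of the per-flow logging behaviour described above, showing how many SYSLOG messages a stream of matched packets produces. The `Packet` record, the function names, the use of both L4 ports in the flow key, the "no message once the flow table is full" behaviour and the sample addresses are assumptions of this example.

```python
from collections import namedtuple

# Constructed packet record; field names are this example's own.
Packet = namedtuple("Packet", "ts layer src dst sport dport action")

WINDOW = 300     # seconds: one SYSLOG per flow every 5 minutes (per the manual)
MAX_FLOWS = 150  # supported flows per unit (per the manual)

def flow_key(p):
    """Flow identity per layer, following the manual's flow definition."""
    if p.layer == 4:
        # Assumption: both source and destination L4 ports are part of the key.
        return (4, p.src, p.dst, p.sport, p.dport)
    return (p.layer, p.src, p.dst)  # L2: MAC pair, L3: IP pair

def simulate(packets):
    """Return (messages, untracked); messages are (ts, flow_key, action)."""
    last_logged, messages, untracked = {}, [], 0
    for p in sorted(packets, key=lambda pkt: pkt.ts):
        key = flow_key(p)
        if key not in last_logged:
            if len(last_logged) >= MAX_FLOWS:
                untracked += 1  # assumption: no SYSLOG once the flow table is full
                continue
        elif p.ts - last_logged[key] < WINDOW:
            continue  # packet is still permitted or denied, just not logged
        messages.append((p.ts, key, p.action))
        last_logged[key] = p.ts
    return messages, untracked

def sample_packets():
    """Constructed traffic: one denied SSH flow at 1 packet/s for 10 minutes,
    plus a single permitted Layer 3 packet."""
    ssh = [Packet(t, 4, "192.0.2.10", "198.51.100.5", 40000, 22, "deny")
           for t in range(600)]
    return ssh + [Packet(10, 3, "192.0.2.20", "198.51.100.5", None, None, "permit")]

if __name__ == "__main__":
    msgs, untracked = simulate(sample_packets())
    print(f"{len(sample_packets())} packets -> {len(msgs)} SYSLOG messages")
    for ts, key, action in msgs:
        print(ts, action, key)
```

Because each message only means "at least one packet in the window", counts of ACL log messages are a lower bound on matched packets; monitoring built on them should key on which flows appear, not on message volume.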
SYSLOGs
The SYSLOG messages have Informational severity and state whether the packet matched a deny
rule or a permit rule.
• For layer 2 packets, the SYSLOG includes the information (if applicable): source
MAC, destination MAC, Ethertype, VLAN-ID, and CoS queue.
