To Next Page

To Previous Page

6. If the configuration appears satisfactory, save it to the startup-config file:

HP Switch(config)# write memory

Enable IPv6 ACL "deny" logging

ACL logging enables the switch to generate a message when IP traffic meets the criteria for a match

with an ACE that results in an explicit "deny" action. You can use ACL logging to help:

• Test your network to help ensure that your ACL configuration is detecting and denying the

incoming IPv6 traffic you do not want to enter the switch.

• Receive notification when the switch denies inbound IPv6 traffic you have designed your ACLs

to reject (deny).

The switch sends ACL messages to syslog and optionally to the current console, Telnet, or SSH

session. You can use logging < > to configure up to six syslog server destinations.

Requirements for using IPv6 ACL logging

• The switch configuration must include an ACL:

Assigned to a port, trunk, or static VLAN interface1.

2. Containing an ACE configured with the deny action and the log option.

• For IPv6 ACL logging to a Syslog server:

The server must be accessible to the switch and identified in the running configuration.◦

◦ The logging facility must been enabled for Syslog.

◦ Debug must be configured to:

– support ACL messages

– send debug messages to the desired debug destination

These requirements are described in more detail under “Enabling ACL logging on the switch”

(page 106).

ACL logging operation

When the switch detects a packet match with an ACE and the ACE includes the deny action and

the optional log parameter, an ACL log message is sent to the designated debug destination. The

first time a packet matches an ACE with deny and log configured, the message is sent immediately

to the destination and the switch starts a wait-period of approximately five minutes. (The exact

duration of the period depends on how the packets are internally routed.) At the end of the collection

period, the switch sends a single-line summary of any additional "deny" matches for that ACE (and

any other "deny" ACEs for which the switch detected a match). If no further log messages are

generated in the wait-period, the switch suspends the timer and resets itself to send a message as

soon as a new "deny" match occurs. The data in the message includes the information in

Example 50 (page 106).

Enable IPv6 ACL "deny" logging 105

HP 2530 User Manual

Other manuals for HP 2530