Access Control Lists (ACLs) for the Series 5300xl Switches
Enable ACL “Deny” Logging
Note If a transport error occurs, the switch does not execute the command and the
ACL is not configured.
3. Next, assign the new ACL to the intended VLAN which, in this example,
is for inbound traffic on VLAN 20.
HPswitch(config)# vlan 20 ip access-group “Controls for VLAN 20" in
4. Inspect the new running configuration:
HPswitch(config)# show running
5. If the configuration appears satisfactory, save it to the startup-config file:
HPswitch(config)# write memory
Enable ACL “Deny” Logging
ACL logging enables the switch to generate a message when IP traffic meets
the criteria for a match with an ACE that results in an explicit “deny” action.
You can use ACL logging to help:
■ Test your network to ensure that your ACL configuration is detecting
and denying the traffic you do not want forwarded
■ Receive notification when the switch detects attempts to transmit
traffic you have designed your ACLs to reject
The switch sends ACL messages to Syslog and optionally to the current
console, Telnet, or SSH session. You can configure up to six Syslog server
destinations.
Requirements for Using ACL Logging
■ The switch configuration must include an ACL (1) assigned to a static
VLAN and (2) containing an ACE configured with the deny action and
the log option.
■ To screen routed packets with destination IP addresses outside of the
switch, IP routing must be enabled.
■ For ACL logging to a Syslog server, the server must be accessible to
the switch and identified (with the logging < ip-addr > command) in
the switch configuration.
9-59
To Next Page
Loading...
Need help?
General