Access Control Lists (ACLs) for the Series 5300xl Switches
Enable ACL “Deny” Logging
■ Debug must be enabled for ACLs and one or both of the following:
• logging (for sending messages to Syslog)
• Session (for sending messages to the current console interface)
ACL Logging Operation
When the switch detects a packet match with an ACE and the ACE includes
both the deny action and the optional log parameter, an ACL log message is
sent to the designated debug destination. The first time a packet matches an
ACE with deny and log configured, the message is sent immediately to the
destination and the switch starts a wait-period of approximately five minutes.
(The exact duration of the period depends on how the packets are internally
routed.) At the end of the collection period, the switch sends a single-line
summary of any additional “deny” matches for that ACE (and any other “deny”
ACEs for which the switch detected a match). If no further log messages are
generated in the wait-period, the switch suspends the timer and resets itself
to send a message as soon as a new “deny” match occurs. The data in the
message includes the information illustrated in figure
9-26.
Mar 1 10:04:45 18.28.227.101 ACL:
ACL 03/01/03 10:04:45: denied tcp 13.28.227.3 (1025) (VLAN 227) -> 10.10.20.2 (23), 1 packets
Indicates the VLAN on which the
ACL is assigned, the packet’s
destination IP address, the
destination TCP or UDP port
number (“0” if the protocol is “IP”
or you do not specify a port
Begins the actual
message generated
by the ACL itself, and
indicates message
type (ACL), date and
time of generation.
Note: To fit this illustration on the page, the portion of the message generated by
the Syslog server itself is shown in the line above the portion of the message
generated by the switch. Depending on the terminal emulator you use, you may
see information similar to this, which includes the date and time the log message
was received, the IP address of the default VLAN on the sending switch, and the
message type (ACL).
ACL action (denied), protocol type
(IP, TCP, or UDP), source IP address
of the denied packet(s) and the TCP
or UDP port number at the source
device. The port number is “0” if the
protocol is “IP” or you do not specify
a port number.
Indicates the
number of
packets (deny
instances)
detected.
Figure 9-26. Content of an ACL-Generated Message
Enabling ACL Logging on the Switch
1. Use the debug command to:
a. Configure one or more log destinations.
9-60
To Next Page
Loading...
