Brocade ICX 6650 Security Configuration Guide
53-1002601-01
ACL logging
ACL logging is not supported for dynamic ACLs with multi-device port authentication and 802.1X.
Packets that are denied by ACL filters are logged in the Syslog based on a sample time-period.
You can enable ACL logging on physical and virtual interfaces.
When ACL logging is disabled, packets that match the ACL rule are forwarded or dropped in hardware.
ACL logging is supported for ACLs that are applied to network management access features such as Telnet, SSH, and SNMP.
When an ACL that includes an entry with the log option is applied to a port that has ACL logging enabled, and an ACL that includes an entry with the log option is applied to another port in the same port region, traffic on the second port is also logged, whether or not logging is explicitly enabled on that port. If logging is enabled on multiple ports in the same port region, logging is disabled only when it is disabled on all of the ports in that port region.
NOTE
The above limitation applies only to IPv4 ACLs; it does not apply to the use of ACLs to log IPv6 traffic.
When ACL logging is enabled, packets sent to the CPU are automatically rate limited to prevent CPU overload.
ACL logging is intended for debugging purposes. Brocade recommends that you disable ACL logging after the debug session is over.
Configuration tasks for ACL logging
To enable ACL logging, complete the following steps:
1. Create ACL entries with the log option
2. Enable ACL logging on individual ports
NOTE
The command syntax for enabling ACL logging is different on IPv4 devices than on IPv6 devices. See the configuration examples in the next section.
3. Bind the ACLs to the ports on which ACL logging is enabled
Example ACL logging configuration
The following shows an example ACL logging configuration on an IPv4 device.
Brocade(config)# access-list 1 deny host 10.157.22.26 log
Brocade(config)# access-list 1 deny 10.157.29.12 log
Brocade(config)# access-list 1 deny host IPHost1 log
Brocade(config)# access-list 1 permit any 
Brocade(config)# interface ethernet 1/1/4
Brocade(config-if-e10000-1/1/4)# ACL-logging
Brocade(config-if-e10000-1/1/4)# ip access-group 1 in
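The three configuration tasks above (log entries in the ACL, acl-logging on the port, the ACL bound to that port) have to line up on every port, and the guide also asks that logging be turned off once debugging is done. The following Python script is an added example, not part of the guide or of Brocade's software: it parses a constructed running-config excerpt in the same syntax as the example above and reports ports where a logging ACL is bound but acl-logging is not enabled, and ports where ACL logging is currently active. The config text, the interface names and the ACL numbers are constructed for illustration. The script cannot model the port-region side effect described earlier, because region boundaries are hardware specific and not visible in the configuration.

```python
"""Audit a Brocade ICX running-config excerpt for ACL logging consistency.

Added example; the config below is constructed and does not come from a device.
"""
import re
from collections import defaultdict

# Constructed sample running-config excerpt (assumed syntax, as in the guide's example).
SAMPLE_CONFIG = """\
access-list 1 deny host 10.157.22.26 log
access-list 1 deny 10.157.29.12 log
access-list 1 permit any
access-list 2 deny any
interface ethernet 1/1/4
 acl-logging
 ip access-group 1 in
interface ethernet 1/1/5
 ip access-group 1 in
interface ethernet 1/1/6
 ip access-group 2 in
"""

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(.*)$")
IFACE_RE = re.compile(r"^interface\s+(.+)$")
BIND_RE = re.compile(r"^\s*ip access-group\s+(\S+)\s+(in|out)\b")


def parse_config(text):
    """Return (acls, interfaces).

    acls:       {acl_id: [entry text, ...]}
    interfaces: {name: {"acl_logging": bool, "bindings": [(acl_id, direction), ...]}}
    """
    acls = defaultdict(list)
    interfaces = {}
    current = None  # interface whose sub-mode lines we are reading
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        m = ACL_RE.match(line)
        if m:
            acls[m.group(1)].append(m.group(2))
            current = None
            continue
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1).strip()
            interfaces[current] = {"acl_logging": False, "bindings": []}
            continue
        if current is None:
            continue
        # The guide's example shows the keyword as "ACL-logging"; compare case-insensitively.
        if line.strip().lower() == "acl-logging":
            interfaces[current]["acl_logging"] = True
            continue
        m = BIND_RE.match(line)
        if m:
            interfaces[current]["bindings"].append((m.group(1), m.group(2)))
    return dict(acls), interfaces


def has_log_entries(entries):
    """True if any ACL entry carries the log option."""
    return any(re.search(r"\blog\b", e) for e in entries)


def audit(text):
    """Return a list of (severity, interface, message) findings."""
    acls, interfaces = parse_config(text)
    findings = []
    for iface, info in interfaces.items():
        for acl_id, direction in info["bindings"]:
            entries = acls.get(acl_id, [])
            if not entries:
                findings.append(("error", iface, f"ACL {acl_id} bound {direction} but not defined"))
                continue
            logs = has_log_entries(entries)
            if logs and not info["acl_logging"]:
                # Step 2 missing: log entries exist but the port will not log them on its own.
                findings.append(("warn", iface, f"ACL {acl_id} has log entries but acl-logging is not enabled on this port"))
            elif logs and info["acl_logging"]:
                # Logging is active; the guide recommends disabling it after debugging.
                findings.append(("info", iface, f"ACL logging active for ACL {acl_id}; disable after the debug session"))
            elif not logs and info["acl_logging"]:
                findings.append(("info", iface, f"acl-logging enabled but ACL {acl_id} has no log entries"))
    return findings


if __name__ == "__main__":
    for severity, iface, message in audit(SAMPLE_CONFIG):
        print(f"{severity:5} {iface}: {message}")
```

Feed the output of `show running-config` into `audit` to get the same report for a real device; the "warn" findings are the ports where step 2 of the procedure was skipped, and the "info" findings list the ports still logging once the debugging session is over.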