Riverstone Networks RS Switch Router User Guide Release 8.0 24-15

Access Control List Configuration


When ACL logging is turned on, the router prints out a message on the console about whether a packet is dropped or
forwarded. If you have a Syslog server configured for the RS, the same information will also be sent to the Syslog
server.

The following commands define an ACL and apply the ACL to an interface. In this case, logging is enabled for a
specific ACL rule:

    acl 101 deny ip 10.2.0.0/16 any any any log
    acl 101 permit ip any any any any
    acl 101 apply interface int1 input logging off

For the above commands, the router prints out messages on the console only when packets that come from subnet
10.2.0.0/16 on interface 'int1' are dropped.

Note: If you want per-rule logging, specify the logging off option for the acl apply command and add the log
keyword to the individual rule, as in the deny rule above. This enables logging only on the specified ACL rule
instead of logging on all ACL rules applied to the interface.

Before enabling ACL logging, you should consider its impact on performance. With ACL logging enabled, the router
prints out a message at the console before the packet is actually forwarded or dropped. Even if the console is connected
to the router at a high baud rate, the delay caused by the console message is still significant. This gets worse if the
console is connected at a low baud rate, for example, 1200 baud. Furthermore, if a Syslog server is configured, a
Syslog packet must also be sent to the Syslog server, creating additional delay. Because this delay is incurred for
every packet that matches a logged rule, keep logged rules narrow (the example above logs only drops from one subnet)
rather than enabling logging on every rule applied to an interface.

24.5 MONITORING ACLS

The RS provides a display of ACL configurations active in the system.

To display ACL information, enter the following commands in Enable mode.

Show all ACLs:

    acl show all

Show a specific ACL (or all ACLs by name):

    acl show aclname <name>|all

Show the ACL applied to a specific interface:

    acl show interface <name>

Show ACLs on all IP interfaces:

    acl show interface all-ip

Show static entry filters:

    acl show service
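The logging passage earlier on this page states two rules: a packet is reported when the matching rule carries the log keyword or the interface was applied with logging on, and the report is generated per packet, before forwarding. The following Python model is an added illustration, not Riverstone's code or the RS firmware's actual matching logic. It parses the guide's own three acl commands, evaluates constructed sample packets first-match in configuration order, and reports which would produce a console/Syslog message. The accepted syntax, the implicit deny for packets matching no rule, the interface name int1, and the sample addresses are assumptions made for the example.

```python
"""Model of the RS ACL logging behaviour described in the guide.

Added illustration, not Riverstone code. Assumptions: rules use the form
shown in the guide, 'acl <name> permit|deny ip <src> <dst> <sport> <dport>
[log]', and are evaluated first-match in configuration order; the apply
form is 'acl <name> apply interface <if> input|output [logging on|off]'.
Port fields are 'any' or a single port number.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Rule:
    action: str   # "permit" or "deny"
    src: str      # CIDR prefix or "any"
    dst: str
    sport: str    # "any" or a port number
    dport: str
    log: bool     # per-rule 'log' keyword present


@dataclass
class AppliedAcl:
    name: str
    interface: str
    direction: str
    logging: bool                              # interface-wide 'logging on'
    rules: List[Rule] = field(default_factory=list)


def parse_acl_config(lines: List[str]) -> Dict[str, AppliedAcl]:
    """Parse 'acl ...' lines into the ACL applied on each interface."""
    rules_by_name: Dict[str, List[Rule]] = {}
    applied: Dict[str, AppliedAcl] = {}
    for raw in lines:
        tok = raw.split()
        if len(tok) < 3 or tok[0] != "acl":
            continue                           # not an acl statement
        name = tok[1]
        if tok[2] in ("permit", "deny"):
            if len(tok) < 8 or tok[3] != "ip":
                raise ValueError(f"unsupported rule syntax: {raw}")
            rule = Rule(tok[2], tok[4], tok[5], tok[6], tok[7], "log" in tok[8:])
            rules_by_name.setdefault(name, []).append(rule)
        elif tok[2] == "apply":
            if len(tok) < 6 or tok[3] != "interface":
                raise ValueError(f"unsupported apply syntax: {raw}")
            # Share the rule list so rules configured after 'apply' still count.
            applied[tok[4]] = AppliedAcl(name, tok[4], tok[5],
                                         tok[6:8] == ["logging", "on"],
                                         rules_by_name.setdefault(name, []))
    return applied


def _addr_matches(addr: str, pattern: str) -> bool:
    if pattern == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)


def _port_matches(port: int, pattern: str) -> bool:
    return pattern == "any" or int(pattern) == port


def evaluate(acl: AppliedAcl, src: str, dst: str, sport: int, dport: int) -> Tuple[str, bool]:
    """First-match evaluation; returns (action, logged).

    A packet produces a console/Syslog message when the interface was applied
    with 'logging on' OR the matching rule carries 'log'. A packet matching no
    rule is dropped silently here; that implicit deny is this model's
    assumption, the guide excerpt does not state the RS default.
    """
    for rule in acl.rules:
        if (_addr_matches(src, rule.src) and _addr_matches(dst, rule.dst)
                and _port_matches(sport, rule.sport) and _port_matches(dport, rule.dport)):
            return rule.action, acl.logging or rule.log
    return "deny", False


def log_events(config: List[str], interface: str, packets):
    """Return [(src, (action, logged)), ...] for packets arriving on interface."""
    acl = parse_acl_config(config)[interface]
    return [(src, evaluate(acl, src, dst, sport, dport))
            for src, dst, sport, dport in packets]


# The guide's configuration, and constructed sample traffic (src, dst, sport, dport).
GUIDE_CONFIG = [
    "acl 101 deny ip 10.2.0.0/16 any any any log",
    "acl 101 permit ip any any any any",
    "acl 101 apply interface int1 input logging off",
]
SAMPLE_PACKETS = [
    ("10.2.3.4", "192.0.2.10", 40000, 80),   # inside 10.2.0.0/16: denied and logged
    ("10.3.0.1", "192.0.2.10", 40000, 80),   # elsewhere: permitted, no message
]

if __name__ == "__main__":
    for label, cfg in (("logging off + per-rule log", GUIDE_CONFIG),
                       ("logging on", GUIDE_CONFIG[:2] +
                        ["acl 101 apply interface int1 input logging on"])):
        print(label)
        for src, (action, logged) in log_events(cfg, "int1", SAMPLE_PACKETS):
            print(f"  {src:<10} {action:<6} {'message' if logged else 'silent'}")
```

With the guide's configuration only the packet from 10.2.0.0/16 produces a message, which is the behaviour the page describes. Swapping the apply line to logging on makes the permitted packet produce a message as well, which is the per-packet cost the performance note warns about.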
