Acl logging, Displaying acl log entries – Brocade Virtual ADX Security Guide (Supporting ADX v03.1.00) User Manual


Brocade Virtual ADX Security Guide

53-1003250-01


To reapply ACLs following an ACL configuration change, enter the following command at the global
CONFIG level of the CLI.

Virtual ADX (config)#ip rebind-acl all

Syntax: [no] ip rebind-acl num | name | all

ACL logging

You may want the software to log entries for ACLs in the syslog. This section describes how
ACL logging is processed.

You can globally disable ACL logging without the need to remove the log option from each ACL
entry. When you globally disable ACL logging, the ACL entries remain unchanged but the log option
is ignored. You also can configure the device to copy traffic that is denied to an interface. This
option allows you to monitor the denied traffic without sending the traffic to the CPU.

To globally disable ACL logging, enter the following command at the global CONFIG level of the CLI.

Virtual ADX (config)#ip access-list disable-log-to-cpu

Syntax: [no] ip access-list disable-log-to-cpu

To re-enable ACL logging, enter the following command.

Virtual ADX (config)#no ip access-list disable-log-to-cpu

Copying denied traffic to a mirror port for monitoring

You can monitor the traffic denied by ACLs. To do so, attach a protocol analyzer to a port and
enable the device to redirect traffic denied by ACLs to that port.

To redirect traffic denied by ACLs, enter the following command at the interface configuration level.

Virtual ADX (config-if-1/1)#ip access-group redirect-deny-to-interf

Syntax: [no] ip access-group redirect-deny-to-interf

Enter the command on the port to which you want the denied traffic to be copied.

NOTE

The software requires that an ACL has already been applied to the interface.

When you enable redirection, the deny action of the ACL entry is still honored. Traffic that matches
the ACL is not forwarded.

Displaying ACL log entries

The first time an entry in an ACL permits or denies a packet and logging is enabled for that entry,
the software generates a Syslog message and an SNMP trap. Messages for packets permitted or
denied by ACLs are at the warning level of the Syslog.

When the first Syslog entry for a packet permitted or denied by an ACL is generated, the software
starts an ACL timer. After this, the software sends Syslog messages every one to ten minutes,
depending on the value of the timer interval. If an ACL entry does not permit or deny any packets
during the timer interval, the software does not generate a Syslog entry for that ACL entry.
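The cadence described above (one message on the first match, then at most one message per timer interval, and none for an idle interval) determines how many Syslog lines a burst of denied packets actually produces. The following added model is not Brocade code; it assumes, where the guide is silent, that the timer stops after an idle interval so the next match is logged immediately, and uses constructed ACL entry names and timestamps.

```python
from dataclasses import dataclass, field

@dataclass
class AclLogThrottle:
    """Added model of the ACL Syslog cadence (not Brocade code).

    First match of a logged entry: immediate message, timer starts.
    Later matches: counted, reported once per interval; an interval
    with no matches produces no message.  Assumption: after an idle
    interval the timer stops, so the next match logs immediately.
    interval_s is the timer interval (the guide allows 1 to 10 minutes).
    """
    interval_s: int = 300
    timer_end: dict = field(default_factory=dict)  # entry -> end of current interval
    pending: dict = field(default_factory=dict)    # entry -> matches since last message
    messages: list = field(default_factory=list)   # (time, entry, packet count)

    def _flush(self, entry, now):
        """Close every interval for `entry` that ended at or before `now`."""
        while entry in self.timer_end and now >= self.timer_end[entry]:
            end = self.timer_end[entry]
            count = self.pending.get(entry, 0)
            if count:
                self.messages.append((end, entry, count))
                self.pending[entry] = 0
                self.timer_end[entry] = end + self.interval_s
            else:
                del self.timer_end[entry]  # idle interval: no message (assumed: timer stops)

    def match(self, now, entry):
        """A packet was permitted or denied by `entry` (with log option) at time `now` (s)."""
        self._flush(entry, now)
        if entry not in self.timer_end:
            self.messages.append((now, entry, 1))  # first hit: Syslog message and SNMP trap
            self.timer_end[entry] = now + self.interval_s
        else:
            self.pending[entry] = self.pending.get(entry, 0) + 1

    def report(self, now):
        """Return every message that would have been emitted up to time `now`."""
        for entry in list(self.timer_end):
            self._flush(entry, now)
        return [m for m in self.messages if m[0] <= now]

def simulate():
    """Constructed timeline: a burst on one entry, a stray hit on another, a late hit."""
    th = AclLogThrottle(interval_s=60)
    for t in (0, 5, 10, 20):        # four denies on entry 10 within the first minute
        th.match(t, "acl101-seq10")
    th.match(30, "acl101-seq20")    # single hit on a different entry
    th.match(200, "acl101-seq10")   # entry 10 hit again after two idle intervals
    return th.report(300)

if __name__ == "__main__":
    for t, entry, n in simulate():
        print(f"t={t:>4}s  {entry}: {n} packet(s)")
```

Four denies in the first minute yield two log lines (one immediate, one interval summary), so a SIEM count of ACL messages is a lower bound on matched packets, not a packet count.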
