ACL logging, Syslog message for changed ACL mode – Brocade Communications Systems ServerIron ADX 12.4.00a User Manual

ServerIron ADX Security Guide

53-1002440-03

ACL logging

You may want the software to log ACL matches to the Syslog. This section describes how logging is handled when ACLs run in rule-based mode.

Rule-based ACLs do not support the log option. Even when rule-based ACLs are enabled, if an ACL entry has the log option, traffic that matches that entry is sent to the CPU for processing. Depending on how many entries have the log option and how often packets match those entries, ACL performance can be affected.

If your configuration already contains ACLs that you want to use with rule-based ACLs, but some of the ACLs contain the log option, the software changes the ACL mode to flow-based for the traffic flows that match the ACL. Changing the mode to flow-based enables the device to send the matching flows to the CPU for processing. This is required because the CPU is needed to generate the Syslog message.

You can globally disable ACL logging without removing the log option from each ACL entry. When you globally disable ACL logging, the ACL entries remain unchanged, but the log option is ignored and the ACL can run in rule-based mode. You also can configure the device to copy traffic that is denied by a rule-based ACL to an interface. This option allows you to monitor the denied traffic without sending the traffic to the CPU.

To globally disable ACL logging, enter the following command at the global CONFIG level of the CLI.

ServerIronADX(config)# ip access-list disable-log-to-cpu

Syntax: [no] ip access-list disable-log-to-cpu

To re-enable ACL logging, enter the following command.

ServerIronADX(config)# no ip access-list disable-log-to-cpu
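The practical check here is whether any ACL entry still carries the log option while ACL logging is globally enabled, because that combination silently demotes the matching flows to flow-based (CPU) processing. The following script is an added example and is not part of the Brocade documentation or the ServerIron software: it audits a saved running-config for log entries, the global disable-log-to-cpu command and redirect-deny-to-interf ports. The config fragment is constructed for the example, and the ACL syntax it parses (numbered `access-list N permit|deny ... log` and named `ip access-list extended NAME` with indented entries) is assumed rather than taken from this page.

```python
import re

# Constructed sample of a running-config fragment. The ACL entry syntax is an
# assumption for this example; only the two commands documented on this page
# (disable-log-to-cpu and redirect-deny-to-interf) are taken from the manual.
SAMPLE_CONFIG = """\
!
access-list 101 deny tcp any host 10.1.1.10 eq 23 log
access-list 101 permit ip any any
ip access-list extended mgmt-in
 deny udp any any eq 161 log
 permit ip any any
!
interface ethernet 1/1
 ip access-group 101 in
!
interface ethernet 1/8
 ip access-group redirect-deny-to-interf
!
"""

NUMBERED_ACL = re.compile(r"^access-list\s+\d+\s+(permit|deny)\b.*\blog\b", re.I)
NAMED_HEADER = re.compile(r"^ip access-list\s+(standard|extended)\s+(\S+)", re.I)
NAMED_ENTRY = re.compile(r"^\s+(permit|deny)\b.*\blog\b", re.I)
INTERFACE = re.compile(r"^interface\s+(\S+\s+\S+)", re.I)
REDIRECT = re.compile(r"^\s+ip access-group redirect-deny-to-interf\b", re.I)
DISABLE_LOG = re.compile(r"^ip access-list disable-log-to-cpu\s*$", re.I)


def audit_acl_logging(config: str) -> dict:
    """Walk the config once and collect everything relevant to ACL logging mode."""
    log_entries = []      # (line number, ACL id, entry text) for entries with 'log'
    redirect_ports = []   # interfaces configured as the denied-traffic mirror port
    logging_disabled = False
    current_acl = None
    current_if = None
    for lineno, raw in enumerate(config.splitlines(), 1):
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if DISABLE_LOG.match(line):
            logging_disabled = True
            continue
        m = NAMED_HEADER.match(line)
        if m:
            current_acl, current_if = m.group(2), None
            continue
        m = INTERFACE.match(line)
        if m:
            current_if, current_acl = m.group(1), None
            continue
        if not line[0].isspace():
            # Any other top-level statement ends the open ACL or interface block.
            current_acl = current_if = None
        if NUMBERED_ACL.match(line):
            log_entries.append((lineno, line.split()[1], line))
        elif current_acl and NAMED_ENTRY.match(line):
            log_entries.append((lineno, current_acl, line.strip()))
        elif current_if and REDIRECT.match(line):
            redirect_ports.append(current_if)
    return {
        "log_entries": log_entries,
        "logging_disabled": logging_disabled,
        "redirect_ports": redirect_ports,
        # Per the manual: log entries with logging enabled force flow-based mode
        # for the matching flows, i.e. CPU processing.
        "forces_flow_based": bool(log_entries) and not logging_disabled,
    }


def findings(config: str) -> list:
    """Human-readable findings a reviewer would put in a config audit."""
    r = audit_acl_logging(config)
    out = []
    for lineno, acl, text in r["log_entries"]:
        out.append(f"line {lineno}: ACL {acl} entry uses 'log': {text}")
    if r["forces_flow_based"]:
        out.append("ACL logging is enabled globally; matching flows for the entries "
                   "above will be handled flow-based (sent to the CPU)")
    if r["redirect_ports"]:
        out.append("denied traffic is mirrored to: " + ", ".join(r["redirect_ports"]))
    return out


if __name__ == "__main__":
    for f in findings(SAMPLE_CONFIG):
        print(f)
```

Feed it the output of a saved `show running-config`; appending `ip access-list disable-log-to-cpu` to the sample flips `forces_flow_based` to False while leaving the log entries in place, which is exactly the behaviour the global command is documented to have.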

Syslog message for changed ACL mode

If the device changes the ACL mode from rule-based to flow-based, the device generates one of the following Syslog notification messages:

ACL insufficient L4 session resource, using flow based ACL instead.

ACL exceed max DMA L4 cam resource, using flow based ACL instead. Refer to “Specifying the maximum number of CAM entries for rule-based ACLs” on page 54.

ACL insufficient L4 cam resource, using flow based ACL instead.
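A fallback from rule-based to flow-based ACL processing is worth alerting on, since it means traffic that should have been filtered in hardware is now being handled by the CPU. The following detector is an added example, not code from the Brocade documentation; it scans syslog lines for the three messages listed above and classifies each by its cause. The syslog lines are constructed for the example, and the host/timestamp prefix format is an assumption; only the message text is taken from this page.

```python
import re
from collections import Counter

# Message text as documented on this page; the cause label is added here.
ACL_MODE_CHANGE_MESSAGES = {
    "ACL insufficient L4 session resource, using flow based ACL instead": "l4_session",
    "ACL exceed max DMA L4 cam resource, using flow based ACL instead": "dma_l4_cam",
    "ACL insufficient L4 cam resource, using flow based ACL instead": "l4_cam",
}

# Remediation hints. The CAM-limit reference is from the manual; the other
# two are assumptions for this example.
HINTS = {
    "dma_l4_cam": "see 'Specifying the maximum number of CAM entries for rule-based ACLs'",
    "l4_cam": "L4 CAM exhausted; reduce rule count or review CAM allocation (assumed)",
    "l4_session": "L4 session table exhausted; check session load or ACL 'log' entries (assumed)",
}

# Constructed sample syslog lines; the 'Mon DD HH:MM:SS host' prefix is assumed.
SAMPLE_SYSLOG = """\
Jan 14 10:02:11 adx-edge-1 ACL insufficient L4 cam resource, using flow based ACL instead.
Jan 14 10:02:15 adx-edge-1 Interface ethernet 1/3, state up
Jan 14 10:05:40 adx-edge-2 ACL exceed max DMA L4 cam resource, using flow based ACL instead.
Jan 14 10:06:02 adx-edge-1 ACL insufficient L4 session resource, using flow based ACL instead.
Jan 14 10:06:30 adx-edge-2 ACL insufficient L4 cam resource, using flow based ACL instead.
"""

_PREFIX = re.compile(r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+(?P<msg>.*)$")


def find_acl_mode_changes(lines) -> list:
    """Return one record per syslog line announcing a rule-based -> flow-based fallback."""
    events = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = _PREFIX.match(line)
        ts, host, msg = (m.group("ts"), m.group("host"), m.group("msg")) if m else ("", "", line)
        msg = msg.rstrip(".")
        for text, cause in ACL_MODE_CHANGE_MESSAGES.items():
            if text in msg:
                events.append({"ts": ts, "host": host, "cause": cause, "hint": HINTS[cause]})
                break
    return events


def summarize(events) -> dict:
    """Count fallbacks per (host, cause) so repeated exhaustion stands out."""
    return dict(Counter((e["host"], e["cause"]) for e in events))


if __name__ == "__main__":
    evs = find_acl_mode_changes(SAMPLE_SYSLOG.splitlines())
    for e in evs:
        print(f"{e['ts']} {e['host']}: ACL fell back to flow-based ({e['cause']}); {e['hint']}")
    print(summarize(evs))
```

Pointing this at the syslog receiver's archive (or the device's `show log` output, whose prefix may differ from the assumed one; lines that do not match the prefix are still classified on message text alone) gives a per-device count of how often hardware ACL enforcement has been lost, which is the signal to revisit the CAM limits referenced above.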

Copying denied traffic to a mirror port for monitoring

Although rule-based ACLs do not support ACL logging, you nonetheless can monitor the traffic denied by rule-based ACLs. To do so, attach a protocol analyzer to a port and enable the device to redirect traffic denied by ACLs to that port.

To redirect traffic denied by ACLs, enter the following command at the interface configuration level.

ServerIronADX(config-if-1/1)# ip access-group redirect-deny-to-interf

Syntax: [no] ip access-group redirect-deny-to-interf

Enter the command on the port to which you want the denied traffic to be copied.
