Configuration tasks for acl logging, Example acl logging configuration – Brocade FastIron Ethernet Switch Security Configuration Guide User Manual

Page 127


NOTE
The above limitation applies only to IPv4 ACLs; it does not apply to the use of ACLs to log IPv6 traffic.

• When ACL logging is enabled on Brocade FCX Series and ICX devices, packets sent to the CPU are automatically rate limited to prevent CPU overload.

• When ACL logging is enabled on FastIron X Series devices, Brocade recommends that you configure a traffic conditioner, then link the ACL to the traffic conditioner to prevent CPU overload. For example:

device(config)#traffic-policy TPD1 rate-limit fixed 100 exceed-action drop
device(config)#access-list 101 deny ip host 10.10.12.2 any traffic-policy TPD1 log

• ACL logging is intended for debugging purposes. Brocade recommends that you disable ACL logging after the debug session is over.

Configuration tasks for ACL logging

To enable ACL logging, complete the following steps:

1. Create ACL entries with the log option
2. Enable ACL logging on individual ports

NOTE
The command syntax for enabling ACL logging is different on IPv4 devices than on IPv6 devices.
See the configuration examples in the next section.

3. Bind the ACLs to the ports on which ACL logging is enabled

Example ACL logging configuration

The following shows an example ACL logging configuration on an IPv4 device.

device(config)#access-list 1 deny host 10.157.22.26 log
device(config)#access-list 1 deny 10.157.29.12 log
device(config)#access-list 1 deny host IPHost1 log
device(config)#access-list 1 permit any
device(config)#interface e 1/4
device(config-if-e1000-1/4)#ACL-logging
device(config-if-e1000-1/4)#ip access-group 1 in

The above commands create ACL entries that include the log option, enable ACL logging on interface e
1/4, then bind the ACL to interface e 1/4. Statistics for packets that match the deny statements will be
logged.

Syntax: ACL-logging

The ACL-logging command applies to IPv4 devices only. For IPv6 devices, use the logging-enable
command as shown in the following example.

The following shows an example configuration on an IPv6 device.

device(config)#ipv6 acc ACL_log_v6
device(config-ipv6-access-list ACL_log_v6)#logging-enable
device(config-ipv6-access-list ACL_log_v6)#deny ipv6 host 2001:DB8::1 any log
device(config-ipv6-access-list ACL_log_v6)#inter e 9/12
device(config-if-e1000-9/12)#ipv6 traffic-filter ACL_log_v6 in
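The following is an added example, not part of the Brocade guide: a small Python audit that checks a running-config against the three configuration steps and the X Series caveat above, flagging IPv4 log entries with no traffic-policy, IPv6 ACLs that carry log entries without logging-enable, and ports that bind a logging ACL without ACL-logging. The config text, its indented-block layout and the parse_config/audit functions are assumptions made for this example.

```python
from collections import defaultdict

# Constructed sample running-config (not captured from a device), using the
# page's "log", ACL-logging and logging-enable syntax; 1/5 lacks ACL-logging.
SAMPLE_CONFIG = """\
access-list 1 deny host 10.157.22.26 log
access-list 1 permit any
access-list 101 deny ip host 10.10.12.2 any traffic-policy TPD1 log
ipv6 access-list ACL_log_v6
 deny ipv6 host 2001:DB8::1 any log
interface ethernet 1/4
 ACL-logging
 ip access-group 1 in
interface ethernet 1/5
 ip access-group 1 in
"""

def parse_config(text):
    """Split config into flat IPv4 ACL entries and indented blocks."""
    v4, blocks, key = defaultdict(list), {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if raw.startswith(" ") and key:          # body line of the current block
            blocks[key].append(line)
        elif line.startswith("access-list "):    # IPv4 ACLs are flat statements
            _, acl, entry = line.split(" ", 2)
            v4[acl].append(entry)
        elif line.startswith(("ipv6 access-list ", "interface ")):
            key = line
            blocks[key] = []
        else:
            key = None
    return v4, blocks

def audit(text):
    """Return one finding per ACL-logging misconfiguration or CPU-load risk."""
    v4, blocks = parse_config(text)
    out = [f"acl {a}: log entry without traffic-policy (X Series CPU risk): {e}"
           for a, entries in v4.items() for e in entries
           if e.endswith(" log") and "traffic-policy" not in e]
    for key, body in blocks.items():
        if key.startswith("ipv6 access-list"):   # step 2 for IPv6: logging-enable
            if any(ln.endswith(" log") for ln in body) and "logging-enable" not in body:
                out.append(f"{key}: log entries present but logging-enable missing")
        else:                                    # step 2 for IPv4: ACL-logging on the port
            bound = [ln.split()[2] for ln in body if ln.startswith("ip access-group ")]
            has_log = any(e.endswith(" log") for a in bound for e in v4.get(a, []))
            if has_log and not any(ln.lower() == "acl-logging" for ln in body):
                out.append(f"{key}: binds a logging ACL but ACL-logging is not set")
    return out
```

Running audit(SAMPLE_CONFIG) reports three findings (acl 1, ACL_log_v6 and interface ethernet 1/5); the same check can be run over show running-config output saved to a file.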

FastIron Ethernet Switch Security Configuration Guide

53-1003088-03
