Quick Reference Guide

PowerConnect B-Series TI24X Configuration Guide 381
53-1002269-02
PowerConnect(config-vlan-ip-subnet)# router-interface ve 20
PowerConnect(config-vlan-ip-subnet)# logging console
PowerConnect(config-vlan-ip-subnet)# exit
PowerConnect(config-vlan-1)# no vlan-dynamic-discovery
Vlan dynamic discovery is disabled
PowerConnect(config-vlan-1)# int e 2
PowerConnect(config-if-e10000-2)# disable
PowerConnect(config-if-e10000-2)# interface ve 10
PowerConnect(config-vif-10)# ip address 192.168.10.254 255.255.255.0
PowerConnect(config-vif-10)# int ve 20
PowerConnect(config-vif-20)# ip access-group test1 in
PowerConnect(config-vif-20)# ip address 10.15.1.10 255.255.255.0
PowerConnect(config-vif-20)# exit
PowerConnect(config)# ip access-list extended test1
PowerConnect(config-ext-nACL)# permit ip 10.15.1.0 0.0.0.255 any log
PowerConnect(config-ext-nACL)# permit ip 192.168.10.0 0.0.0.255 any log
PowerConnect(config-ext-nACL)# end
PowerConnect#
Enabling ACL logging
You may want the software to log entries in the Syslog for packets that are denied by ACL filters.
ACL logging is disabled by default; it must be explicitly enabled on a port.
When you enable logging for ACL entries, statistics for packets that match the deny conditions of
the ACL entries are logged. For example, if you configure a standard ACL entry to deny all packets
from source address 209.157.22.26, statistics for packets that are explicitly denied by the ACL
entry are logged in the Syslog buffer and in SNMP traps sent by the device.
The first time an ACL entry denies a packet, the software immediately generates a Syslog entry and
an SNMP trap. The software also starts a five-minute timer. The timer keeps track of all packets
explicitly denied by the ACL entries. After five minutes, the software generates a single Syslog entry
for each ACL entry that denied a packet. The Syslog entry (message) indicates the number of
packets denied by the ACL entry during the previous five minutes. Note, however, that the packet
count may be inaccurate if the packet rate is high and exceeds the rate at which the CPU can process the packets.
If no ACL entries explicitly deny packets during an entire five-minute timer interval, the timer stops.
The timer restarts when an ACL entry explicitly denies a packet.
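To make the timer behaviour described above concrete, here is an added Python model of the logging sequence (illustrative code written for this description, not Dell firmware). It assumes a single timer shared by all ACL entries, that the deny which triggers the immediate entry also counts toward the next five-minute summary, and that the timer keeps running for a further interval after each summary until an interval passes with no denies.

```python
"""Model of the ACL deny-logging timer described in the guide (illustrative, not device code)."""
from collections import Counter

WINDOW = 300  # five-minute aggregation interval, in seconds


class AclLogger:
    """Simulates the Syslog entries produced by the deny-logging timer."""

    def __init__(self, window: int = WINDOW) -> None:
        self.window = window
        self.expires_at = None      # None means the timer is stopped
        self.counts = Counter()     # denies per ACL entry in the current interval
        self.entries = []           # emitted (time, message) tuples

    def _expire(self, now: float) -> None:
        # Process every interval boundary that lies at or before `now`
        while self.expires_at is not None and now >= self.expires_at:
            at = self.expires_at
            if not self.counts:
                self.expires_at = None      # an interval with no denies: timer stops
                break
            # One summary entry per ACL entry that denied something in the interval
            for acl, n in sorted(self.counts.items()):
                self.entries.append((at, f"{acl}: {n} packet(s) denied in the previous {self.window}s"))
            self.counts.clear()
            self.expires_at = at + self.window  # timer continues for another interval

    def deny(self, now: float, acl: str) -> None:
        """Record that ACL entry `acl` (a constructed label) denied a packet at time `now`."""
        self._expire(now)
        if self.expires_at is None:
            # First deny while the timer is idle: immediate Syslog entry and SNMP trap, timer starts
            self.entries.append((now, f"{acl}: packet denied (immediate entry, SNMP trap sent)"))
            self.expires_at = now + self.window
        self.counts[acl] += 1  # assumption: the triggering packet is included in the summary count

    def flush(self, now: float) -> list:
        """Advance the clock to `now` and return all entries emitted so far."""
        self._expire(now)
        return list(self.entries)


if __name__ == "__main__":
    # Constructed sample: three denies within the first minute, then silence
    log = AclLogger()
    for t, acl in [(0, "test1/seq10"), (30, "test1/seq10"), (45, "test1/seq20")]:
        log.deny(t, acl)
    for at, msg in log.flush(700):
        print(f"t={at:>4}s  {msg}")
```

With the constructed sample, one immediate entry appears at t=0 and two summary entries appear at t=300, after which the timer stops; a deny at t=800 would produce a fresh immediate entry.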
NOTE
The timer for logging packets denied by Layer 2 filters is a different timer than the ACL logging timer.
Configuration notes
Note the following before configuring ACL logging:
• You can enable ACL logging on physical and virtual interfaces.
• ACL logging logs denied packets only.
• When ACL logging is disabled, packets that match the ACL rule are forwarded or dropped in hardware. When ACL logging is enabled, all packets that match the ACL deny rule are sent to the CPU. When ACL logging is enabled, Dell recommends that you configure a traffic conditioner, then link the ACL to the traffic conditioner to prevent CPU overload. For example: