Quick Reference Guide

382 PowerConnect B-Series TI24X Configuration Guide
53-1002269-02
Enabling ACL logging
13
PowerConnect(config)# traffic-policy TPD1 rate-limit fixed 100 exceed-action drop
PowerConnect(config)# access-list 101 deny ip host 210.10.12.2 any traffic-policy TPD1 log
ACL logging is intended for debugging purposes. Dell recommends that you disable ACL logging
after the debug session is over.
Configuration Tasks
To enable ACL logging, complete the following steps:
1. Create ACL entries with the log option
2. Enable ACL logging on individual ports
NOTE
The command syntax for enabling ACL logging is different on IPv4 devices than on IPv6
devices. See the configuration examples in the next section.
3. Bind the ACLs to the ports on which ACL logging is enabled
Example Configuration
The following shows an example configuration on an IPv4 device.
PowerConnect(config)# access-list 1 deny host 209.157.22.26 log
PowerConnect(config)# access-list 1 deny 209.157.29.12 log
PowerConnect(config)# access-list 1 deny host IPHost1 log
PowerConnect(config)# access-list 1 permit any
PowerConnect(config)# interface e 4
PowerConnect(config-if-e10000-4)# ACL-logging
PowerConnect(config-if-e10000-4)# ip access-group 1 in
The above commands create ACL entries that include the log option, enable ACL logging on
interface e 4, then bind the ACL to interface e 4. Statistics for packets that match the deny
statements will be logged.
Syntax: ACL-logging
The ACL-logging command applies to IPv4 devices only.
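The three configuration tasks above only produce log entries when all of them are in place on the same port. The following check is an added example, not part of the Dell guide: it reads a pasted IPv4 CLI session or configuration listing and reports, per interface, whether the log option, the ACL-logging command and the ACL binding line up. The function name audit_acl_logging, the input layout and interface e 5 in the sample are assumptions made for illustration; IPv6 syntax is not covered.

```python
import re

PROMPT = re.compile(r"^\S+\(config[^)]*\)#\s*")  # strips "PowerConnect(config)# " if present

def audit_acl_logging(text):
    """Return {interface: {"acls": [...], "acl_logging": bool, "findings": [...]}}."""
    acl_has_log = {}   # ACL id -> True if any entry carries the log option
    ports = {}         # interface name -> state collected from its config block
    current = None
    for raw in text.splitlines():
        line = PROMPT.sub("", raw.strip())
        words = line.split()
        if not words:
            continue
        if words[0] == "access-list" and len(words) > 2:
            current = None
            acl_has_log[words[1]] = acl_has_log.get(words[1], False) or words[-1] == "log"
        elif words[0] == "interface":
            current = " ".join(words[1:])
            ports.setdefault(current, {"acls": [], "acl_logging": False, "findings": []})
        elif current and line.lower() == "acl-logging":
            ports[current]["acl_logging"] = True
        elif current and words[:2] == ["ip", "access-group"] and len(words) > 2:
            ports[current]["acls"].append(words[2])
    for port in ports.values():
        logged = [a for a in port["acls"] if acl_has_log.get(a)]
        if port["acl_logging"] and not logged:
            port["findings"].append("ACL-logging enabled but no bound ACL has a log entry")
        if logged and not port["acl_logging"]:
            port["findings"].append("bound ACL has log entries but ACL-logging is not enabled")
        if port["acl_logging"] and logged:
            port["findings"].append("logging active: disable after the debug session")
    return ports

# Constructed sample: the page's IPv4 example plus a second port missing step 2.
SAMPLE = """\
PowerConnect(config)# access-list 1 deny host 209.157.22.26 log
PowerConnect(config)# access-list 1 deny 209.157.29.12 log
PowerConnect(config)# access-list 1 permit any
PowerConnect(config)# interface e 4
PowerConnect(config-if-e10000-4)# ACL-logging
PowerConnect(config-if-e10000-4)# ip access-group 1 in
PowerConnect(config)# interface e 5
PowerConnect(config-if-e10000-5)# ip access-group 1 in
"""

if __name__ == "__main__":
    for name, state in audit_acl_logging(SAMPLE).items():
        print(name, state["acls"], state["acl_logging"], state["findings"])
```

The third finding reflects the recommendation above to disable ACL logging once the debug session is over, so a port that reports it is correctly configured but should not stay that way.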
Displaying ACL Log Entries
The first time an entry in an ACL permits or denies a packet and logging is enabled for that entry,
the software generates a Syslog message and an SNMP trap. Messages for packets permitted or
denied by ACLs are at the warning level of the Syslog.
When the first Syslog entry for a packet permitted or denied by an ACL is generated, the software
starts an ACL timer. After this, the software sends Syslog messages every five minutes. If an ACL
entry does not permit or deny any packets during the timer interval, the software does not generate
a Syslog entry for that ACL entry.
NOTE
For an ACL entry to be eligible to generate a Syslog entry for denied packets, logging must be
enabled for the entry. The Syslog contains entries only for the ACL entries that deny packets and
have logging enabled.