Access Security Guide K/KA/KB.15.15

Inserting a remark for an ACE that already exists in an ACL
If a sequence number is already assigned to an ACE in a list, you cannot insert a remark by
assigning it to the same number. (To configure a remark with the same number as a given ACE,
the remark must be configured first.) To assign a remark to the same number as an existing ACE:
1. Delete the ACE.
2. Configure the remark with the number you want assigned to the pair.
3. Re-enter the deleted ACE with the number used to enter the remark.
Removing a remark from an existing ACE
If you want to remove a remark, but want to retain the ACE, do the following:
1. Use the Named ACL context to enter the ACL.
2. Using show run or show access-list < list-name > config, note the sequence
number and content of the ACE having a remark you want to remove.
3. Delete the ACE.
4. Using the same sequence number, re-enter the ACE.
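The two delete-and-re-enter procedures above as one CLI session, added here as an illustration and not taken from the guide. The ACL name "LAB-FILTER", the sequence numbers and the addresses are constructed; the command forms (named-ACL context, `no <seq-#>` to delete an entry, `<seq-#> remark`, `show access-list <list-name> config`) are assumed to match this release and should be confirmed against the `show` output on the switch.

```text
# Constructed example (not the guide's own text). Start from an ACL that already
# holds ACE 20 with no remark and record its content before touching it.
switch(config)# ip access-list extended "LAB-FILTER"
switch(config-ext-nacl)# show access-list "LAB-FILTER" config

# --- Inserting a remark for an ACE that already exists ---
# 1. Delete the ACE (sequence number 20 is assumed here).
switch(config-ext-nacl)# no 20
# 2. Configure the remark with the number you want assigned to the pair.
switch(config-ext-nacl)# 20 remark "Drop Telnet toward the management subnet"
# 3. Re-enter the deleted ACE with the same number, exactly as recorded above.
switch(config-ext-nacl)# 20 deny tcp any 192.0.2.0/24 eq 23 log

# --- Removing the remark again while keeping the ACE ---
# Delete the ACE (this removes the remark/ACE pair at sequence 20) ...
switch(config-ext-nacl)# no 20
# ... and re-enter only the ACE with the same sequence number.
switch(config-ext-nacl)# 20 deny tcp any 192.0.2.0/24 eq 23 log
switch(config-ext-nacl)# exit

# Verify that the sequence numbering and the ACE content are what you intended.
switch(config)# show access-list "LAB-FILTER" config
```

Because the ACE is absent between the delete and the re-enter, do this during a maintenance window or on an ACL that is not yet applied; re-entering with the same sequence number keeps the ACE's position relative to the other entries.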
Enable ACL “Deny” or “Permit” Logging
ACL logging enables the switch to generate a message when IP traffic meets the criteria for a match
with an ACE that results in an explicit “deny” or “permit” action. You can use ACL logging to help:
• Test your network to ensure that your ACL configuration is detecting and denying or permitting
the IPv4 traffic you do not want forwarded.
• Receive notification when the switch detects attempts to forward IPv4 traffic you have designed
your ACLs to reject (deny) or allow (permit).
The switch sends ACL messages to Syslog and optionally to the current console, Telnet, or SSH session.
You can use logging < > to configure up to six Syslog server destinations.
Requirements for using ACL Logging
• The switch configuration must include an ACL (1) assigned to a port, trunk, or static VLAN
interface and (2) containing an ACE configured with the deny or permit action and the log
option.
• If the RACL application is used, then IPv4 routing must be enabled on the switch.
• For ACL logging to a Syslog server:
  – The server must be accessible to the switch and identified in the running configuration.
  – The logging facility must be enabled for Syslog.
• Debug must be configured to:
  – support ACL messages
  – send debug messages to the desired debug destination
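A configuration that satisfies each requirement in the list above, added here as an example rather than quoted from the guide. The ACL name, VLAN ID and addresses are constructed, and the `logging <ip-addr>`, `debug destination logging` and `debug acl` command forms are assumed for this release; confirm them with `show debug` and `show running-config` on the switch.

```text
# Constructed example (not the guide's own text).
# Requirement 1: an ACL containing an ACE with a deny or permit action plus the log option.
switch(config)# ip access-list extended "LAB-FILTER"
switch(config-ext-nacl)# 10 remark "Log and drop Telnet toward the management subnet"
switch(config-ext-nacl)# 10 deny tcp any 192.0.2.0/24 eq 23 log
switch(config-ext-nacl)# 20 permit ip any any
switch(config-ext-nacl)# exit

# Requirement 1 (continued): the ACL must be assigned to a port, trunk, or static VLAN.
# Assigning it as a VACL on VLAN 10 keeps the example independent of IPv4 routing,
# so the RACL requirement (ip routing enabled) does not apply here.
switch(config)# vlan 10 ip access-group "LAB-FILTER" in

# Requirement 2: a Syslog server reachable from the switch and present in the
# running configuration (address is a constructed documentation value).
switch(config)# logging 192.0.2.250

# Requirement 3: debug must send messages to the chosen destination and include
# ACL messages. 'debug destination logging' targets the Syslog server(s) configured
# above; use 'debug destination session' to see the messages in the current session.
switch(config)# debug destination logging
switch(config)# debug acl

# Check that both debug settings are in effect before relying on the log stream.
switch(config)# show debug
```

Note that the `log` keyword belongs on the individual ACE, not on the ACL as a whole, so only the entries you mark will generate messages; an implicit deny at the end of the list is not logged unless you add an explicit `deny ip any any log` ACE.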
These requirements are described in more detail under “Enabling ACL Logging on the Switch” on
page 10-114.
ACL Logging Operation
When the switch detects a packet match with an ACE and the ACE includes either the deny or
permit action, and the optional log parameter, an ACL log message is sent to the designated debug
destination.
The first time a packet matches an ACE with deny or permit and log configured, the message is
sent immediately to the destination and the switch starts a wait period of approximately five minutes.