Access Security Guide K/KA/KB.15.15

(The exact duration of the period depends on how the packets are internally routed.) At the end
of the collection period, the switch sends a single-line summary of any additional deny or permit
matches for that ACE (and any other “deny” or “permit” ACEs for which the switch detected a
match).
If no further log messages are generated during the wait period, the switch suspends the timer and
resets itself to send a message as soon as the next "deny" or "permit" match occurs. If subsequent
packets matching the already-logged ACL entries are detected, a new logged event is generated that
summarizes the number of packets that matched each specific entry (with the time period). The data
in the message includes the information illustrated in Figure 206.
Figure 206 Content of a message generated by an ACL-Deny action
Enabling ACL logging on the switch
1. If you are using a Syslog server, use the logging <ip-addr> command to configure the Syslog
server IPv4 address. Ensure that the switch can reach any Syslog server you specify.
2. Use logging facility syslog to enable logging for Syslog operation.
3. Use the debug destination command to configure one or more log destinations. Destination
options include logging and session. For more information, see the Management and
Configuration Guide for your switch.
4. Use debug acl or debug all to configure the debug operation to include ACL messages.
5. Configure one or more ACLs with the deny action and the log option.
Example
Suppose you want to configure the following operation:
On VLAN 10, configure an extended ACL with an ACL-ID of "NO-TELNET" and apply it as a routed
ACL (RACL) with the in option, so that it denies Telnet traffic entering the switch from 10.10.10.3
to any routed destination.
Note: This assignment will not filter Telnet traffic from 10.10.10.3 to destinations on VLAN
10 itself, because a RACL is applied only to traffic routed between VLANs.
Configure the switch to send an ACL log message to the current console session and to a
Syslog server at 10.10.20.3 on VLAN 20 if the switch detects a packet match denying a
Telnet attempt from 10.10.10.3.
This example assumes that IPv4 routing is already configured on the switch.
Figure 207 ACL log application
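The following CLI session carries the five-step procedure through for this example. It is an added illustration, not the content of the page's own figure: the prompt ProCurve(config)# is an assumed switch hostname, and the trailing permit ip any any is added here because every ACL ends with an implicit deny-any, so an ACL containing only the deny ACE would drop all other routed traffic entering VLAN 10.

```text
! Step 5 first: build the extended ACL with a logged deny ACE.
! "host 10.10.10.3" is the source; "any eq 23" is any destination, TCP port 23 (Telnet).
ProCurve(config)# ip access-list extended NO-TELNET
ProCurve(config-ext-nacl)# deny tcp host 10.10.10.3 any eq 23 log
! Added here so the implicit deny-any does not block all other routed traffic.
ProCurve(config-ext-nacl)# permit ip any any
ProCurve(config-ext-nacl)# exit

! Apply the ACL to VLAN 10 as a routed ACL, inbound.
ProCurve(config)# vlan 10 ip access-group NO-TELNET in

! Step 1: Syslog server on VLAN 20 (the switch must be able to reach it).
ProCurve(config)# logging 10.10.20.3
! Step 2: send the messages to the syslog facility.
ProCurve(config)# logging facility syslog
! Step 3: debug output goes to the log (and so to the Syslog server) and to the
! current console session.
ProCurve(config)# debug destination logging
ProCurve(config)# debug destination session
! Step 4: include ACL matches in the debug output.
ProCurve(config)# debug acl
```

Because matches are summarized per collection period, a burst of denied Telnet attempts produces one message for the first match and a single summary line with the match count at the end of the period, not one line per packet; when correlating on the Syslog server, treat the count in the summary as the number of denied attempts rather than counting messages.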
294 IPv4 Access Control Lists (ACLs)