Access Security Guide K/KA/KB.15.15

Enabling ACL "Deny" logging

ACL logging enables the switch to generate a message when IP traffic meets the criteria for a match with an ACE that results in an explicit "deny" action. You can use ACL logging to help:
- Test your network to ensure that your ACL configuration is detecting and denying the IPv4 traffic you do not want forwarded.
- Receive notification when the switch detects attempts to forward IPv4 traffic you have designed your ACLs to reject (deny).

The switch sends ACL messages to Syslog and optionally to the current console, Telnet, or SSH session. You can use logging < > to configure up to six Syslog server destinations.
Requirements for using ACL logging

- The switch configuration must include an ACL assigned to a port, trunk, or static VLAN interface. This ACL must contain an ACE configured with the deny action and the log option.
- If the RACL application is used, then IPv4 routing must be enabled on the switch.
- For ACL logging to a Syslog server:
  - The server must be accessible to the switch and identified in the running configuration.
  - The logging facility must be enabled for Syslog.
- Debug must be configured to:
  - support ACL messages
  - send debug messages to the desired debug destination

These requirements are described in more detail under "Enabling ACL logging on the switch" (page 294).
ACL logging operation

When the switch detects a packet match with an ACE and the ACE includes both the deny action and the optional log parameter, an ACL log message is sent to the designated debug destination. The first time a packet matches an ACE with deny and log configured, the message is sent immediately to the destination and the switch starts a wait period of approximately five minutes; the exact duration of the period depends on how the packets are internally routed. At the end of the collection period, the switch sends a single-line summary of any additional "deny" matches for that ACE, and of any other "deny" ACEs for which the switch detected a match. If no further log messages are generated in the wait period, the switch suspends the timer and resets itself to send a message as soon as a new "deny" match occurs. The data in the message includes the information illustrated in Figure 242.
Figure 242 Content of a message generated by an ACL-deny action
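The collection-window behaviour described above matters when you correlate these events on the Syslog server: you will see one immediate message per burst, then at most one summary line per window, not one line per denied packet. The following Python model is an added example, not code from the guide or from the switch firmware; it replays constructed deny matches through the documented rules (immediate message, then a window ending in a single-line summary, then an idle timer). The message wording, the ACE labels and the exact 300-second window length are assumptions, since the guide only says "approximately five minutes" and the real message format is the one in Figure 242.

```python
# Added example (not from the HP/Aruba guide): a small model of the ACL
# "deny" log throttling the guide describes.  Message wording, ACE labels
# and the 300-second window are assumptions for illustration only.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

WAIT_PERIOD = 300.0  # assumed length, in seconds, of the collection window


@dataclass
class DenyLogThrottler:
    """State machine for one switch: either the timer is idle or a window is open."""
    wait_period: float = WAIT_PERIOD
    window_end: Optional[float] = None                      # None => timer suspended
    pending: Dict[str, int] = field(default_factory=dict)   # ACE -> matches not yet reported
    emitted: List[str] = field(default_factory=list)        # lines sent to the debug destination

    def tick(self, now: float) -> None:
        """Advance the clock, closing every collection window that has expired."""
        while self.window_end is not None and now >= self.window_end:
            end = self.window_end
            if self.pending:
                # Activity during the window: send the single-line summary and
                # keep the timer running for another period.
                summary = ", ".join(f"{ace}: {n} additional match(es)"
                                    for ace, n in sorted(self.pending.items()))
                self.emitted.append(f"[{end:.0f}s] ACL deny summary: {summary}")
                self.pending.clear()
                self.window_end = end + self.wait_period
            else:
                # Quiet window: suspend the timer so the next match logs at once.
                self.window_end = None

    def on_deny_match(self, ace: str, src: str, dst: str, now: float) -> None:
        """Handle a packet that matched an ACE carrying both 'deny' and 'log'."""
        self.tick(now)
        if self.window_end is None:
            # Timer idle: log immediately and open a new collection window.
            self.emitted.append(f"[{now:.0f}s] ACL deny: {ace} {src} -> {dst}")
            self.window_end = now + self.wait_period
        else:
            # Inside a window: only count; the summary will report it.
            self.pending[ace] = self.pending.get(ace, 0) + 1


def simulate(events: List[Tuple[float, str, str, str]],
             wait_period: float = WAIT_PERIOD) -> List[str]:
    """Replay (time, ace, src, dst) deny matches and return the log lines produced."""
    sw = DenyLogThrottler(wait_period=wait_period)
    for now, ace, src, dst in sorted(events):
        sw.on_deny_match(ace, src, dst, now)
    if events:
        # Let the clock run on so any open window is closed and summarised.
        sw.tick(max(e[0] for e in events) + 2 * wait_period)
    return list(sw.emitted)


# Constructed sample: a Telnet probe seen twice, an ICMP hit on a second ACE
# inside the same window, then a late Telnet hit that lands in the next window.
SAMPLE_EVENTS = [
    (0.0,   "ACE10(deny tcp eq 23)", "10.1.1.7", "10.1.2.3"),
    (5.0,   "ACE10(deny tcp eq 23)", "10.1.1.7", "10.1.2.3"),
    (60.0,  "ACE20(deny icmp)",      "10.1.1.9", "10.1.2.3"),
    (400.0, "ACE10(deny tcp eq 23)", "10.1.1.8", "10.1.2.3"),
]

if __name__ == "__main__":
    for line in simulate(SAMPLE_EVENTS):
        print(line)
```

Running the sample produces three lines: the immediate message at 0 s, a summary at 300 s covering the extra ACE10 match and the ACE20 match, and a second summary at 600 s for the late hit. Two matches separated by more than a quiet window each produce an immediate message and no summary, which is the "timer suspended" case in the text.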
Syntax: show statistics
  aclv4 <acl-name-str> port <port-#>
  aclv4 <acl-name-str> vlan <vid> < in | out | vlan >
  aclv6 <acl-name-str> port <port-#>
332 IPv4 Access Control Lists (ACLs)