Technical data
ServerIron ADX NAT64 Configuration Guide 83
53-1002444-02
ACL logging
5
DRAFT: BROCADE CONFIDENTIAL
Syslog message for changed ACL mode
If the device changes the ACL mode from rule-based to flow-based, the device generates one of the
following syslog notification messages:
• ACL insufficient L4 session resource, using flow-based ACL instead.
• ACL exceed max DMA L4 CAM resource, using flow-based ACL instead. Refer to “Specifying the maximum number of CAM entries” on page 64.
• ACL insufficient L4 CAM resource, using flow-based ACL instead.
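Because the fallback to flow-based ACLs happens without operator action, a syslog collector should flag these three messages so the change in enforcement mode is noticed. The following is an added example, not code from the guide or from Brocade: the timestamp and hostname prefix in the sample lines is constructed, only the message bodies come from the list above.

```python
import re
from typing import Dict, List, Optional

# Constructed sample syslog lines (hypothetical "Mon DD HH:MM:SS host Level:" prefix);
# the message bodies are the three ACL mode-change notifications listed in the guide.
SAMPLE_SYSLOG = """\
Jan 12 10:01:02 adx-edge-1 Warning: ACL insufficient L4 session resource, using flow-based ACL instead.
Jan 12 10:01:05 adx-edge-1 Info: Interface ethernet 1/1, state up
Jan 12 10:07:44 adx-edge-1 Warning: ACL exceed max DMA L4 CAM resource, using flow-based ACL instead.
Jan 12 10:09:10 adx-edge-1 Warning: ACL insufficient L4 CAM resource, using flow-based ACL instead.
"""

# Map each guide-listed message to a short reason code usable in alert rules.
MODE_CHANGE_PATTERNS = {
    "l4_session_resource": re.compile(r"ACL insufficient L4 session resource, using flow-based ACL instead"),
    "dma_l4_cam_limit": re.compile(r"ACL exceed max DMA L4 CAM resource, using flow-based ACL instead"),
    "l4_cam_resource": re.compile(r"ACL insufficient L4 CAM resource, using flow-based ACL instead"),
}


def classify_line(line: str) -> Optional[Dict[str, str]]:
    """Return a structured event if the line is an ACL mode-change notification, else None."""
    for reason, pattern in MODE_CHANGE_PATTERNS.items():
        if pattern.search(line):
            # First three fields are the constructed timestamp, the fourth is the host;
            # a real collector will normally have parsed these already.
            fields = line.split(None, 4)
            return {"timestamp": " ".join(fields[:3]), "host": fields[3], "reason": reason}
    return None


def find_mode_changes(syslog_text: str) -> List[Dict[str, str]]:
    """Scan a block of syslog text and collect every fallback-to-flow-based event."""
    events = []
    for line in syslog_text.splitlines():
        event = classify_line(line)
        if event is not None:
            events.append(event)
    return events


if __name__ == "__main__":
    for ev in find_mode_changes(SAMPLE_SYSLOG):
        print(ev)
```

An alert on the dma_l4_cam_limit reason code can point the operator at the CAM entry limit described on page 64, while the other two indicate the device ran out of L4 resources for the configured rules.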
Copying denied traffic to a mirror port for monitoring
Although rule-based ACLs do not support ACL logging, you nonetheless can monitor the traffic
denied by rule-based ACLs. To do so, attach a protocol analyzer to a port and enable the device to
redirect traffic denied by ACLs to that port.
To redirect traffic denied by ACLs, enter the following command at the interface configuration level.
ServerIronADX(config-if-1/1)# ip access-group redirect-deny-to-interf
Syntax: [no] ip access-group redirect-deny-to-interf
Enter the command on the port to which you want the denied traffic to be copied.
NOTE
The software requires that an ACL has already been applied to the interface.
When you enable redirection, the deny action of the ACL entry is still honored. Traffic that matches
the ACL is not forwarded.
Displaying ACL log entries
The first time an entry in an ACL permits or denies a packet and logging is enabled for that entry,
the software generates a syslog message and an SNMP trap. Messages for packets permitted or
denied by ACLs are at the warning level of the syslog.
When the first syslog entry for a packet permitted or denied by an ACL is generated, the software
starts an ACL timer. After this, the software sends syslog messages every one to ten minutes,
depending on the value of the timer interval. If an ACL entry does not permit or deny any packets
during the timer interval, the software does not generate a syslog entry for that ACL entry.
NOTE
For an ACL entry to be eligible to generate a syslog entry for permitted or denied packets, logging
must be enabled for the entry. The syslog contains entries only for the ACL entries that deny packets
and have logging enabled.
To display syslog entries, enter the following command from any CLI prompt.