FastIron Configuration Guide, 53-1002494-02
ACL logging
On IPv4 devices, whether the log entries in an ACL are actually logged on a port is determined
by the logging state of the first port the ACL was bound to, not by the logging state of the port
itself. When an ACL that includes an entry with the log option is applied to a port that has ACL
logging enabled, and the same ACL is then applied to another port on the same device, traffic on
the second port is also logged, whether or not logging is explicitly enabled on that port.
Conversely, when the ACL is first applied to a port that has ACL logging disabled, and the same
ACL is then applied to another port on the same device, traffic on the second port is not logged,
even if logging is explicitly enabled on that port. After rebinding a logging ACL, verify the
effective logging behavior on each port rather than assuming the per-port setting took effect:
a port that silently stops logging loses visibility, and a port that logs unexpectedly adds CPU load.
NOTE
This limitation applies only to IPv4 ACLs; it does not apply when ACLs are used to log IPv6
traffic.
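The first-binding behavior above is easy to get wrong when an ACL is reused across several ports. The following is an added example, not part of the Brocade guide: a small static check, in Python, that reads a FastIron-style running-config and reports ports where the configured acl-logging state and the effective logging state disagree. It assumes a simplified config format (interface e X/Y, acl-logging, ip access-group N in), that the order of interface blocks in the config is the order in which the ACL was applied, and that the rule applies exactly as the guide describes it for IPv4 ACLs. The sample config is constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample running-config (not from the guide). Interface order is
# assumed to be the order in which each ACL was applied to the ports.
# ACL 1 is first bound on e 1/4 (acl-logging on) and later on e 1/5 (off).
# ACL 2 is first bound on e 1/6 (acl-logging off) and later on e 1/7 (on).
SAMPLE_CONFIG = """
access-list 1 deny host 209.157.22.26 log
access-list 1 permit any
access-list 2 deny host 209.157.22.27 log
access-list 2 permit any
interface e 1/4
 acl-logging
 ip access-group 1 in
interface e 1/5
 ip access-group 1 in
interface e 1/6
 ip access-group 2 in
interface e 1/7
 acl-logging
 ip access-group 2 in
"""


@dataclass
class Binding:
    port: str
    acl: str
    port_logging: bool               # acl-logging configured on this port
    effective_logging: bool = False  # what the device will actually do


def parse_config(config: str):
    """Return (set of ACLs that contain a log entry, bindings in config order)."""
    acls_with_log = set()
    bindings = []
    block_port, block_logging, block_acls = None, False, []

    def flush():
        for acl in block_acls:
            bindings.append(Binding(block_port, acl, block_logging))

    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"access-list\s+(\S+)\s+(?:deny|permit)\b.*\blog$", line, re.I)
        if m:
            acls_with_log.add(m.group(1))
            continue
        m = re.match(r"interface\s+(.+)$", line, re.I)
        if m:
            flush()
            block_port, block_logging, block_acls = m.group(1).strip(), False, []
            continue
        if line.lower() == "acl-logging":   # CLI is case-insensitive
            block_logging = True
            continue
        m = re.match(r"ip\s+access-group\s+(\S+)\s+in$", line, re.I)
        if m and block_port is not None:
            block_acls.append(m.group(1))
    flush()
    return acls_with_log, bindings


def apply_first_binding_rule(acls_with_log, bindings):
    """Per the guide: for an IPv4 ACL with log entries, logging on every port
    follows the logging state of the first port the ACL was bound to."""
    first_state = {}
    for b in bindings:
        state = first_state.setdefault(b.acl, b.port_logging)
        b.effective_logging = state and b.acl in acls_with_log
    return bindings


def find_mismatches(config: str):
    """Bindings of logging ACLs whose effective state differs from the port setting."""
    acls_with_log, bindings = parse_config(config)
    return [b for b in apply_first_binding_rule(acls_with_log, bindings)
            if b.acl in acls_with_log and b.port_logging != b.effective_logging]


if __name__ == "__main__":
    for b in find_mismatches(SAMPLE_CONFIG):
        verdict = ("logs although acl-logging is off" if b.effective_logging
                   else "does NOT log although acl-logging is on")
        print(f"{b.port} acl {b.acl}: {verdict}")
```

Running the check on the sample flags e 1/5 (logging ACL 1 although acl-logging is off, adding CPU load) and e 1/7 (not logging ACL 2 although acl-logging is on, losing visibility). The check is only meaningful for IPv4 ACLs, since the guide states the limitation does not apply to IPv6 logging.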
When ACL logging is enabled on FastIron WS, Brocade FCX Series and ICX devices, packets
sent to the CPU are automatically rate limited to prevent CPU overload.
When ACL logging is enabled on FastIron X Series devices, Brocade recommends that you
configure a traffic conditioner, then link the ACL to the traffic conditioner to prevent CPU
overload. For example:
Brocade(config)#traffic-policy TPD1 rate-limit fixed 100 exceed-action drop
Brocade(config)#access-list 101 deny ip host 210.10.12.2 any traffic-policy TPD1 log
ACL logging is intended for debugging purposes. Brocade recommends that you disable ACL
logging after the debug session is over.
Configuration tasks for ACL logging
To enable ACL logging, complete the following steps:
1. Create ACL entries with the log option
2. Enable ACL logging on individual ports
NOTE
The command syntax for enabling ACL logging differs between IPv4 devices and IPv6 devices.
See the configuration examples in the next section.
3. Bind the ACLs to the ports on which ACL logging is enabled
Example ACL logging configuration
The following shows an example ACL logging configuration on an IPv4 device.
Brocade(config)#access-list 1 deny host 209.157.22.26 log
Brocade(config)#access-list 1 deny 209.157.29.12 log
Brocade(config)#access-list 1 deny host IPHost1 log
Brocade(config)#access-list 1 permit any
Brocade(config)#interface e 1/4
Brocade(config-if-e1000-1/4)#ACL-logging
Brocade(config-if-e1000-1/4)#ip access-group 1 in
The above commands create ACL entries that include the log option, enable ACL logging on
interface e 1/4, then bind the ACL to interface e 1/4. Statistics for packets that match the deny
statements will be logged.