384 Enterasys X-Pedition User Reference Manual
Enabling ACL Logging
To see whether incoming packets are permitted or denied because of an ACL, enable ACL logging.
You can enable logging when applying the ACL or you can enable logging for a specific ACL rule.
The following commands define an ACL and apply the ACL to an interface, with logging enabled for the ACL:

    acl 101 deny ip 10.2.0.0/16 any any any
    acl 101 permit ip any any any any
    acl 101 apply interface int1 input logging on

With ACL logging turned on, the router prints a message on the console to indicate whether a packet was dropped or forwarded. If you have a Syslog server configured for the XP, the same information will also be sent to the Syslog server. The following commands define an ACL and apply the ACL to an interface. In this case, logging is enabled for a specific ACL rule:

    acl 101 deny ip 10.2.0.0/16 any any any log
    acl 101 permit ip any any any any
    acl 101 apply interface int1 input

For the above commands, the router prints out messages on the console only when packets that come from subnet 10.2.0.0/16 on interface ‘int1’ are dropped.

Note: When logging is enabled on a per-rule basis, you do not need to specify the logging on option when applying the ACL to an interface. With per-rule logging enabled, only the logging off option has an effect when the ACL is applied; this option turns off all ACL logging.

When applying an ACL to an interface, you may also specify the following logging options:

deny-only      Only packets denied by this ACL will be logged.
deny-syslog    Only packets denied by this ACL will be logged, and messages will be sent only to a syslog server (if configured), and not to the console.
permit-only    Only packets permitted by this ACL will be logged.
permit-syslog  Only packets permitted by this ACL will be logged, and messages will be sent only to a syslog server (if configured), and not to the console.
on-syslog      All ACL events (permitted and denied packets) will be logged, with messages only being sent to a syslog server (if configured), and not to the console.

Under normal circumstances, when an ACL denies a particular traffic pattern, only the first packet denied will be reported. Subsequent packets that are similar to the first packet will be dropped by the hardware with no reporting. In situations where it is necessary to see exactly how much traffic has been denied, you may use the report-denied configuration option. The report-denied option can be specified when applying an ACL to either an interface or a port. This option has two sub-options:
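As an added example (not from the Enterasys manual and not XP firmware code), the following Python script models the logging semantics described above: it renders ACL and apply lines in the syntax shown on the page, predicts for a given rule and apply-level logging keyword whether a report goes to the console, to syslog, or nowhere, and models the default first-packet-only reporting of denied traffic. Two assumptions are built in and labelled in the code: when any rule carries the per-rule `log` keyword, the apply-level keyword is ignored unless it is `off` (the reading of the note above), and "similar" denied packets are treated as those sharing the same source and destination. The `DeniedFlowTracker` class and all function names are hypothetical.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Apply-level logging keywords listed on the page for "acl <n> apply ... logging <opt>".
APPLY_OPTIONS = {"on", "off", "deny-only", "deny-syslog",
                 "permit-only", "permit-syslog", "on-syslog"}


@dataclass
class Rule:
    action: str          # "permit" or "deny"
    src: str = "any"     # source prefix, e.g. "10.2.0.0/16"
    dst: str = "any"
    sport: str = "any"
    dport: str = "any"
    log: bool = False    # per-rule "log" keyword


@dataclass
class Acl:
    number: int
    rules: List[Rule] = field(default_factory=list)

    def render(self) -> List[str]:
        """Emit the ACL rule lines in the syntax shown on the page."""
        lines = []
        for r in self.rules:
            line = f"acl {self.number} {r.action} ip {r.src} {r.dst} {r.sport} {r.dport}"
            if r.log:
                line += " log"
            lines.append(line)
        return lines

    def has_per_rule_logging(self) -> bool:
        return any(r.log for r in self.rules)


def render_apply(acl: Acl, interface: str, logging: Optional[str] = None) -> str:
    """Emit the apply line; reject logging keywords the manual does not list."""
    if logging is not None and logging not in APPLY_OPTIONS:
        raise ValueError(f"unknown logging option: {logging}")
    line = f"acl {acl.number} apply interface {interface} input"
    if logging is not None:
        line += f" logging {logging}"
    return line


def log_destinations(rule: Rule, acl: Acl, logging: Optional[str],
                     syslog_configured: bool) -> Set[str]:
    """Predict where a packet matched by `rule` is reported, as a subset of
    {"console", "syslog"}. Assumption: if any rule has per-rule "log", the
    apply-level keyword has no effect unless it is "off" (per the note)."""
    if logging == "off":
        return set()
    if acl.has_per_rule_logging():
        wanted, syslog_only = rule.log, False
    elif logging is None:
        return set()          # no logging requested anywhere
    else:
        wanted, syslog_only = {
            "on": (True, False),
            "on-syslog": (True, True),
            "deny-only": (rule.action == "deny", False),
            "deny-syslog": (rule.action == "deny", True),
            "permit-only": (rule.action == "permit", False),
            "permit-syslog": (rule.action == "permit", True),
        }[logging]
    if not wanted:
        return set()
    dests: Set[str] = set()
    if not syslog_only:
        dests.add("console")
    if syslog_configured:     # the syslog copy only exists if a server is configured
        dests.add("syslog")
    return dests


class DeniedFlowTracker:
    """Model of the default behaviour (no report-denied): only the first denied
    packet of a traffic pattern is reported, later ones are dropped in hardware
    without a report. Assumption: "similar" packets share (src, dst)."""

    def __init__(self) -> None:
        self.counts: Dict[Tuple[str, str], int] = {}

    def observe(self, src: str, dst: str) -> bool:
        """Record a denied packet; return True only if it would be reported."""
        key = (src, dst)
        self.counts[key] = self.counts.get(key, 0) + 1
        return self.counts[key] == 1


if __name__ == "__main__":
    acl = Acl(101, [Rule("deny", "10.2.0.0/16", log=True), Rule("permit")])
    for line in acl.render() + [render_apply(acl, "int1")]:
        print(line)
    tracker = DeniedFlowTracker()
    reported = sum(tracker.observe("10.2.1.5", "192.0.2.9") for _ in range(5))
    print(f"5 denied packets, {reported} reported, "
          f"{tracker.counts[('10.2.1.5', '192.0.2.9')]} counted")
```

The `DeniedFlowTracker` output shows why console or syslog message counts understate the amount of denied traffic under the default behaviour, which is the reason the manual offers report-denied when volume matters; the `log_destinations` cases for `deny-syslog` and `on-syslog` with no syslog server configured return nothing, which is the silent outcome to check for when a syslog-only option is chosen.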