Mauro Furini
Frequent Advisor

acl deny & log

Hi all,
recently I have configured ACLs on two 6200yl with a "deny ip any any log" at the end. They work fine, except for the log.
I cannot see any ACL log statement in any of the logging destinations (buffer, session and syslog server). I tried to enable other logs (vrrp, lldp, security) and every one of them reports some messages.
I checked the statistics of the ACL deny and I have a lot of packets matching the deny rule...
Any ideas?
Thanks in advance.
7 REPLIES
Antonio Milanese
Trusted Contributor

Re: acl deny & log

Hi Mauro,

you need to enable:

debug acl

yes, even if it's an _explicit_ deny.
Check the section "Enable ACL "Deny" Logging" of the manual for the other details (e.g. timers).

Regards,
Antonio
Mauro Furini
Frequent Advisor

Re: acl deny & log

Hi Antonio,
thanks for the reply. Debugging was already enabled; here is the show debug:

UGFNAS091# sh debug

Debug Logging

Source IP Selection: Outgoing Interface
Destination:
Memory buffer

Enabled debug types:
acl log

I have tried the vrrp and lldp logs, and they work fine to the buffer, the syslog and the session too. Only the ACL log seems not to work.
In the manual a probable cause for this points to too many logs at the same time from different ACLs, but I'm sure that is not my case :D
Mauro Furini
Frequent Advisor

Re: acl deny & log

For everyone's benefit:
with the K_15_02_000 firmware version, the logging of the ACL works correctly.
Ten points for me :)
Mauro Furini
Frequent Advisor

Re: acl deny & log

Just so as not to open another thread: the ACL log works, but I always get the "summarized" lines, like this:

0000:00:36:53.91 ACL mIpAclCtrl:01/03/11 14:11:03 : VLAN ACL 111 seq#999 denied
108 packets
0000:00:36:53.91 ACL mIpAclCtrl:01/03/11 14:11:03 : VLAN ACL 121 seq#999 denied
4 packets
0000:00:36:53.91 ACL mIpAclCtrl:01/03/11 14:11:03 : VLAN ACL 122 seq#999 denied
4 packets
0000:00:41:55.73 ACL mIpAclCtrl:01/03/11 14:16:05 : VLAN ACL 101 seq#999 denied
84 packets
0000:00:41:55.73 ACL mIpAclCtrl:01/03/11 14:16:05 : VLAN ACL 111 seq#999 denied
48 packets
0000:00:41:55.73 ACL mIpAclCtrl:01/03/11 14:16:05 : VLAN ACL 122 seq#999 denied
4 packets
0000:00:46:59.51 ACL mIpAclCtrl:01/03/11 14:21:09 : VLAN ACL 101 seq#999 denied
96 packets
0000:00:46:59.51 ACL mIpAclCtrl:01/03/11 14:21:09 : VLAN ACL 111 seq#999 denied

Does anyone know how I can see the detailed traffic with source/destination IP?
Antonio Milanese
Trusted Contributor

Re: acl deny & log

Hello,

strange; try to start over and reconfigure logging from scratch:

logging syslog_ip
logging facility syslog
debug destination logging
debug destination session
debug acl

and lower the consolidation timer:

access-list logtimer 30

This SHOULD work; at least it works for me =)

Regards,

Antonio
Antonio Milanese
Trusted Contributor
Solution

Re: acl deny & log

Oops,

I've only now read your post =)

Nope, this is how "deny acl" logging works on ProCurve:
there is a wait timer before the switch sends the log to the destination. Between intervals every match is "consolidated" as a hit count per ACL entry.

If you are trying to use logging as a (near) realtime source for SEM/SIEM correlation, anomaly detection, etc., you are out of luck, sorry.

Regards,

Antonio
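Since the switch only ever emits one consolidated hit count per ACL entry per logtimer interval, the useful thing to do on the collector side is to parse those summary lines and watch the per-interval counts rather than expect per-packet events. The parser below is an added example written for this thread (not code from the thread, HP, or the switch firmware); the sample lines are constructed to mirror the output posted above, with the packet count either wrapped onto the next line, as it appears in the post, or on the same line. The totals and threshold helpers are assumptions about how one might feed these counts into monitoring.

```python
import re
from collections import defaultdict

# Consolidated "deny ... log" summary line, as shown in the thread; the packet
# count may follow on the same line or be wrapped onto the next one.
ACL_LINE = re.compile(
    r"^(?P<uptime>\d{4}:\d{2}:\d{2}:\d{2}\.\d{2}) ACL mIpAclCtrl:"
    r"(?P<date>\d{2}/\d{2}/\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) : "
    r"VLAN ACL (?P<acl>\d+) seq#(?P<seq>\d+) denied(?: (?P<pkts>\d+) packets)?$"
)
PKTS_LINE = re.compile(r"^(?P<pkts>\d+) packets$")

# Constructed sample, mirroring the format of the lines posted in the thread.
SAMPLE = """\
0000:00:36:53.91 ACL mIpAclCtrl:01/03/11 14:11:03 : VLAN ACL 111 seq#999 denied
108 packets
0000:00:36:53.91 ACL mIpAclCtrl:01/03/11 14:11:03 : VLAN ACL 121 seq#999 denied
4 packets
0000:00:41:55.73 ACL mIpAclCtrl:01/03/11 14:16:05 : VLAN ACL 111 seq#999 denied 48 packets
0000:00:41:55.73 ACL mIpAclCtrl:01/03/11 14:16:05 : VLAN ACL 101 seq#999 denied
84 packets
"""

def parse_acl_log(text):
    """Return (timestamp, acl, seq, packets) tuples, one per consolidated interval.
    A summary line whose count never arrives (e.g. a truncated buffer) gets 0."""
    records, pending = [], None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        m = ACL_LINE.match(line)
        if m:
            if pending is not None:
                records.append(pending + (0,))
            head = (f"{m['date']} {m['time']}", int(m['acl']), int(m['seq']))
            if m['pkts'] is not None:
                records.append(head + (int(m['pkts']),))
                pending = None
            else:
                pending = head          # wait for the wrapped "N packets" line
            continue
        p = PKTS_LINE.match(line)
        if p and pending is not None:
            records.append(pending + (int(p['pkts']),))
            pending = None
    if pending is not None:
        records.append(pending + (0,))
    return records

def totals_per_acl(records):
    """Sum of denied packets per ACL across all intervals (hypothetical helper)."""
    totals = defaultdict(int)
    for _, acl, _, pkts in records:
        totals[acl] += pkts
    return dict(totals)

def intervals_exceeding(records, threshold):
    """(timestamp, acl, packets) for intervals whose hit count exceeds threshold."""
    return [(ts, acl, pkts) for ts, acl, _, pkts in records if pkts > threshold]
```

With the sample above, `totals_per_acl` gives 156 packets for ACL 111 and `intervals_exceeding(..., 50)` flags the 14:11:03 and 14:16:05 intervals; the detection granularity is the `access-list logtimer` value, not individual packets.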
Mauro Furini
Frequent Advisor

Re: acl deny & log

Very useful for the troubleshooting!
:-(
Thanks