
Re: Syslog deny ACL on 5406zl ?

 
Laurent L.
Occasional Contributor

Syslog deny ACL on 5406zl ?

Hello,

We have a 5406zl routing traffic between VLANs, and have applied an ACL on a particular VLAN to allow only a few TCP services to enter this VLAN. So the last ACE in the ACL is "deny ip any any".

I'd like to record all "denied traffic" in a remote syslog, and I'm really surprised that the 5406zl only permits this in "debug mode", with just one log entry recorded every 5 minutes. So my question: have I missed something? And if not, how do you guys do this? Is mirroring a port to a remote Linux box my only "not expensive" solution?

Thanks,
Laurent.
Bruce Campbell_3
Valued Contributor

Re: Syslog deny ACL on 5406zl ?


I think you need to add your own:

deny ip any any log

instead of relying on the implicit
"deny ip any any" which doesn't have the
"log".


Bruce Campbell
Director, Network Services
Information Systems and Technology
MC 1018
(519)888-4567 x38323
University of Waterloo, Waterloo, ON
Laurent L.
Occasional Contributor

Re: Syslog deny ACL on 5406zl ?

Of course I had a "log" on the "deny ip any any". Anyway, this "log" keyword only works in debug mode (#debug acl) and notifies on a packet every 5 minutes...
Kevin Richter_1
Valued Contributor

Re: Syslog deny ACL on 5406zl ?

The "5 minute summaries" are expected operation. There is a very clear write-up on page 10-114 of the Access Security Guide (here is a direct link to Chapter 10, where this section is found: http://cdn.procurve.com/training/Manuals/3500-5400-6200-8200-ASG-Jan08-10-ACLs.pdf)

"The first time a packet matches an ACE with deny and log configured, the message is sent immediately to the destination and the switch starts a wait-period of approximately five minutes. ... At the end of the collection period, the switch sends a single-line summary of any additional "deny" matches for that ACE (and any other "deny" ACEs for which the switch detected a match). If no further log messages are generated in the wait-period, the switch suspends the timer and resets itself to send a message as soon as a new "deny" match occurs."
Check the cabling. Next, check the cabling again.
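To make the quoted wait-period behaviour concrete, here is an added Python model of it (not code from the thread or from HP); it assumes a fixed 300-second period, a constructed ACE name and made-up addresses, and shows how many syslog lines a burst of denied packets actually produces.

```python
from collections import Counter

WAIT_PERIOD = 300  # seconds; the guide only says "approximately five minutes"


class DenyLogThrottle:
    """Model of the deny-log wait period described in the ACL guide."""

    def __init__(self, wait_period=WAIT_PERIOD):
        self.wait = wait_period
        self.window_end = None    # None means the timer is suspended
        self.pending = Counter()  # additional deny matches per ACE in the window
        self.messages = []        # (timestamp, text) the switch would send to syslog

    def _close_elapsed_windows(self, now):
        # Every collection period that ended before `now` either emits a
        # one-line summary (and starts another period) or suspends the timer.
        while self.window_end is not None and now >= self.window_end:
            if self.pending:
                detail = ", ".join(f"{ace} x{n}" for ace, n in sorted(self.pending.items()))
                self.messages.append((self.window_end, f"ACL deny summary: {detail}"))
                self.pending = Counter()
                self.window_end += self.wait
            else:
                self.window_end = None

    def deny_match(self, now, ace, src, dst):
        """Record one packet hitting a 'deny ... log' ACE at time `now` (seconds)."""
        self._close_elapsed_windows(now)
        if self.window_end is None:
            # First match while the timer is suspended: logged immediately.
            self.messages.append((now, f"ACL {ace} denied {src} -> {dst}"))
            self.window_end = now + self.wait
        else:
            self.pending[ace] += 1  # only counted, reported in the summary line

    def messages_until(self, now):
        self._close_elapsed_windows(now)
        return list(self.messages)


def example():
    # Constructed scenario: 50 blocked connection attempts in 50 seconds,
    # silence, then one more attempt 700 s in. ACE text and addresses are made up.
    t = DenyLogThrottle()
    for i in range(50):
        t.deny_match(i, "deny ip any any", "10.0.1.23", f"10.0.2.5:{1000 + i}")
    t.deny_match(700, "deny ip any any", "10.0.1.23", "10.0.2.5:443")
    return t.messages_until(1000)


if __name__ == "__main__":
    for ts, text in example():
        print(f"t={ts:4d}s  {text}")
```

The 51 denied packets come out as three syslog lines: the first hit, one summary at the end of the period, and the later hit logged immediately because the timer had been suspended by then.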
Matt Hobbs
Honored Contributor

Re: Syslog deny ACL on 5406zl ?

It is a limitation; I'm not sure of the reason, but I suspect it was put in place in order not to overload the CPU of the switch under heavy deny matches. I don't quite see the logic, because I could do a permit any any log and it wouldn't complain (although I haven't tried this).

I've also been hoping for this feature for some time now. More and more logging requirements are required these days.
Matt Hobbs
Honored Contributor

Re: Syslog deny ACL on 5406zl ?

Actually I wanted 'log' on permit entries. If I could even get the one every 5 minutes I'd be happy with that for now.