topic RE: ACL not logging? in ExtremeSwitching (EXOS/Switch Engine)

ACL not logging?

Anonymous — Mon, 24 Aug 2015 12:58:00 GMT

Have created a Policy file that has a explicit deny at the end. When I apply it traffic is being blocked that I don't wont.

In order to workout whats wrong I have changed the deny to permit, and added a log, mirror-cpu and count.

The count is increasing at a good rate but nothing is logging, but I can't see anything wrong with my configuration - The Vlan 'Accounts' uses subnet 10.10.10.0/24. I believe I could write the deny differently but omitting the source-address field or changing it to 0.0.0.0/0, but it makes no odds as the count is going up so something should be logging?

entry deny {
if {
source-address 10.10.10.0/24;
} then {
permit;
mirror-cpu;
log;
count dey;
}
}

configure log filter DefaultFilter add event kern.infoconfigure access-list Policy_Filename port 1:8 ingress

or

configure access-list Policy_Filename vlan Accounts ingressI have checked logging is on and working and set from the lowest level of 'warning'.

EXOS version 15.3.1.4 patch 1-3.

Switch: X460-48t

Any idea's what I might be doing wrong?

Thanks in advance

RE: ACL not logging?

Prashanth_KG — Mon, 24 Aug 2015 14:18:00 GMT

Hi Martin,

Only the packets that are hitting the CPU can be logged with the ACL modifier.

Snippet from the concepts guide under the ACL section.

Packets are logged only when they go to the CPU, so packets in the fastpath are not automaticallylogged. You must use both the mirror-cpu action modifier and the log or log-raw action modifier if you
want to log both slowpath and fastpath packets that match the ACL rule entry. Additionally, Kern.Info
messages (or Kern.Card.Info on SummitStack) are not logged by default. You must configure an EMS
filter to log these messages, for example, configure log filter DefaultFilter add
event kern.info. See the Status Monitoring and Statistics chapter for information about
configuring EMS.

So, if you want to see the packet which is getting denied, please try adding the mirror-cpu action modifier and then check! Hope this helps!

RE: ACL not logging?

Anonymous — Mon, 24 Aug 2015 14:43:00 GMT

Thanks for replying and excuse me if I have mis-understood, but I'm still not clear what I have done wrong? From what I can tell I am already doing all you have mentioned in the configuration supplied?

Are you able to give an example or detail exactly what I am missing?

Many thanks.

RE: ACL not logging?

Prashanth_KG — Mon, 24 Aug 2015 14:51:00 GMT

Hi Martin,

Thank you for the quick response. I overlooked the mirror-cpu action in your acl. Sorry about that.

Can you collect the following outputs:

show log counters kern occurred.
show configuration ems.

Thanks

RE: ACL not logging?

Anonymous — Mon, 24 Aug 2015 15:02:00 GMT

Ok, worked out the problem after you gave those commands. I noticed the entry for Kern was showing 'N' even though I had added it to the DefaultFilter.

The answer was that it should be kern.card.info, so the inclusion should be

configure log filter DefaultFilter add event kern.card.infoSo problem solved. Thanks very much for you help!

RE: ACL not logging?

Prashanth_KG — Mon, 24 Aug 2015 15:16:00 GMT

Great! Suspected the same. Thanks for verifying and letting us know!!

RE: ACL not logging?

StephenW — Mon, 24 Aug 2015 23:54:00 GMT

Martin,

We had a KCS article, but it wasn't external facing yet so you would have never found it. I pushed it out the the public to help others in the future. Sorry for your troubles.

https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-Capture-received-packets-using-an-A...

Thanks,

Stephen