ACL not logging?
Anonymous
‎08-24-2015 05:58 AM
I have created a policy file that has an explicit deny at the end. When I apply it, traffic is being blocked that I don't want.
In order to work out what's wrong I have changed the deny to permit, and added a log, mirror-cpu and count.
The count is increasing at a good rate but nothing is logging, and I can't see anything wrong with my configuration. The VLAN 'Accounts' uses subnet 10.10.10.0/24. I believe I could write the deny differently by omitting the source-address field or changing it to 0.0.0.0/0, but it makes no odds, as the count is going up so something should be logging?
entry deny {
    if {
        source-address 10.10.10.0/24;
    } then {
        permit;
        mirror-cpu;
        log;
        count dey;
    }
}

configure log filter DefaultFilter add event kern.info
configure access-list Policy_Filename port 1:8 ingress
or
configure access-list Policy_Filename vlan Accounts ingress

I have checked logging is on and working and set from the lowest level of 'warning'.
EXOS version 15.3.1.4 patch 1-3.
Switch: X460-48t
Any ideas what I might be doing wrong?
Thanks in advance
Anonymous
‎08-24-2015 07:43 AM
Thanks for replying, and excuse me if I have misunderstood, but I'm still not clear what I have done wrong. From what I can tell I am already doing all you have mentioned in the configuration supplied.
Are you able to give an example or detail exactly what I am missing?
Many thanks.
‎08-24-2015 07:18 AM
Hi Martin,
Only the packets that are hitting the CPU can be logged with the ACL log modifier.
Snippet from the Concepts Guide, ACL section:
Packets are logged only when they go to the CPU, so packets in the fastpath are not automatically logged. You must use both the mirror-cpu action modifier and the log or log-raw action modifier if you want to log both slowpath and fastpath packets that match the ACL rule entry. Additionally, Kern.Info messages (or Kern.Card.Info on SummitStack) are not logged by default. You must configure an EMS filter to log these messages, for example, configure log filter DefaultFilter add event kern.info. See the Status Monitoring and Statistics chapter for information about configuring EMS.
So, if you want to see the packets which are getting denied, please try adding the mirror-cpu action modifier and then check. Hope this helps!
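As an added example (not from the original post, the reply, or Extreme's documentation), here are the policy and CLI steps from this thread assembled into the logged-deny form the original poster was after, so the deny can be kept while every matching packet is both counted and logged. The VLAN name Accounts, the subnet 10.10.10.0/24 and the policy name Policy_Filename come from the thread; the entry and counter names are my own, and the EMS keyword is written as events, which is the form the EXOS command reference uses (the thread writes it as event).

```text
# Policy_Filename.pol (stored in /config on the switch)
# A deny that is counted and logged. mirror-cpu sends a copy of each
# fast-path match to the CPU, which is the only place the log modifier acts;
# without it only slow-path packets would ever produce a log line.
entry deny_accounts {
    if {
        source-address 10.10.10.0/24;
    } then {
        deny;
        mirror-cpu;
        log;
        count deny_accounts;
    }
}

# CLI, in order:
check policy Policy_Filename
configure access-list Policy_Filename vlan Accounts ingress
# kern.info events are not logged by default; add them to the default EMS filter
configure log filter DefaultFilter add events kern.info
# verify: the counter and the log should now move together
show access-list counter
show log
```

If the counter climbs but show log still stays empty, check the log target with show log configuration: the poster set logging to 'warning', and Info sits below Warning in the EMS severity order, so a target restricted to Warning and above would drop the kern.info entries the filter now passes.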
