
I cannot see the ACL counter event in the switch log


Dgavin
New Contributor
When creating an ACL that allows traffic from two MACs and denies connecting another MAC, I do not see an event in the log when the created counter is applied.
The event counter goes up but I don't see information in the log.
The PC generates ARP broadcast traffic and every fifteen minutes in the log filter <Info:Kern.Card.Info> I see the line:

<Info:Kern.Card.Info> Slot-1: 64-byte packet from 1:2 (vlanId=xxxx) matches rule deny-other-mac: 00:xx:xx:xx:xx:xx -> 01:80:c2:00:00:0e EtherType: 0x88cc

The counter goes up every second, with no event in the log.
What log filter would I have to configure?
Sorry for my English. Thank you.


BrandonC
Extreme Employee

If you're seeing the Kern.Card.Info logs some of the time, you've got your logging config correct. I suspect the issue may be the fact that packets need to be sent to the switch CPU in order to be logged. ARP traffic makes it there by default (since it is broadcast), but unicast traffic ordinarily will not be lifted to the CPU. If you want to log all traffic denied by this ACL, you will need to add a mirror-cpu action modifier to the ACL entry.

However, be careful with this as it can lead to a lot of traffic being sent to CPU if there is a large amount of traffic hitting the ACL rule in question.

The KB article linked below goes into a bit more detail about the log action in ACLs.
https://extreme-networks.my.site.com/ExtrArticleDetail?an=000079892

 

Thank you very much. In the end, as you indicate, what I did was use "copy-cpu-and-drop" in the ACL, also adding the UDP protocol so as not to forward all the traffic once the MAC was detected.

Thank you very much again!
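
The ACL discussed in this thread, written out as an added example (not taken from either poster's configuration): a constructed ExtremeXOS policy file showing the deny entry with `log` alone, then with the `mirror-cpu` modifier from the reply. The MAC addresses, the permit entry names and the counter name `denied-mac` are assumptions; `deny-other-mac` is the rule name from the logged line.

```text
# Constructed example policy file; MAC addresses are documentation values.
entry permit-mac-1 {
    if {
        ethernet-source-address 00:00:5e:00:53:01;
    } then {
        permit;
    }
}

entry permit-mac-2 {
    if {
        ethernet-source-address 00:00:5e:00:53:02;
    } then {
        permit;
    }
}

# Before: the counter increments for every denied packet, but "log" only
# produces a Kern.Card.Info line for packets that already reach the CPU
# (for example the frame sent to 01:80:c2:00:00:0e in the question).
# entry deny-other-mac {
#     if {
#     } then {
#         deny;
#         count denied-mac;
#         log;
#     }
# }

# After: mirror-cpu lifts a copy of each matching packet to the CPU so the
# log action can report it. Every packet hitting this entry now costs CPU.
entry deny-other-mac {
    if {
    } then {
        deny;
        count denied-mac;
        log;
        mirror-cpu;
    }
}
```

The original poster used `copy-cpu-and-drop` in place of this modifier and added a UDP protocol match, which narrows what is sent to the CPU. Compare the counter rate with the log rate after the change to confirm the CPU is not being flooded.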
