ServerIron ADX Security Guide
12.0.00
June 10, 2009




ACL Logging
You may want the software to log entries for ACLs in the syslog. This section presents how logging is processed by flow-based and rule-based ACLs.
ACL Logging for Flow-Based ACLs
ACL logging is disabled by default for flow-based ACLs. However, when you configure an ACL entry, you can enable logging for that entry by adding the log parameter to the end of the CLI command for the entry.
When you enable logging for an ACL entry, statistics for packets that match the permit or deny conditions of the ACL entry are logged. For example, if you configure a standard ACL entry to deny all packets from source address 209.157.22.26, statistics for packets that are explicitly denied by the ACL entry are logged in the Brocade device’s Syslog buffer and in SNMP traps sent by the device.
The first time an ACL entry permits or denies a packet, the software immediately generates a Syslog entry and SNMP trap. The software also starts a five-minute timer. The timer keeps track of all packets explicitly denied by the ACL entries. After five minutes, the software generates a single Syslog entry for each ACL entry that has denied a packet. The message indicates the number of packets denied by the ACL entry during the previous five minutes.
If no ACL entries explicitly permit or deny packets during an entire five-minute timer interval, the timer stops. The timer restarts when an ACL entry explicitly permits or denies a packet.
NOTE: The timer for logging packets denied by Layer 2 filters is separate.
The software generates log entries only when packets are explicitly permitted or explicitly denied by ACLs. The software does not generate log entries for implicitly permitted or denied entries. Depending on how many entries have the log option and how often packets match those entries, ACL performance can be affected. Use the log option only when needed.
Configuring the Layer 4 Session Log Timer
You can configure the Layer 4 session log timer, which is used for keeping track of packets explicitly denied by an ACL.
When you enable logging for an ACL entry, statistics for packets that match the permit or deny conditions of the ACL entry are logged in the Brocade device’s Syslog buffer and in SNMP traps sent by the device. The first time an ACL entry permits or denies a packet, the software immediately generates a Syslog entry and SNMP trap. The software also starts the Layer 4 session log timer. The timer keeps track of all packets explicitly denied by the ACL entries. When the timer expires, the software generates a single Syslog entry for each ACL entry that has denied a packet. The message indicates the number of packets denied by the ACL entry from the time that the timer was started. If no ACL entries explicitly permit or deny packets during an entire timer interval, the timer stops. The timer restarts when an ACL entry explicitly permits or denies a packet.
To store information about denied packets during the timer interval, the device makes entries in its Layer 4 session table. If a large number of packets are denied by the ACL during the timer interval, it can consume a large portion of the device’s Layer 4 resources.
For example, to set the timer interval to 2 minutes, enter the following command:
ServerIron(config)# ip access-list logging-age 2
Syntax: ip access-list logging-age <minutes>
You can set the timer to between 1 and 10 minutes. The default is 5 minutes.
ACL Logging for Rule-Based ACLs
Rule-based ACLs do not support the log option. Even when rule-based ACLs are enabled, if an ACL entry has the log option, traffic that matches that ACL is sent to the CPU for processing. Depending on how many entries have the log option and how often packets match those entries, ACL performance can be affected.
If your configuration already contains ACLs that you want to use with rule-based ACLs, but some of the ACLs contain the log option, the software changes the ACL mode to flow-based for the traffic flows that match the ACL. Changing the mode to flow-based enables the device to send the matching flows to the CPU for processing. This is required because the CPU is needed to generate the Syslog message.
You can globally disable ACL logging without the need to remove the log option from each ACL entry. When you globally disable ACL logging, the ACL entries remain unchanged but the log option is ignored and the ACL can use the rule-based ACL mode. This enables you to use the ACLs in the rule-based ACL mode. You also can configure the device to copy traffic that is denied by a rule-based ACL to an interface. This option allows you to monitor the denied traffic without sending the traffic to the CPU.
To globally disable ACL logging, enter the following command at the global CONFIG level of the CLI:
ServerIron(config)# ip access-list disable-log-to-cpu
Syntax: [no] ip access-list disable-log-to-cpu
To re-enable ACL logging, enter the following command:
ServerIron(config)# no ip access-list disable-log-to-cpu
Syslog Message for Changed ACL Mode
If the device changes the ACL mode from rule-based to flow-based, the device generates one of the following Syslog notification messages:
Copying Denied Traffic to a Mirror Port for Monitoring
Although rule-based ACLs do not support ACL logging, you can nonetheless monitor the traffic denied by rule-based ACLs. To do so, attach a protocol analyzer to a port and enable the device to redirect traffic denied by ACLs to that port.
To redirect traffic denied by ACLs, enter the following command at the interface configuration level:
ServerIron(config-if-1/1)# ip access-group redirect-deny-to-interf
Syntax: [no] ip access-group redirect-deny-to-interf
Enter the command on the port to which you want the denied traffic to be copied.
NOTE: The software requires that an ACL has already been applied to the interface.
When you enable redirection, the deny action of the ACL entry is still honored. Traffic that matches the ACL is not forwarded.
Displaying ACL Log Entries
The first time an entry in an ACL permits or denies a packet and logging is enabled for that entry, the software generates a Syslog message and an SNMP trap. Messages for packets permitted or denied by ACLs are at the warning level of the Syslog.
When the first Syslog entry for a packet permitted or denied by an ACL is generated, the software starts an ACL timer. After this, the software sends Syslog messages every one to ten minutes, depending on the value of the timer interval. If an ACL entry does not permit or deny any packets during the timer interval, the software does not generate a Syslog entry for that ACL entry. For more information about the timer, see “Configuring the Layer 4 Session Log Timer”.
NOTE: For an ACL entry to be eligible to generate a Syslog entry for permitted or denied packets, logging must be enabled for the entry. The Syslog contains entries only for the ACL entries that deny packets and have logging enabled.
To display Syslog entries, enter the following command from any CLI prompt:
In this example, the two-line message at the bottom is the first entry, which the software immediately generates the first time an ACL entry permits or denies a packet. In this case, an entry in ACL 101 denied a packet. The packet was a TCP packet from host 209.157.22.198 and was destined for TCP port 80 (HTTP) on host 198.99.4.69.
When the software places the first entry in the log, the software also starts the five-minute timer for subsequent log entries. Thus, five minutes after the first log entry, the software generates another log entry and SNMP trap for denied packets.
In this example, the software generates the second log entry five minutes later.
The time stamp for the third entry is much later than the time stamps for the first two entries. In this case, no ACLs denied packets for a very long time. In fact, since no ACLs denied packets during the five-minute interval following the second entry, the software stopped the ACL log timer. The software generated the third entry as soon as the ACL denied a packet. The software restarted the five-minute ACL log timer at the same time. As long as at least one ACL entry permits or denies a packet, the timer continues to generate new log entries and SNMP traps every five minutes.
You can also configure the maximum number of ACL-related log entries that can be added to the system log over a one-minute period. For example, to limit the device to 100 ACL-related syslog entries per minute:
ServerIron(config)# max-acl-log-num 100
Syntax: [no] max-acl-log-num <num>
You can specify a number between 0 and 4096. The default is 256. Specifying 0 disables all ACL logging.
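The following model replays the timer behaviour described under "ACL Logging for Flow-Based ACLs" and walked through in the three-entry example above, together with the max-acl-log-num cap. It is an added example, not Brocade code, and it assumes that the immediate entry is generated whenever the timer is stopped, that the immediately logged packet also counts toward the interval total, and that the cap is applied per clock minute; the event timeline is constructed.

```python
from collections import Counter


def simulate_acl_log(events, end_time, interval_min=5, max_per_min=256):
    """events: iterable of (seconds, acl_entry, action) for matches on
    ACL entries that carry the log option. Returns a list of
    (seconds, acl_entry, action, packet_count) Syslog entries."""
    interval = interval_min * 60
    timer_expiry = None          # None: Layer 4 session log timer is stopped
    pending = Counter()          # (entry, action) -> packets since timer start
    per_minute = Counter()       # max-acl-log-num accounting per clock minute
    log = []

    def emit(t, entry, action, count):
        # Assumed: max-acl-log-num caps entries per clock minute; 0 disables all.
        if max_per_min == 0 or per_minute[t // 60] >= max_per_min:
            return
        per_minute[t // 60] += 1
        log.append((t, entry, action, count))

    def run_timer_until(t):
        nonlocal timer_expiry
        while timer_expiry is not None and t >= timer_expiry:
            if pending:
                # One aggregated entry per ACL entry that matched this interval.
                for (entry, action), n in sorted(pending.items()):
                    emit(timer_expiry, entry, action, n)
                pending.clear()
                timer_expiry += interval     # matches seen: timer keeps running
            else:
                timer_expiry = None          # idle interval: timer stops

    for t, entry, action in sorted(events):
        run_timer_until(t)
        if timer_expiry is None:
            # First match while the timer is stopped: log it at once, start timer.
            emit(t, entry, action, 1)
            timer_expiry = t + interval
        pending[(entry, action)] += 1   # assumed: the first packet counts too
    run_timer_until(end_time)
    return log


# Constructed timeline mirroring the page's three-entry walkthrough:
# ACL 101 denies at 0 s, 60 s and 120 s, then nothing until 2000 s.
SAMPLE = [(0, 101, "deny"), (60, 101, "deny"), (120, 101, "deny"),
          (2000, 101, "deny")]
```

Running `simulate_acl_log(SAMPLE, end_time=2100)` yields the immediate entry, the aggregate five minutes later, and a fresh immediate entry after the idle interval stopped the timer.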
Displaying ACL Statistics for Flow-Based ACLs
To display ACL statistics for flow-based ACLs, enter the following command:
ServerIron(config)# show ip acl-traffic

ICMP inbound packets received 400
ICMP inbound packets permitted 200
ICMP inbound packets denied 200
Syntax: show ip acl-traffic
The command lists a separate set of statistics for each of the following IP protocols:
For TCP and UDP, a separate set of statistics is listed for each application port.
Clearing Flow-Based ACL Statistics
To clear the ACL statistics, enter the following command at the Privileged EXEC level of the CLI:
ServerIron(config)# clear ip acl-traffic
Syntax: clear ip acl-traffic


Copyright © 2009 Brocade Communications Systems, Inc.