Enable Ipv6 Acl "Deny" Logging; Requirements For Using Ipv6 Acl Logging; Acl Logging Operation - HP 2530 Manual Supplement

6. If the configuration appears satisfactory, save it to the startup-config file:
HP Switch(config)# write memory

Enable IPv6 ACL "deny" logging

ACL logging enables the switch to generate a message when IP traffic meets the criteria for a match
with an ACE that results in an explicit "deny" action. You can use ACL logging to help:
- Test your network to help ensure that your ACL configuration is detecting and denying the
  incoming IPv6 traffic you do not want to enter the switch.
- Receive notification when the switch denies inbound IPv6 traffic you have designed your ACLs
  to reject (deny).
The switch sends ACL messages to syslog and optionally to the current console, Telnet, or SSH
session. You can use logging < > to configure up to six syslog server destinations.

Requirements for using IPv6 ACL logging

The switch configuration must include an ACL:
1. Assigned to a port, trunk, or static VLAN interface.
2. Containing an ACE configured with the deny action and the log option.
For IPv6 ACL logging to a Syslog server:
- The server must be accessible to the switch and identified in the running configuration.
- The logging facility must be enabled for Syslog.
- Debug must be configured to:
  - support ACL messages
  - send debug messages to the desired debug destination
These requirements are described in more detail under "Enabling ACL logging on the switch"
(page 106).

ACL logging operation

When the switch detects a packet match with an ACE and the ACE includes the deny action and
the optional log parameter, an ACL log message is sent to the designated debug destination. The
first time a packet matches an ACE with deny and log configured, the message is sent immediately
to the destination and the switch starts a wait-period of approximately five minutes. (The exact
duration of the period depends on how the packets are internally routed.) At the end of the collection
period, the switch sends a single-line summary of any additional "deny" matches for that ACE (and
any other "deny" ACEs for which the switch detected a match). If no further log messages are
generated in the wait-period, the switch suspends the timer and resets itself to send a message as
soon as a new "deny" match occurs. The data in the message includes the information in
Example 50 (page 106).
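The wait-period behaviour described above, modelled as an added Python simulation (not HP switch code; the timestamps in seconds, the ACE names and the message wording are constructed). It shows why a syslog collector sees one immediate message, then at most one summary line per wait-period, rather than one message per denied packet:

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

WAIT_PERIOD = 300.0  # about five minutes; the manual says the exact length varies

@dataclass
class AclDenyLogger:
    """Model of the throttling the manual describes: the first deny match is logged at
    once, later matches are collected and reported as one summary line per wait-period."""
    window_start: Optional[float] = None          # None while the timer is suspended
    pending: Dict[str, int] = field(default_factory=dict)
    messages: List[Tuple[float, str]] = field(default_factory=list)

    def advance(self, now: float) -> None:
        """Close every wait-period that has expired by time `now`."""
        while self.window_start is not None and now >= self.window_start + WAIT_PERIOD:
            end = self.window_start + WAIT_PERIOD
            if self.pending:
                # single-line summary of the additional matches collected in this period
                parts = ", ".join(f"{ace}={n}" for ace, n in sorted(self.pending.items()))
                self.messages.append((end, f"ACL deny summary: {parts}"))
                self.pending = {}
                self.window_start = end       # keep collecting while matches keep coming
            else:
                self.window_start = None      # nothing new: suspend the timer

    def deny_match(self, now: float, ace: str) -> None:
        """Record a packet that matched a deny ACE carrying the log option."""
        self.advance(now)
        if self.window_start is None:
            self.messages.append((now, f"ACL deny match: {ace}"))   # sent immediately
            self.window_start = now
        else:
            self.pending[ace] = self.pending.get(ace, 0) + 1        # held for the summary

def simulate() -> List[Tuple[float, str]]:
    """Constructed scenario: a burst of denies, then silence, then one more match."""
    log = AclDenyLogger()
    log.deny_match(0, "deny-telnet")
    log.deny_match(10, "deny-telnet")
    log.deny_match(20, "deny-ssh")
    log.advance(600)               # two full periods pass: summary, then timer suspends
    log.deny_match(650, "deny-telnet")
    return log.messages

if __name__ == "__main__":
    for t, msg in simulate():
        print(f"t={t:>5.0f}s  {msg}")
```

Three matches inside the first period produce only two log lines (the immediate message and the summary), so per-packet counts must be read from the summary, not from the number of messages.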
