Vacl Logging - Cisco Catalyst 2960 series Configuration Manual
Consolidated platform configuration guide, ios release 15.2(4)e
Hide thumbs
Also See for Catalyst 2960 series:
- Software configuration manual (980 pages) ,
- Command reference manual (800 pages) ,
- Configuration manual (120 pages)
Table of Contents
Advertisement
How to Configure VLAN Access Control Lists
VACL Logging
When you configure VACL logging, syslog messages are generated for denied IP packets under these
circumstances:
• When the first matching packet is received.
• For any matching packets received within the last 5 minutes.
• If the threshold is reached before the 5-minute interval.
Log messages are generated on a per-flow basis. A flow is defined as packets with the same IP addresses and
Layer 4 (UDP or TCP) port numbers. If a flow does not receive any packets in the 5-minute interval, that flow
is removed from the cache. When a syslog message is generated, the timer and packet counter are reset.
VACL logging restrictions:
• Only denied IP packets are logged.
• Packets that require logging on the outbound port ACLs are not logged if they are denied by a VACL.
How to Configure VLAN Access Control Lists
Creating Named MAC Extended ACLs
You can filter non-IPv4 traffic on a VLAN or on a Layer 2 interface by using MAC addresses and named
MAC extended ACLs. The procedure is similar to that of configuring other extended named ACLs.
Follow these steps to create a named MAC extended ACL:
SUMMARY STEPS
1. enable
2. configure terminal
3. mac access-list extended name
4. {deny | permit} {any | host source MAC address | source MAC address mask} {any | host destination
MAC address | destination MAC address mask} [type mask | lsap lsap mask | aarp | amber | dec-spanning
| decnet-iv | diagnostic | dsm | etype-6000 | etype-8042 | lat | lavc-sca | mop-console | mop-dump |
msdos | mumps | netbios | vines-echo | vines-ip | xns-idp | 0-65535] [cos cos]
5. end
6. show running-config
7. copy running-config startup-config
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(4)E (Catalyst 2960-X Switches)
1248
destination) and not on the full flow (source IP address, destination IP address, protocol, and protocol
ports). It is also helpful to use don't care bits in the IP address, whenever possible.
If you need to specify the full-flow mode and the ACL contains both IP ACEs and TCP/UDP/ICMP
ACEs with Layer 4 information, put the Layer 4 ACEs at the end of the list. This gives priority to the
filtering of traffic based on IP addresses.
Hide quick links:
Advertisement
Table of Contents
Troubleshooting
