Enabling Acl Logging On The Switch - HP E3800-24G-PoE+-2SFP+ Access Security Manual


IPv4 Access Control Lists (ACLs)
Enable ACL "Deny" Logging

Enabling ACL Logging on the Switch

1. If you are using a Syslog server, use the logging <ip-addr> command to configure the Syslog server IPv4 address(es). Ensure that the switch can access any Syslog server(s) you specify.
2. Use logging facility syslog to enable the logging for Syslog operation.
3. Use the debug destination command to configure one or more log destinations. (Destination options include logging and session. For more information on debug, refer to "Debug and Syslog Messaging Operation" in appendix C, "Troubleshooting", in the Management and Configuration Guide for your switch.)
4. Use debug acl or debug all to configure the debug operation to include ACL messages.
5. Configure one or more ACLs with the deny action and the log option.

For example, suppose that you want to configure the following operation:

• On VLAN 10 configure an extended ACL with an ACL-ID of "NO-TELNET" and use the RACL in option to deny Telnet traffic entering the switch from 10.10.10.3 to any routed destination. (Note that this assignment will not filter Telnet traffic from 10.10.10.3 to destinations on VLAN 10 itself.)
• Configure the switch to send an ACL log message to the current console session and to a Syslog server at 10.10.20.3 on VLAN 20 if the switch detects a packet match denying a Telnet attempt from 10.10.10.3.

(This example assumes that IPv4 routing is already configured on the switch.)

[Figure 10-44. Example of an ACL Log Application. The switch, with a console attached to its RS-232 port, connects VLAN 10 (10.10.10.1, Subnet 10) and VLAN 20 (10.10.20.1, Subnet 20, Syslog Server). Callouts: "Apply the extended ACL "NO TELNET" as a RACL here to deny Telnet access to inbound, routed Telnet traffic from IP address 10.10.10.3." and, at host 10.10.10.3, "Block Telnet access to routed destinations from this host."]
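
The five steps applied to the scenario above, as an added example that is not taken from the manual. The Switch prompt, the port match written as eq 23, and the closing permit ip any any entry are assumptions; lines beginning with ";" are annotations, not commands.

```text
; Added example (constructed for this scenario, not from the manual).
; Steps 1-2: Syslog server on VLAN 20, then enable logging for Syslog operation
Switch(config)# logging 10.10.20.3
Switch(config)# logging facility syslog
; Step 3: send debug output to the Syslog server and the current console session
Switch(config)# debug destination logging
Switch(config)# debug destination session
; Step 4: include ACL messages in the debug output
Switch(config)# debug acl
; Step 5: extended ACL whose deny entry carries the log option
Switch(config)# ip access-list extended "NO-TELNET"
Switch(config-ext-nacl)# deny tcp host 10.10.10.3 any eq 23 log
; Assumption: all other routed traffic should still pass. Without this entry
; the implicit deny at the end of the ACL would drop it.
Switch(config-ext-nacl)# permit ip any any
Switch(config-ext-nacl)# exit
; Apply the ACL as a RACL to routed traffic entering on VLAN 10
Switch(config)# vlan 10 ip access-group "NO-TELNET" in
```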
