Cisco WS-C6506 Software Manual page 455

Catalyst 6500 series switch
Chapter 15
Configuring Access Control
This example shows that ports 1/1 and 2/1 were cleared:
Console> (enable) show security acl capture-ports
ACL Capture Ports:1/2,2/2
Console> (enable)
Configuring VACL Logging
Note
This feature is available only with Supervisor Engine 2 with PFC2, Supervisor Engine 720 with
PFC3A/PFC3B/PFC3BXL, and Supervisor Engine 32 with PFC3B/PFC3BXL.
You can log the messages about the denied packets for the standard IP access list by entering the log
keyword for the deny VACLs. Any packet that matches the access list causes an informational logging
message about the packet to be sent to the console. The level of messages that is logged to the console
is controlled by the set logging level acl severity command.
The first packet that triggers the access list causes a logging message right away, and the subsequent
packets are collected over 5-minute intervals before they are displayed or logged. The logging message
includes the flow pattern and the number of packets that are received in the past 5 minutes.
By default, the system logging messages are sent to the console. You can configure the switch to send
the system logging messages to a syslog server. For information on configuring system message logging,
see Chapter 29, "Configuring System Message Logging."
Configuration Guidelines
This section describes the guidelines for configuring VACL logging:
Log only the deny traffic from the IP VACLs.
You must set the logging level to 6 (information) or 7 (debugging).
To enable VACL logging, perform these steps:
Step 1
Enter the set logging level acl severity command to set the logging level to 6 (information) or
7 (debugging).
Step 2
(Optional) Enter the set security acl log maxflow max_number command to allocate a new log table that
is based on the maximum flow pattern number to store the logged packet information. If successful, the
new buffer replaces the old one and all flows in the old table are cleared. If there is not enough memory
or the maximum number is over the limit, an error message is displayed and the command is dropped. The
valid values are from 256 to 2048; the default value is 500.
Note
If the maximum flow pattern is over the max_num limit, an error message is displayed and the
command is dropped. The messages are not logged for these packets.
Step 3
(Optional) Enter the set security acl log ratelimit pps command to set the redirect rate in pps (packets
per second). If the configuration is over the range, the command is discarded and the range is displayed
on the console. The valid values are from 500 to 5000; the default value is 2500. To disable rate limiting,
set the value to 0.
Note
If the redirect rate is over the pps range, the command is dropped and the range is displayed on
the console. The messages are not logged for these packets.
OL-8978-04
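The three steps above as one console session, added here as an illustration and not taken from the guide. The logging level, flow-table size and rate limit follow the steps; the VACL entry syntax with the log keyword, the commit security acl and set security acl map commands, the ACL name VACL_DENY_LOG, the 10.0.0.0/24 subnet and VLAN 10 are assumed from general CatOS usage and constructed for this example.

```console
Console> (enable) set logging level acl 6 default
Console> (enable) set security acl log maxflow 1024
Console> (enable) set security acl log ratelimit 2500
Console> (enable) set security acl ip VACL_DENY_LOG deny ip 10.0.0.0 0.0.0.255 any log
Console> (enable) set security acl ip VACL_DENY_LOG permit ip any any
Console> (enable) commit security acl VACL_DENY_LOG
Console> (enable) set security acl map VACL_DENY_LOG 10
```

The first three lines are Steps 1 to 3 (severity 6 made persistent with default, a 1024-flow log table within the 256 to 2048 range, and the default 2500 pps limit); the deny entry carries the log keyword while the trailing permit keeps other traffic flowing, and commit plus map activate the VACL on the VLAN.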
Catalyst 6500 Series Switch Software Configuration Guide—Release 8.7
Configuring VACLs
15-59