Figure 9-32. Commands for Applying an ACL with Logging to Figure 9-31
Operating Notes for ACL Logging
■
■
■
The ACL logging feature generates a message only when packets are
explicitly denied as the result of a match, and not when explicitly
permitted or implicitly denied. To help test ACL logging, configure an
ACL with an explicit deny any and log statements at the end of the list,
and apply the ACL to an appropriate interface.
Logging enables you to selectively test specific devices or groups.
However, excessive logging can affect switch performance. For this
reason, ProCurve recommends that you remove the logging option
from ACEs for which you do not have a present need. Also, avoid
configuring logging where it does not serve an immediate purpose.
(Note that ACL logging is not designed to function as an accounting
method.) See also "Apparent Failure To Log All "Deny" Matches" in
the section titled "ACL Problems", found in appendix C, "Trouble
shooting" of the Management and Configuration Guide for your
switch.
When configuring logging, you can reduce excessive use by config
uring the appropriate ACEs to match with specific hosts instead of
entire subnets.
IPv4 Access Control Lists (ACLs)
Enable ACL "Deny" Logging
9-71