Traffic; Acl Logging - Foundry Networks Switch and Router Installation And Configuration Manual

Foundry Switch and Router Installation and Configuration Guide
If you want to secure access in environments with many users, you might want to configure ACLs that consist
of explicit deny entries, then add an entry to permit all access to the end of each ACL. The software permits
packets that are not denied by the deny entries.
NOTE: The software generates log entries only when packets are explicitly denied by ACLs. The software does
not generate log entries for explicitly permitted entries or for entries that are implicitly denied.
NOTE: Do not apply an empty ACL (an ACL ID without any corresponding entries) to an interface. If you
accidentally do this, the software applies the default ACL action, deny all, to the interface and thus denies all
traffic.

Controlling Management Access to the Device
You can use standard ACLs to control Telnet, Web, and SNMP access to a Foundry device. See "Using ACLs to
Restrict Remote Access" on page 3-4.

ACL Logging

ACL logging is disabled by default. However, when you configure an ACL entry, you can enable logging for that
entry by adding the log parameter to the end of the CLI command for the entry.
When you enable logging for an ACL entry, statistics for packets that match the deny conditions of the ACL entry
are logged. For example, if you configure a standard ACL entry to deny all packets from source address
209.157.22.26, statistics for packets that are explicitly denied by the ACL entry are logged in the Foundry device's
Syslog buffer and in SNMP traps sent by the device.
The first time an ACL entry denies a packet, the software immediately generates a Syslog entry and SNMP trap.
The software also starts a five-minute timer. The timer keeps track of all packets explicitly denied by the ACL
entries. After five minutes, the software generates a single Syslog entry for each ACL entry that has denied a
packet. The message indicates the number of packets denied by the ACL entry during the previous five minutes.
If no ACL entries explicitly deny packets during an entire five-minute timer interval, the timer stops. The timer
restarts when an ACL entry explicitly denies a packet.
NOTE: The timer for logging packets denied by Layer 2 filters is separate.
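As an added illustration (not from the Foundry guide), the following Python model plays out the deny-logging behaviour just described, so that someone consuming the Syslog feed can see why a burst of denied packets appears as one immediate message followed by one per-entry summary every five minutes. It assumes that the immediate message is generated whenever a deny occurs while the timer is idle and that the triggering packet is included in the summary count; the ACL entry numbers and the second source address are constructed.

```python
from collections import Counter

INTERVAL = 300  # the five-minute aggregation window, in seconds


class AclDenyLogger:
    """Model of the logging behaviour in the text: an immediate message when a
    deny occurs while the timer is idle, one summary per ACL entry at each
    five-minute expiry, and a timer that stops after an interval with no denies.
    Assumption: the packet that triggers the immediate message is also counted."""

    def __init__(self):
        self.timer_end = None    # end of the running interval, or None when idle
        self.counts = Counter()  # packets denied per ACL entry in this interval
        self.log = []            # (time, kind, acl_entry, detail) tuples

    def _expire(self, now):
        # Close every whole interval that has elapsed before 'now'.
        while self.timer_end is not None and now >= self.timer_end:
            if not self.counts:          # an idle interval stops the timer
                self.timer_end = None
                break
            for entry, n in sorted(self.counts.items()):
                self.log.append((self.timer_end, "summary", entry, n))
            self.counts = Counter()
            self.timer_end += INTERVAL   # timer keeps running into the next interval

    def deny(self, now, entry, src):
        """Record a packet explicitly denied by ACL entry 'entry' at time 'now'."""
        self._expire(now)
        if self.timer_end is None:       # deny while idle: log at once, start timer
            self.log.append((now, "first", entry, src))
            self.timer_end = now + INTERVAL
        self.counts[entry] += 1

    def events(self, now):
        """Return every log event that would have been emitted by time 'now'."""
        self._expire(now)
        return list(self.log)


def run_scenario():
    # Constructed traffic: entry 1 denies 209.157.22.26 (the text's example
    # address); entry 2 is a hypothetical second deny entry.
    logger = AclDenyLogger()
    logger.deny(0, 1, "209.157.22.26")
    logger.deny(10, 1, "209.157.22.26")
    logger.deny(20, 2, "10.1.1.9")
    logger.deny(700, 1, "209.157.22.26")  # arrives after an idle interval
    return logger.events(1000)
```

The scenario yields an immediate message at t=0, summaries for both entries at t=300, no output for the idle interval ending at t=600, a fresh immediate message at t=700, and a summary at t=1000.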
The following sections describe how to configure standard and extended ACLs.
NOTE: The following sections describe how to configure ACLs using the Foundry device's CLI. You also can
create and modify ACLs using a text editor on a file server, then copy them to the device's running-config file. In
fact, this method is a convenient way to reorder individual ACL entries within an ACL. See "Modifying ACLs" on
page 13-20.
Support for up to 4096 Access Control Lists (ACLs)
You can configure up to 4096 Access Control Lists (ACLs) on devices that have enough space to hold a startup-
config file that contains the ACLs.
NOTE: This feature applies only to the NetIron Internet Backbone router and BigIron Layer 3 Switches with
Management IV modules. The PCMCIA flash card on the Management IV module is required to store and load
startup-config files containing the large number of ACLs.
You do not need to configure the device's memory for the increased support.
The feature is supported on all chassis Layer 3 Switches. However, the actual number of ACLs you can configure
and store in the startup-config file depends on the amount of memory available on the device for storing the
startup-config. To store 4096 ACLs in the startup-config file requires at least 250K bytes, which is larger than the
space available on a device's flash memory module.
13 - 4
December 2000
