Wired Intelligent Edge


Bring performance and reliability to your network with the Aruba Core, Aggregation, and Access layer switches. Discuss the latest features and functionality of the ArubaOS-Switch and ArubaOS-CX devices, and find ways to improve security across your network to bring together a mobile first solution.

Debug ACL - Switch 5406Rzl2 J9850A

  • 1.  Debug ACL - Switch 5406Rzl2 J9850A

    Posted Dec 04, 2020 09:37 AM
    Dear All,
    I have a 5406Rzl2 J9850A switch on which many ACLs are configured.
    All of them end with a deny log rule for all the "other" traffic not listed in the permit rows above.

    ex. deny ip 10.11.0.0 0.0.255.255 0.0.0.0 255.255.255.255 log

    I read that the debug should give me details about the first packet that hits the deny rule and then summarize the next packets, but in my case I only see the summary.

    What I need is the detail about the source IP, the destination IP and the port that hit the deny rule; instead I only get the summary:

    show debug buffer | VLAN_E80
    0015:16:47:23.05 ACL mClistCtrl:12/04/20 06:28:13 : Router ACL VLAN_E80,
    seq#3810 denied 149 packets, direction in

    My debug config is:

    show debug

    Debug Logging

    Source IP Selection: Outgoing Interface
    Origin identifier: Outgoing Interface IP
    Destination:
    Memory buffer

    Time-stamp: System-Uptime

    Enabled debug types:
    event
    acl log

    Thanks for any advice.


    ------------------------------
    Davide
    ------------------------------


  • 2.  RE: Debug ACL - Switch 5406Rzl2 J9850A

    MVP GURU
    Posted Dec 05, 2020 04:40 AM
    Ciao Davide, supposing you're dealing with a RACL (Routed ACL) "extended" and "in" (thus valid for incoming traffic into your switch's router interface, leaving the VLAN where the ACL is currently applied) try first a more general approach by issuing this command:

    show statistics aclv4 VLAN_E80 vlan <VLAN-id-where-the-VLAN_E80-ACL-is-applied-to> in

    If each ACE (both of deny and permit form) has the "log" option you should see a quite complete summary of how many times an ACE was hit for that particular ACL on that particular VLAN Id and for traffic leaving that VLAN with other VLANs as destinations. That's to start.

    ------------------------------
    Davide Poletto
    ------------------------------



  • 3.  RE: Debug ACL - Switch 5406Rzl2 J9850A

    Posted Dec 14, 2020 07:46 AM
    Hi parnassus,

    Thanks for your help, I've tried your command; it works but gives me different information.
    It gives me details about how many times each single rule/row of my ACL has been hit.

    ex. ( 363648 ) 3810 deny ip 192.168.10.0 0.0.0.255 0.0.0.0 255.255.255.255 log

    What I need is why this rule has been hit.

    In Cisco, with a simple "show log" I have the source IP, destination IP and port that hit the rule; in this way I can debug whether the deny is a desired behaviour or not.
    %SEC-6-IPACCESSLOGP: list test denied tcp 192.168.9.202(58682) -> 192.168.10.253(23), 15 packets

    Thanks,
    Davide



    ------------------------------
    Davide De Meo
    ------------------------------



  • 4.  RE: Debug ACL - Switch 5406Rzl2 J9850A
    Best Answer

    Posted Dec 15, 2020 04:50 AM
    Hello Davide,

    This is in addition to what Parnassus posted. I believe you can't see those logs with the show log command. To be able to see them you can send them to a syslog server (debug destination syslog) or the terminal session (debug destination session).

    As you mentioned, you will only see the info of the first packet that hits the rule, but in a time frame of 5 minutes (that's the default if I'm not mistaken).

    To get more frequent logs configure it with the command access-list logtimer XXX.

    https://techhub.hpe.com/eginfolib/networking/docs/switches/RA/15-18/5998-8151_ra_2620_asg/content/ch10s13.html

    Hope this helps.

    Best regards,

    Aaron

    ------------------------------
    Aaron Fuentes Ohnell
    ------------------------------
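Once the ACL log lines reach a syslog server, as suggested above, they still have to be parsed before the source, destination and port can be searched or alerted on. This added example (not from the thread, Aruba or Cisco) normalises the two formats quoted in the thread, the ArubaOS-Switch summary line from post 1 and the Cisco IPACCESSLOGP detail line from post 3, into one record type and totals denied packets per ACL; the sample lines are constructed and the regexes assume only the field layout visible in those two quoted lines.

```python
import re
from dataclasses import dataclass

# Constructed sample syslog lines, modelled on the two formats quoted in the
# thread: the ArubaOS-Switch RACL summary and the Cisco IPACCESSLOGP detail.
SAMPLE_LINES = [
    "0015:16:47:23.05 ACL mClistCtrl:12/04/20 06:28:13 : Router ACL VLAN_E80, "
    "seq#3810 denied 149 packets, direction in",
    "%SEC-6-IPACCESSLOGP: list test denied tcp 192.168.9.202(58682) "
    "-> 192.168.10.253(23), 15 packets",
]

ARUBA_SUMMARY = re.compile(
    r"Router ACL (?P<acl>\S+), seq#(?P<seq>\d+) (?P<action>denied|permitted) "
    r"(?P<packets>\d+) packets, direction (?P<direction>in|out)")
CISCO_DETAIL = re.compile(
    r"list (?P<acl>\S+) (?P<action>denied|permitted) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<packets>\d+) packets?")


@dataclass
class AclHit:
    acl: str
    action: str
    packets: int
    seq: "int | None" = None      # ACE sequence number (Aruba summary only)
    proto: "str | None" = None    # 5-tuple fields: only present in detail lines
    src: "str | None" = None
    sport: "int | None" = None
    dst: "str | None" = None
    dport: "int | None" = None


def parse_acl_log(line: str) -> "AclHit | None":
    """Normalise either format into an AclHit; None for non-ACL lines."""
    m = ARUBA_SUMMARY.search(line)
    if m:
        return AclHit(m["acl"], m["action"], int(m["packets"]), seq=int(m["seq"]))
    m = CISCO_DETAIL.search(line)
    if m:
        return AclHit(m["acl"], m["action"], int(m["packets"]), proto=m["proto"],
                      src=m["src"], sport=int(m["sport"]), dst=m["dst"], dport=int(m["dport"]))
    return None


def denied_packets(lines) -> dict:
    """Total denied packets per ACL name, so a spike on one list stands out."""
    totals = {}
    for hit in filter(None, map(parse_acl_log, lines)):
        if hit.action == "denied":
            totals[hit.acl] = totals.get(hit.acl, 0) + hit.packets
    return totals
```

Feed it the lines exported from the syslog server; summary-only records (src is None) tell you the logtimer window collapsed the detail, which is the symptom the thread describes.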



  • 5.  RE: Debug ACL - Switch 5406Rzl2 J9850A

    Posted Dec 16, 2020 03:58 AM
    Hello,
    Thank you both, fefa2k1's answer is OK for me.
    Redirecting the logs to a syslog server works.

    Thank you

    ------------------------------
    Davide
    ------------------------------



  • 6.  RE: Debug ACL - Switch 5406Rzl2 J9850A

    Posted 13 days ago
    What syslog server are you using to redirect the logs?  I'm sending to ManageEngine and receiving exactly what I see in the ssh session on the switch.  I have the same scenario you ran into and have the same request.  Thanks!