ACL deny logging on a 5406zl

  • 1.  ACL deny logging on a 5406zl

    Posted Jan 24, 2013 06:54 AM

    We've set up a Procurve 5406zl with recent firmware (OS: K.15.08.0013, BootROM: K.15.28) and are playing with acl logging.

    Our logging setup is as follows:

    Debug Logging
    Source IP Selection: 192.168.0.254
    Destination: 
    Logging --
    192.168.1.43 loghost
    Protocol = UDP
    Port = 514
    Facility = syslog
    Severity = debug
    System Module = all-pass
    Priority Desc =
    Enabled debug types:
    event
    acl log 
    This seems to log properly to our syslog server.
    We have several ACLs, each of which has more than one deny ACE with 'log' set. When these are matched, we see the following in our logs:
    Jan 24 11:46:51 192.168.0.254 ACL: ACL mClistCtrl:01/24/13 11:46:51 : Router ACL external-input seq#25 denied 1748 packets 
    Jan 24 11:46:51 192.168.0.254 ACL: ACL mClistCtrl:01/24/13 11:46:51 : Router ACL external-output seq#18 denied 2 packets 

    These come in around every 5 minutes as a 'summary' - but we'd like to get more info on these matches.

    We can obviously look at the ACE from the seq# number to see which rule matched, but we'd like to get more information on what the packet was that triggered the match (source/target address, port, etc.).

    Are we missing something in our setup that means we're not seeing this information? Or is this just how these devices log? Is there any way we can improve on the level of information logged?

    Thanks!
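Since the switch only emits these per-ACE deny totals every few minutes, one practical defender's use of them is to parse the summaries off the syslog server and alert when an ACE's denied count jumps between two consecutive summaries. The following is an added example (not code from the thread or from HP); the log lines in it are constructed to match the format quoted above, and the spike threshold is an assumed value.

```python
import re
from collections import defaultdict

# Constructed sample input in the format the 5406zl emitted in the post above:
# two 5-minute summary intervals for the same two ACEs, plus one unrelated line.
SAMPLE_LOG = """\
Jan 24 11:46:51 192.168.0.254 ACL: ACL mClistCtrl:01/24/13 11:46:51 : Router ACL external-input seq#25 denied 1748 packets
Jan 24 11:46:51 192.168.0.254 ACL: ACL mClistCtrl:01/24/13 11:46:51 : Router ACL external-output seq#18 denied 2 packets
Jan 24 11:51:51 192.168.0.254 ACL: ACL mClistCtrl:01/24/13 11:51:51 : Router ACL external-input seq#25 denied 9120 packets
Jan 24 11:51:51 192.168.0.254 ACL: ACL mClistCtrl:01/24/13 11:51:51 : Router ACL external-output seq#18 denied 3 packets
Jan 24 11:51:52 192.168.0.254 ports: port 3 is now on-line
"""

# One summary line: syslog header, the switch's own timestamp, then the ACL fields.
ACL_SUMMARY = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<switch>\S+) ACL: "
    r"ACL \S+:(?P<sw_ts>\S+ \S+) : (?P<kind>\w+) ACL (?P<acl>\S+) seq#(?P<seq>\d+) "
    r"denied (?P<count>\d+) packets?\s*$"
)

def parse_acl_summaries(text):
    """Parse every recognised ACL deny summary; other syslog lines are skipped."""
    events = []
    for line in text.splitlines():
        m = ACL_SUMMARY.match(line)
        if m:
            e = m.groupdict()
            e["seq"], e["count"] = int(e["seq"]), int(e["count"])
            events.append(e)
    return events

def deny_spikes(events, factor=4.0, min_packets=100):
    """Flag an ACE whose latest summary count is at least `factor` times its
    previous summary count (and at least `min_packets`), keyed per
    switch / ACL name / sequence number. Thresholds are assumed values.
    Returns a list of (acl, seq, previous_count, current_count)."""
    history = defaultdict(list)
    for e in events:
        history[(e["switch"], e["acl"], e["seq"])].append(e["count"])
    alerts = []
    for (_switch, acl, seq), counts in history.items():
        if len(counts) < 2:
            continue  # need two summaries to compare
        prev, cur = counts[-2], counts[-1]
        if cur >= min_packets and cur >= factor * max(prev, 1):
            alerts.append((acl, seq, prev, cur))
    return alerts

if __name__ == "__main__":
    for a in deny_spikes(parse_acl_summaries(SAMPLE_LOG)):
        print("ACL %s seq#%d: denied count jumped %d -> %d" % a)
```

The summaries still carry no source/destination addresses, so an alert from this only tells you which ACE to go and investigate with a port mirror or a packet capture, as the reply below suggests.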



  • 2.  RE: ACL deny logging on a 5406zl

    Posted Jan 26, 2013 08:40 AM

    Hi,
    ProVision is quite limited on the ACL debugging. This is because it is a hardware process on the ASIC, and any logging/debugging must pass through the CPU software of the switch, which is easily overloaded (hence the 5-minute summaries to protect the CPU).

    Not sure if you would get more output, but you can try:

    debug destination logging

    debug acl
    Otherwise, I would simply activate a port mirror and use the good old wireshark.
    Best regards,
    Peter