Wired Intelligent Edge

 View Only
last person joined: 13 hours ago 

Bring performance and reliability to your network with the HPE Aruba Networking Core, Aggregation, and Access layer switches. Discuss the latest features and functionality of your switching devices, and find ways to improve security across your network to bring together a mobile-first solution
Expand all | Collapse all

Aruba ACL Debug

This thread has been viewed 24 times
  • 1.  Aruba ACL Debug

    Posted 23 days ago

    hopefully in right area...

    have an ACL on 3810 which is assigned to locked down WiFi Vlan.  Have issue accessing devices on this wifi for support, I'm on 10.10.20.x

    The log server is only getting "Router ACL v200-in, seq#80 denied 2122 packets, direction in"

    I can't seem to see the packet details being blocked - what am I missing ?

    ACL (basic version)

    ip access-list extended "v200-in"
         deny tcp 10.10.10.0 0.0.0.255 10.10.1.0 0.0.0.255 eq 21
         deny tcp 10.10.10.0 0.0.0.255 10.10.1.0 0.0.0.255 eq 22
         deny tcp 10.10.10.0 0.0.0.255 10.10.1.0 0.0.0.255 eq 23
         remark support
         permit ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
         remark services
         permit ip 10.10.10.0 0.0.0.255 192.168.210.0 0.0.0.255
         remark monitoring
         permit ip 10.10.10.0 0.0.0.255 host 35.233.9.1
         permit ip 10.10.10.0 0.0.0.255 host 35.233.10.135
         permit ip 10.10.10.0 0.0.0.255 host 35.233.15.27
         deny ip 10.10.10.0 0.0.0.255 0.0.0.0 255.255.255.255 log
       exit

    vlan 200
       name "RF-Devices"
       ip address 10.10.10.1 255.255.255.0
       ip helper-address 192.168.210.154
       ip access-group "v200-in" in
       exit

    debug destination logging

    debug acl

    logging severity debug



  • 2.  RE: Aruba ACL Debug

    EMPLOYEE
    Posted 18 days ago

    From what I can tell between your post above and examining the Aruba 3810 / 5400R Access Security Guide for ArubaOS-Switch 16.06, specifically the section ACL Logging Operation, the result that includes only a hit count (and not packet details) may be occurring in cases where an initial log message has previously been generated for the ACL entry. It seems your configuration is appropriate, but perhaps the initial message has cycled out or not been received by the syslog server. It may be worth trying a show log locally on the switch, or perhaps toggling no debug acl / debug acl to force another initial log message to be generated.