Comware

  • 1.  Syslog deny ACL on 5406zl ?

    Posted May 27, 2009 03:18 PM
    Hello,

    We have a 5406zl routing traffic between VLANs, and have applied an ACL on a particular VLAN to allow only a few TCP services to enter this VLAN. So the last ACE in the ACL is "deny ip any any".

    I'd like to record all "denied traffic" in a remote syslog, and I'm really surprised that the 5406zl only permits this in "debug mode", with just one log entry recorded every 5 minutes. So my question: have I missed something? And if not, how do you guys do this? Is mirroring a port to a remote Linux box my only "not expensive" solution?

    Thanks,
    Laurent.


  • 2.  RE: Syslog deny ACL on 5406zl ?

    Posted May 29, 2009 02:05 PM

    I think you need to add your own:

    deny ip any any log

    instead of relying on the implicit
    "deny ip any any" which doesn't have the
    "log".




  • 3.  RE: Syslog deny ACL on 5406zl ?

    Posted May 31, 2009 11:58 AM
    Of course I had a "log" on the "deny ip any any". Anyway, this "log" keyword only works in debug mode (#debug acl) and notifies on one packet every 5 minutes...


  • 4.  RE: Syslog deny ACL on 5406zl ?

    Posted Jun 18, 2009 07:08 PM
    The "5 minute summaries" are expected operation. There is a very clear write up on page 10-114 of the Access Security Guide (here is a direct link to Chapter 10 where this section is found: http://cdn.procurve.com/training/Manuals/3500-5400-6200-8200-ASG-Jan08-10-ACLs.pdf)

    "The first time a packet matches an ACE with deny and log configured, the message is sent immediately to the destination and the switch starts a wait-period of approximately five minutes. ... At the end of the collection period, the switch sends a single-line summary of any additional "deny" matches for that ACE (and any other "deny" ACEs for which the switch detected a match). If no further log messages are generated in the wait-period, the switch suspends the timer and resets itself to send a message as soon as a new "deny" match occurs"
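
    As an added example (not posted by anyone in this thread), here is the shape of a 5400zl configuration that puts together the pieces the posts above touch on: an extended ACL whose last ACE carries the log keyword, that ACL applied inbound on the VLAN, a remote syslog destination, and the debug settings that route ACL log messages to it. The ACL name, VLAN number, addresses and TCP ports are invented; the logging, debug destination logging and debug acl commands are written from memory of the ProCurve CLI and should be checked against the Access Security Guide for your software version before use.

    ```text
    ! Added example, not from the thread. All names, addresses and ports are invented.
    ! Extended ACL: let two TCP services into 10.20.0.0/16, deny and log everything else.
    ! An explicit "deny ip any any log" is needed; the implicit deny carries no "log".
    ip access-list extended "VLAN20-IN"
       10 permit tcp any 10.20.0.0 0.0.255.255 eq 443
       20 permit tcp any 10.20.0.0 0.0.255.255 eq 22
       30 deny ip any any log
       exit
    ! Apply the ACL to traffic routed into VLAN 20 ("in" direction).
    vlan 20
       ip access-group "VLAN20-IN" in
       exit
    ! Remote syslog server (invented address).
    logging 10.1.1.50
    ! ACL "log" messages are debug output on this platform: send debug output to
    ! the configured syslog server and enable the ACL debug facility. Without
    ! "debug acl" the "log" keyword produces nothing. Expect one message on the
    ! first match, then at most one summary line per ACE per roughly five-minute
    ! window, as the Access Security Guide passage quoted above describes.
    debug destination logging
    debug acl
    ```

    Note that debug settings are not always kept across a reboot on these switches, so after any reload confirm with show debug that the ACL debug facility and the logging destination are still active; otherwise the deny ACE keeps dropping traffic but nothing reaches syslog.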


  • 5.  RE: Syslog deny ACL on 5406zl ?

    Posted Jun 19, 2009 10:59 AM
    It is a limitation; I'm not sure of the reason, but I suspect it was put in place in order not to overload the CPU of the switch under heavy deny matches. I don't quite see the logic, because I could do a permit any any log and it wouldn't complain (although I haven't tried this).

    I've also been hoping for this feature for some time now. More and more logging is required these days.


  • 6.  RE: Syslog deny ACL on 5406zl ?

    Posted Jun 19, 2009 11:03 AM
    Actually I wanted 'log' on permit entries. If I could even get the one-in-five-minutes version, I'd be happy with that for now.