Send documentation comments to mdsfeedback-doc@cisco.com
33-9
Cisco MDS 9000 Family CLI Configuration Guide
OL-16184-01, Cisco MDS SAN-OS Release 3.x
Chapter 33 Configuring IPv4 and IPv6 Access Control Lists
Reading the IP-ACL Log Dump
Use the log-deny option at the end of a filter condition to log information about packets that match dropped entries. The log output displays the ACL number, permit or deny status, and port information.
Note
To capture these messages in a logging destination, you must configure severity level 7 for the kernel and ipacl facilities (see the “Facility Severity Levels” section on page 53-5) and severity level 7 for the logging destination: logfile (see the “Log Files” section on page 53-6), monitor (see the “Monitor Severity Level” section on page 53-4) or console (see the “Console Severity Level” section on page 53-4). For example:
switch# config t
switch(config)# logging level kernel 7
switch(config)# logging level ipacl 7
switch(config)# logging logfile message 7
For the input ACL, the log displays the raw MAC information. The keyword “MAC=” does not refer to
showing an Ethernet MAC frame with MAC address information. It refers to the Layer 2 MAC-layer
information dumped to the log. For the output ACL, the raw Layer 2 information is not logged.
The following example is an input ACL log dump.
Jul 17 20:38:44 excal-2 %KERN-7-SYSTEM_MSG: %IPACL-7-DENY:IN=vsan1 OUT=
MAC=10:00:00:05:30:00:47:df:10:00:00:05:30:00:8a:1f:aa:aa:03:00:00:00:08:00:45:00:00:54:00:00:40:00:40:01:0e:86:0b:0b:0b:0c:0b:0b:0b:02:08:00:ff:9c:01:15:05:00:6f:09:17:3f:80:02:01:00:08:09:0a:0b:0c:0d:0e:0f:10:11:12:13:14:15:16:17:18:19:1a:1b:1c:1d:1e:1f:20:21:22:23:24:25:26:27:28:29:2a:2b
SRC=11.11.11.12 DST=11.11.11.2 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=277 SEQ=1280
The following example is an output ACL log dump.
Jul 17 20:38:44 excal-2 %KERN-7-SYSTEM_MSG: %IPACL-7-DENY:IN= OUT=vsan1
SRC=11.11.11.2 DST=11.11.11.12 LEN=84 TOS=0x00 PREC=0x00 TTL=255 ID=38095 PROTO=ICMP TYPE=0 CODE=0 ID=277 SEQ=1280
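To make the layout of these dumps concrete, the following parser is an added example; it is not Cisco code and is not part of this guide. It assumes that a syslog collector receives each dump as a single line, and that the raw MAC= bytes carry an LLC/SNAP header (aa:aa:03 00:00:00 08:00) directly in front of the IPv4 header, as the input dump above does; the 16 bytes before that header are treated as opaque link-layer addresses rather than decoded. The sample lines are the guide's two dumps rejoined. The code decodes the IPv4 and ICMP headers from the raw bytes and compares them with the SRC=, DST=, LEN=, TTL=, ID=, DF and ICMP fields the switch printed, which is a useful sanity check when a collector or parser has mangled a message; the names PROTO_NAMES and the TOS/PREC recombination are assumptions noted in the code.

```python
"""Parse and cross-check Cisco MDS %IPACL-7-DENY log dumps (added example, not Cisco code)."""
import re
import struct
from dataclasses import dataclass, field
from typing import Optional

# Constructed samples: the guide's two dumps, rejoined onto one line each as a syslog
# collector would receive them.
INPUT_ACL_LINE = (
    "Jul 17 20:38:44 excal-2 %KERN-7-SYSTEM_MSG: %IPACL-7-DENY:IN=vsan1 OUT= "
    "MAC=10:00:00:05:30:00:47:df:10:00:00:05:30:00:8a:1f:aa:aa:03:00:00:00:08:00:45:00:00:54:00"
    ":00:40:00:40:01:0e:86:0b:0b:0b:0c:0b:0b:0b:02:08:00:ff:9c:01:15:05:00:6f:09:17:3f:80:02:01"
    ":00:08:09:0a:0b:0c:0d:0e:0f:10:11:12:13:14:15:16:17:18:19:1a:1b:1c:1d:1e:1f:20:21:22:23:24"
    ":25:26:27:28:29:2a:2b SRC=11.11.11.12 DST=11.11.11.2 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 "
    "DF PROTO=ICMP TYPE=8 CODE=0 ID=277 SEQ=1280"
)
OUTPUT_ACL_LINE = (
    "Jul 17 20:38:44 excal-2 %KERN-7-SYSTEM_MSG: %IPACL-7-DENY:IN= OUT=vsan1 "
    "SRC=11.11.11.2 DST=11.11.11.12 LEN=84 TOS=0x00 PREC=0x00 TTL=255 ID=38095 "
    "PROTO=ICMP TYPE=0 CODE=0 ID=277 SEQ=1280"
)

HEADER_RE = re.compile(
    r"^(?P<time>\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+"
    r"%KERN-7-SYSTEM_MSG:\s+%IPACL-(?P<sev>\d)-(?P<action>[A-Z]+):(?P<body>.*)$"
)
# LLC/SNAP header announcing an IPv4 payload (assumption); the IPv4 header starts right after it.
SNAP_IPV4 = bytes.fromhex("aaaa030000000800")
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}   # only ICMP appears in the guide; the rest is assumed


@dataclass
class IpaclEvent:
    time: str
    host: str
    action: str
    fields: dict                     # KEY=VALUE tokens; the second ID= is stored as ICMP_ID
    flags: set                       # bare tokens such as DF
    raw: Optional[bytes] = None      # decoded MAC= dump (input ACL only)
    decoded: dict = field(default_factory=dict)
    mismatches: list = field(default_factory=list)


def decode_raw(raw):
    """Locate the IPv4 packet inside the raw Layer 2 dump and decode its IPv4/ICMP headers."""
    off = raw.find(SNAP_IPV4)
    if off < 0:
        return {"error": "no LLC/SNAP IPv4 header in dump"}
    ip = raw[off + len(SNAP_IPV4):]
    if len(ip) < 20:
        return {"error": "IPv4 header truncated"}
    vihl, tos, tlen, ident, frag, ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    d = {"l2_header_len": off + len(SNAP_IPV4), "version": vihl >> 4, "ihl": (vihl & 0xF) * 4,
         "tos": tos, "total_len": tlen, "id": ident, "df": bool(frag & 0x4000), "ttl": ttl,
         "proto": proto, "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
         "captured_ip_bytes": len(ip)}
    if proto == 1 and len(ip) >= d["ihl"] + 8:   # ICMP echo header: type, code, csum, id, seq
        t, c, _csum, icmp_id, seq = struct.unpack("!BBHHH", ip[d["ihl"]:d["ihl"] + 8])
        d.update(icmp_type=t, icmp_code=c, icmp_id=icmp_id, icmp_seq=seq)
    return d


def cross_check(ev):
    """Return the fields where the switch's printed values disagree with the raw bytes."""
    d, f = ev.decoded, ev.fields
    if "error" in d:
        return [d["error"]]
    expect = {"SRC": d["src"], "DST": d["dst"], "LEN": str(d["total_len"]), "TTL": str(d["ttl"]),
              "ID": str(d["id"]), "PROTO": PROTO_NAMES.get(d["proto"], str(d["proto"]))}
    if "icmp_type" in d:
        expect.update(TYPE=str(d["icmp_type"]), CODE=str(d["icmp_code"]),
                      ICMP_ID=str(d["icmp_id"]), SEQ=str(d["icmp_seq"]))
    bad = [f"{k}: printed={f.get(k)!r} raw={v!r}" for k, v in expect.items() if f.get(k) != v]
    if d["df"] != ("DF" in ev.flags):
        bad.append("DF: printed flag and raw fragment bits disagree")
    # Assumption: TOS= and PREC= are the type-of-service and precedence parts of the one TOS byte.
    if int(f.get("TOS", "0"), 16) | int(f.get("PREC", "0"), 16) != d["tos"]:
        bad.append("TOS/PREC: printed values do not combine to the raw TOS byte")
    return bad


def parse_ipacl_line(line):
    """Split one log line into header, KEY=VALUE fields and flags, then decode any MAC= dump."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not an IPACL log line")
    fields, flags, after_proto = {}, set(), False
    for tok in m.group("body").split():
        if "=" not in tok:
            flags.add(tok)
            continue
        key, val = tok.split("=", 1)
        if key == "PROTO":
            after_proto = True
        elif key == "ID" and after_proto:
            key = "ICMP_ID"          # ID= appears twice: IPv4 identification, then ICMP echo id
        fields[key] = val
    ev = IpaclEvent(m.group("time"), m.group("host"), m.group("action"), fields, flags)
    if "MAC" in fields:
        ev.raw = bytes.fromhex(fields["MAC"].replace(":", ""))
        ev.decoded = decode_raw(ev.raw)
        ev.mismatches = cross_check(ev)
    return ev


def summary(ev):
    """One-line description suitable for a SIEM or a quick grep over the logfile."""
    f = ev.fields
    trunc = ""
    if ev.decoded and "error" not in ev.decoded:
        trunc = f" raw={len(ev.raw)}B ({ev.decoded['captured_ip_bytes']}/{ev.decoded['total_len']} IP bytes)"
    return (f"{ev.time} {ev.host} {ev.action} in={f.get('IN') or '-'} out={f.get('OUT') or '-'} "
            f"{f.get('SRC')}->{f.get('DST')} {f.get('PROTO')} type={f.get('TYPE')}/{f.get('CODE')}"
            f"{trunc} mismatches={len(ev.mismatches)}")


if __name__ == "__main__":
    for line in (INPUT_ACL_LINE, OUTPUT_ACL_LINE):
        print(summary(parse_ipacl_line(line)))
```

Run against the guide's dumps, the raw MAC= field decodes to 96 bytes: 24 bytes of Layer 2 header followed by the first 72 bytes of an 84-byte IPv4 packet, so the dump is a truncated prefix and the tail of the ICMP payload is not logged. Every printed field agrees with the raw bytes, and the two dumps pair up: the input dump is an ICMP echo request (TYPE=8) from 11.11.11.12 to 11.11.11.2 with ID=277 SEQ=1280, and the output dump is the echo reply (TYPE=0) in the opposite direction with the same identifier and sequence number. Because output-ACL entries carry no raw bytes, the cross-check is only possible on input-ACL entries.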
Applying an IP-ACL to an Interface
You can define IP-ACLs without applying them. However, the IP-ACLs will have no effect until they are applied to an interface on the switch. You can apply IP-ACLs to VSAN interfaces, the management interface, Gigabit Ethernet interfaces on IPS modules and MPS-14/2 modules, and Ethernet PortChannel interfaces.
Tip
Apply the IP-ACL on the interface closest to the source of the traffic. When you are trying to block traffic from source to destination, you can apply an inbound IPv4-ACL to M0 on Switch 1 instead of an outbound filter to M1 on Switch 3 (see Figure 33-1).