Cisco 350XG & 550XG Series 10G Stackable Managed Switches
Chapter 25: Access Control
Overview (page 537)
ACL Logging
This feature adds a logging option to ACEs. When the option is enabled on an ACE,
every packet that the ACE permits or denies generates an Informational SYSLOG
message describing it.
ACL logging takes effect per interface when the ACL is bound to that interface.
SYSLOG messages are then generated for packets that match the permit or deny
ACEs of the ACL bound to that interface.
A flow is defined as a stream of packets with identical characteristics, as follows:
• Layer 2 packets: identical source and destination MAC addresses
• Layer 3 packets: identical source and destination IP addresses
• Layer 4 packets: identical source and destination IP addresses and L4 port
For each new flow, the first packet trapped from a given interface generates an
Informational SYSLOG message. Subsequent packets of the same flow are still
trapped to the CPU, but SYSLOG messages for that flow are limited to one every
5 minutes; this message states that at least one packet of the flow was trapped
in the last 5 minutes.
After the trapped packet has been handled, it is forwarded if the ACE action is
permit and discarded if the action is deny.
The number of supported flows is as follows:
• 350 Family: 150 per unit
• 550 Family: 150 per unit in the stack
SYSLOGs
The SYSLOG messages have Informational severity and state whether the packet
matched a deny rule or a permit rule.
• For layer 2 packets, the SYSLOG includes (where applicable): source MAC,
destination MAC, Ethertype, VLAN ID, and CoS queue.
• For layer 3 packets, the SYSLOG includes (where applicable): source IP address,
destination IP address, protocol, DSCP value, ICMP type, ICMP code, and IGMP type.
• For layer 4 packets, the SYSLOG includes (where applicable): source port,
destination port, and TCP flags.
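The following model ties together the flow definition, the per-flow rate limit, the flow-table cap, and the per-layer message contents described above. It is an added example written for this page, not code or output from the Cisco guide or the switch firmware: the flow keys, the 5-minute limit and the 150-flow cap follow the text, while the message wording, the AclLogger and Packet names, and the assumptions that "L4 port" means both ports and that untracked flows beyond the cap produce no message are constructed for illustration. It is useful when sizing how many SYSLOG lines a logging ACE can generate on a busy interface, and why a single deny message does not indicate a single packet.

```python
"""Model of ACL logging: flow tracking, 5-minute rate limit, 150-flow cap.

Added example; message text is constructed, not the switch's real format.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

RATE_LIMIT_SECONDS = 5 * 60   # at most one SYSLOG per flow per 5 minutes (guide)
MAX_FLOWS = 150               # supported flows per unit (guide)


@dataclass(frozen=True)
class Packet:
    """Header fields an ACE can match on; None means 'not applicable'."""
    action: str                      # "permit" or "deny": the matching ACE's action
    src_mac: str
    dst_mac: str
    ethertype: int = 0x0800
    vlan: int = 1
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    proto: Optional[int] = None      # IP protocol number, e.g. 6 = TCP
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    tcp_flags: Optional[str] = None


def packet_layer(pkt: Packet) -> int:
    """Highest layer the packet carries: 2, 3 or 4."""
    if pkt.src_port is not None and pkt.dst_port is not None:
        return 4
    if pkt.src_ip is not None and pkt.dst_ip is not None:
        return 3
    return 2


def flow_key(pkt: Packet) -> Tuple:
    """Flow identity per layer as the guide defines it.
    Assumption: for layer 4, 'L4 port' is taken to mean both ports."""
    layer = packet_layer(pkt)
    if layer == 4:
        return ("L4", pkt.src_ip, pkt.dst_ip, pkt.src_port, pkt.dst_port)
    if layer == 3:
        return ("L3", pkt.src_ip, pkt.dst_ip)
    return ("L2", pkt.src_mac, pkt.dst_mac)


def describe(pkt: Packet) -> str:
    """A subset of the per-layer fields the guide lists, omitting those not
    applicable. Wording is constructed for this example."""
    layer = packet_layer(pkt)
    parts = [f"smac={pkt.src_mac}", f"dmac={pkt.dst_mac}",
             f"ethertype=0x{pkt.ethertype:04x}", f"vlan={pkt.vlan}"]
    if layer >= 3:
        parts += [f"sip={pkt.src_ip}", f"dip={pkt.dst_ip}", f"proto={pkt.proto}"]
    if layer == 4:
        parts += [f"sport={pkt.src_port}", f"dport={pkt.dst_port}"]
        if pkt.tcp_flags is not None:
            parts.append(f"flags={pkt.tcp_flags}")
    return " ".join(parts)


@dataclass
class FlowState:
    last_logged: float            # time of the most recent SYSLOG for this flow
    trapped_since_log: int = 0    # packets trapped but not yet reported


class AclLogger:
    """Per-interface ACL logging state: flow table plus rate limiter (hypothetical)."""

    def __init__(self, interface: str = "gi1/0/1") -> None:
        self.interface = interface
        self.flows: Dict[Tuple, FlowState] = {}

    def handle(self, pkt: Packet, now: float) -> Tuple[bool, Optional[str]]:
        """Process one packet trapped to the CPU by a logging ACE.
        Returns (forwarded, syslog_message_or_None)."""
        forwarded = pkt.action == "permit"   # permit forwards, deny discards
        key = flow_key(pkt)
        state = self.flows.get(key)
        msg = None
        if state is None:
            # First packet of a new flow: one message immediately, if there is
            # room in the flow table. Assumption: flows beyond the cap are not
            # tracked and produce no SYSLOG; forwarding is unaffected either way.
            if len(self.flows) < MAX_FLOWS:
                self.flows[key] = FlowState(last_logged=now)
                msg = (f"ACL-LOG/INFO {pkt.action.upper()} new flow on "
                       f"{self.interface}: {describe(pkt)}")
        else:
            # Known flow: count it, and report at most once per 5 minutes.
            state.trapped_since_log += 1
            if now - state.last_logged >= RATE_LIMIT_SECONDS:
                msg = (f"ACL-LOG/INFO {pkt.action.upper()} flow on "
                       f"{self.interface} trapped {state.trapped_since_log} "
                       f"packet(s) in the last 5 minutes: {describe(pkt)}")
                state.last_logged = now
                state.trapped_since_log = 0
        return forwarded, msg
```

Run a flow through `AclLogger.handle` at increasing timestamps: the first packet logs, the next ones within 300 seconds are counted silently, and the first packet at or after the 300-second mark emits one summary covering all of them. Because the 150-flow table is keyed on addresses and ports only, one host cycling source ports consumes table entries quickly, so a deny ACE with logging on an exposed interface should be sized with that in mind.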