Nexus 7000 and 7700 Series Switches Optimized ACL Logging Configuration Example

Similar documents
Configuring ACL Logging

Configuring System Message Logging

Configuring Logging for Access Lists

Configuring Session Manager

Configuring sflow. Information About sflow. sflow Agent. This chapter contains the following sections:

Configuring Rate Limits

Configuring Logging for Access Lists

Configuring Policy-Based Routing

Configuring WCCPv2. Information About WCCPv2. Send document comments to CHAPTER

Configuring Online Diagnostics

Configuring the Catena Solution

Configuring a MAC ACL

Connecting to the Management Network and Securing Access

Port ACLs (PACLs) Prerequisites for PACls CHAPTER

Configuring Local SPAN and ERSPAN

Implementing the ERSPAN Analytics Feature on Cisco Nexus 6000 Series and 5600 Platform Switches

Configuring Traffic Storm Control

Configuring IP Tunnels

Configuring Online Diagnostics

Configuring Static and Dynamic NAT Translation

Configuring Static and Dynamic NAT Translation

Configuring sflow. About sflow. sflow Agent

Configuring NTP. Information About NTP. Information About the NTP Server. This chapter contains the following sections:

Configuring Policy-Based Routing

Configuring Layer 3 Virtualization

Configuring ECMP for Host Routes

Configuring NTP. Information About NTP. This chapter contains the following sections:

This chapter describes how to configure the NetFlow feature on Cisco NX-OS devices.

This chapter describes how to configure the Network Time Protocol (NTP) on Cisco NX-OS devices. This chapter includes the following sections:

Configuring NTP. Information About NTP. Information About the NTP Server. This chapter contains the following sections:

Configuring an IP ACL

Configuring NTP. Information About NTP. Information About the NTP Server. This chapter contains the following sections:

Configuring Rate Limits

Configuring Traffic Storm Control

Configuring Network Security with ACLs

Managing the Unicast RIB and FIB, on page 5

Managing the Unicast RIB and FIB, page 5

V Commands. virtual ip, page 2 virtual ipv6, page 5 vrf, page 8. Cisco Nexus 7000 Series NX-OS Intelligent Traffic Director Command Reference 1

Nexus 7000 Series Switch Problem with Remote User Authentication via SSH with a TACACS account

Configuring Control Plane Policing

Configuring NTP. Information About NTP. This chapter contains the following sections:

Configuring Q-in-Q VLAN Tunnels

Configuring Tap Aggregation and MPLS Stripping

Configuring TAP Aggregation and MPLS Stripping

Configuring Q-in-Q VLAN Tunnels

Configuring TAP Aggregation and MPLS Stripping

Configuring IP ACLs. About ACLs

Configuring Classification

Implementing Access Lists and Prefix Lists

Configuring Static Routing

Send document comments to

Configuring System Message Logging

Configuring the Embedded Event Manager

PracticeTorrent. Latest study torrent with verified answers will facilitate your actual test

Configuring Port Channels

Python can also be accessed from the Bash shell. The Python interpreter is available in the Cisco NX-OS software.

Cisco Nexus 3000 Series NX-OS Security Configuration Guide, Release 6.x

Configuring EtherChannels

Configuring NTP. Information About NTP NTP. This chapter describes how to configure the Network Time Protocol (NTP) on Cisco MDS 9000 Series switches.

VLAN Access Control Lists

Configuring EtherChannels

Configuring Mutation Mapping

Using NAT in Overlapping Networks

Configuring Layer 2 Switching

Configuring Port Channels

22 Cisco IOS Commands for the Catalyst 4500 Series Switches interface

Configuring NetFlow. Understanding NetFlow CHAPTER

Cisco Nexus 1000V for KVM Security Configuration Guide, Release 5.x

Configuring NetFlow. About NetFlow. This chapter describes how to configure the NetFlow feature on Cisco NX-OS devices.

Configuring IP SLA UDP Jitter Operations

Using the Management Ethernet Interface

Understand Source MAC Address Field in Spanning-Tree PDUs on Nexus Series Switches

Configuring IGMP Snooping

Information about Network Security with ACLs

Configuring QoS on VLANs

vpc Configuration Synchronization

Using the Management Ethernet Interface

Using the Command-Line Interface

VLAN Access Control Lists

Configuring IPv4. Finding Feature Information. This chapter contains the following sections:

vpc Layer 3 Backup Routing with F1 and Peer Gateway

C Commands. Cisco Nexus 5500 Series NX-OS System Management Command Reference 1

Configuring Rate Limits

Configuring Private VLANs Using NX-OS

Lab Catalyst 2950 and 3550 Series Intra-VLAN Security

Lab - Troubleshooting Standard IPv4 ACL Configuration and Placement Topology

Configuring System Message Logging

Configuring NetFlow. Information About NetFlow. Send document comments to CHAPTER

Configuring IP TCP MSS

Cisco Prime Network Analysis Module (Cisco Prime NAM) for Nexus 1110 Installation and Configuration Guide

Configuring EEE. Finding Feature Information. This chapter describes how to configure Energy Efficient Ethernet (EEE) on Cisco NX-OS devices.

Configuring SPAN. About SPAN. SPAN Sources

Troubleshooting High CPU Utilization Due to the IP Input Process

Configuring Port Channels

Configuring Dynamic ARP Inspection

CCNA Course Access Control Lists

Configuring Priority Flow Control

Lab - Troubleshooting ACL Configuration and Placement Topology

Table of Contents. Cisco NAT Order of Operation

Configuring SPAN. Finding Feature Information. About SPAN. SPAN Sources

Transcription:

Nexus 7000 and 7700 Series Switches Optimized ACL Logging Configuration Example Document ID: 118907 Contributed by Richard Michael, Cisco TAC Engineer. Apr 15, 2015 Contents Introduction Prerequisites Requirements Components Used Background Information Configure Network Diagram Configurations Verify Troubleshoot Configuration Notes Detailed ACL Logging Global OAL Command Descriptions Logging Command Descriptions Guidelines and Limitations Introduction This document describes how to configure Optimized Access Control List (ACL) Logging (OAL) on the Cisco Nexus 7000 and 7700 Series switches. Prerequisites Requirements Cisco recommends that you have knowledge of Nexus configurations with basic ACLs before you attempt the configuration that is described in this document. Components Used The information in this document is based on these hardware and software versions: Cisco Nexus 7000 Series switches Cisco Nexus 7700 Series switches The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Background Information Logging enabled ACLs provide insight into traffic as it traverses the network or is dropped by network devices. Unfortunately, ACL logging can be CPU intensive and can negatively affect other functions of the network device. In order to reduce CPU cycles, the Cisco Nexus 7000 Series switch uses OALs. The use of OALs provides hardware support for ACL logging. The OAL permits or drops packets in the hardware and uses an optimized routine in order to send information to the Supervisor so that it can generate the logging messages. For example, when a packet hits an ACL with logging enabled while it is forwarded in the hardware, a copy of the packet is created in the hardware and the packet is punted to the Supervisor for logging in accordance with the time interval that is configured. Configure This section provides information that you can use in order to configure the Nexus switch for the use of OALs. In the example that is described in this section, there is a host at IP address 10.10.10.1 that sends traffic to another host at IP address 172.16.10.10 through a Nexus 7000 Series interface, which has an ACL with logging configured. Network Diagram The connection between the hosts and the Nexus 7000 Series switch occurs as per this topology: Configurations Complete these steps in order to configure the switch for the use of OALs: 1. Configure these global commands in order to enable OAL: logging ip access list cache entries 8000 logging ip access list cache interval 300 logging ip access list cache threshold 0 Here is an example: Nexus 7000# conf t Enter configuration commands, one per line. End with CNTL/Z. Nexus 7000(config)#logging ip access list cache entries 8000 Nexus 7000(config)#logging ip access list cache interval 300 Nexus 7000(config)#logging ip access list cache threshold 0

2. Apply this configuration for logging: logging level acllog <number> acllog match log level <number> logging logfile [name] <number> Here is an example: Nexus 7000(config)# logging level acllog 5 Nexus 7000(config)# acllog match log level 5 Nexus 7000(config)# logging logfile acllog 5 3. Configure the ACL in order to enable logging. The entries must be configured with the log keyword enabled, as shown in this example: Nexus 7000(config)# ip access list test1 Nexus 7000(config acl)# 10 permit ip 10.10.10.1/32 172.16.10.10/32 log Nexus 7000(config acl)# 20 deny ip any any log Nexus 7000(config acl)# Nexus 7000(config acl)#show ip access lists test1 IP access list test1 10 permit ip 10.10.10.1/32 172.16.10.10/32 log 20 deny ip any any log Nexus 7000(config acl)# 4. Apply the ACL that you configured in the previous step to the required interface: Verify Nexus 7000# conf t Enter configuration commands, one per line. End with CNTL/Z. Nexus 7000(config)# int ethernet 4/1 Nexus 7000(config if)# ip access group test1 in Nexus 7000(config if)# ip access group test1 out Nexus 7000(config if)# Nexus 7000(config if)# show run int ethernet 4/1!Command: show running config interface Ethernet4/1!Time: Mon Jun 30 16:30:38 2014 version 6.2(6) interface Ethernet4/1 ip access group test1 in ip access group test1 out ip address 10.10.10.2/24 no shutdown Nexus 7000(config if)# Use the information that is provided in this section in order to verify that your configuration works properly. In the example that is used in this document, the ping is initiated from the host at IP address 10.10.10.1 to the host at IP address 172.16.10.1. Enter the show logging ip access list cache command into the CLI in order to verify the traffic flow: Nexus 7000# show logging ip access list cache Src IP Dst IP S Port D Port Src Intf Protocol Hits 10.10.10.1 172.16.10.10 0 0 Ethernet4/1 (1)ICMP 368 Number of cache entries: 1 Nexus 7000# Nexus 7000# show logging ip access list status Max flow = 8000 Alert interval = 300 Threshold value = 0 Nexus 7000#

You can see the logging every 300 seconds, as this is the default time interval: Nexus 7000# show logging logfile 2014 Jun 29 19:19:01 Nexus 7000 %SYSLOG 1 SYSTEM_MSG : Logging logfile (acllog) cleared by user 2014 Jun 29 19:20:57 Nexus 7000 %VSHD 5 VSHD_SYSLOG_CONFIG_I: Configured from vty by admin on console0 2014 Jun 29 19:21:18 Nexus 7000 %ACLLOG 5 ACLLOG_FLOW_INTERVAL: Src IP: 10.1 0.10.1, Dst IP: 172.16.10.10, Src Port: 0, Dst Port: 0, Src Intf: Ethernet4/1, Pro tocol: "ICMP"(1), Hit count = 2589 2014 Jun 29 19:26:18 Nexus 7000 %ACLLOG 5 ACLLOG_FLOW_INTERVAL: Src IP: 10.1 0.10.1, Dst IP: 172.16.10.10, Src Port: 0, Dst Port: 0, Src Intf: Ethernet4/1, Pro tocol: "ICMP"(1), Hit count = 4561 Troubleshoot There is currently no specific troubleshooting information available for this configuration. Configuration Notes This section provides additional information about the configuration that is described in this document. Detailed ACL Logging In Nexus Operating System (NX OS) Releases 6.2(6) and later, detailed ACL logging is available. The feature logs this information: Source and destination IP addresses Source and destination ports Source interface Protocol ACL name ACL action (permit or deny) Applied interface Packet count Enter the logging ip access list detailed command into the CLI in order to enable detailed logging. Here is an example: Nexus 7000(config)# logging ip access list detailed ACL Log detailed Logging feature is enabled. Hit count of existing ACL Flow entry will be reset to zero and will contain Hit Count per ACL type Flow. Nexus 7000(config)# Here is an example logging output after detailed logging is enabled: 2014 Jul 18 02:20:38 Nexus7k 1 oal %ACLLOG 6 ACLLOG_FLOW_INTERVAL: Src IP: 10.10.10.1, Dst IP: 172.16.10.10, Src Port: 0, Dst Port: 0, Src Intf: Ethernet4/5, Protocol: "ICMP"(1), ACL Name: test1, ACE Action: Permit, Appl Intf: Ethernet4/5, Hit count: 69 Global OAL Command Descriptions This section describes the global OAL commands that are used in order to configure the Nexus 7000 Series switch for the use of OALs.

Command Switch(config)# logging ip access list cache {{entries number_of_entries} {interval seconds} {rate limit number_of_packets} {threshold number_of_packets}} Switch(config)# no logging ip access list cache {entries interval rate limit threshold} entries num_entries interval seconds threshold num_packets Description This command sets the OAL global parameters. This command reverts the OAL global parameters to the default settings. These parameters specify the maximum number of log entries that are cached in the software. The range is 0 to 1,048,576. The default value is 8,000 entries. These parameters specify the maximum time interval before an entry is sent to a syslog. The range is 5 to 86,400. The default value is 300 seconds. These parameters specify the number of packet matches (hits) before an entry is sent to a syslog. The range is 0 to 1,000,000. The default value is 0 packets (rate limiting is off), which means that the system log is not triggered by the number of packet matches. Note: The no form of these CLI commands only reverts the parameters to the default settings if they have been changed; it does not remove the configuration, as the Nexus 7000 Series switch only has the option of OAL. Logging Command Descriptions This section describes the logging commands that are used in order to configure the Nexus 7000 Series switch for the use of OALs. Command switch(config)# acllog match log level number Example: switch(config)# acllog match log level 3 Switch(config)# no acllog match log level number Example: switch(config)# no acllog match log level 6 Switch(config)# logging level facility severity level Example: switch(config)# logging level acllog 3 Switch(config)# no logging level [facility severity level] Example: switch(config)# no logging level acllog 3 Switch(config)# logging logfile logfile name severity level [size bytes] Example: switch(config)# logging logfile acllog 3 Description This command specifies the logging level that must be matched before entries are logged in the ACL log (acllog). The range is 0 to 7. The default is value is 6. This command reverts the logging level to the default setting (6). This command enables logging messages from the specified facility that have the specified severity level or higher. In the example that is used in this document, the acllog level is set to 3, whereas the default setting is 2. This command resets the logging severity level for the specified facility to its default level. If you do not specify a facility and severity level, the device resets all facilities to their default levels. In the example that is used in this document, the acllog is reverted to the default (2). This command configures the name of the log file that is used in order to store the system messages and the minimum severity level before logging occurs. You can optionally specify a maximum file size. The default severity level is 5, and the default file size is 10,485,760. This command disables logging to the log file.

Switch(config)# no logging logfile [logfile name severity level [size bytes]] Example: switch(config)# no logging logfile acllog 3 Note: In order for the log messages to be entered in the logs, the logging level for the ACL log facility (acllog) and the logging severity level for the logfile must be greater than or equal to the ACL log match log level setting. Guidelines and Limitations Here are some important guidelines and limitations that you should consider before you apply the configuration that is described in this document: The Nexus 7000 and 7700 Series switches support only OAL. ACL logging does not work with the ACL Capture feature. The log option in egress ACLs is not supported for multicast packets. Detailed logging support is not available for IPv6 packets. The logging level for the acllog facility and the logging logfile severity must be configured such that they are greater than or equal to the acllog match log level setting. Do not use the hardware access list capture command while OAL is used. When this command is used alongside OAL, and you enable ACL capture, a warning message appears in order to inform you that ACL logging is being disabled for all Virtual Device Contexts (VDCs). When you disable ACL capture, ACL logging is enabled. In order for this process to work properly, disable with the use of the no hardware access list capture command. Updated: Apr 15, 2015 Document ID: 118907

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback