Chapter 35
Configuring IPv4 and IPv6 Access Control Lists
S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m
Reading the IP-ACL Log Dump
Use the log-deny option at the end of a filter condition to log information about packets that match
dropped entries. The log output displays the ACL number, permit or deny status, and port information.
To capture these messages in a logging destination, you must configure severity level 7 for the kernel
Note
and ipacl facilities (see the
logging destination: logfile (see the
Severity Level" section on page
page
switch# config t
switch(config)# logging level kernel 7
switch(config)# logging level ipacl 7
switch(config)# logging logfile message 7
For the input ACL, the log displays the raw MAC information. The keyword "MAC=" does not refer to
showing an Ethernet MAC frame with MAC address information. It refers to the Layer 2 MAC-layer
information dumped to the log. For the output ACL, the raw Layer 2 information is not logged.
The following example is an input ACL log dump:
Jul 17 20:38:44 excal-2
%KERN-7-SYSTEM_MSG:
%IPACL-7-DENY:IN=vsan1 OUT=
MAC=10:00:00:05:30:00:47:df:10:00:00:05:30:00:8a:1f:aa:aa:03:00:00:00:08:00:45:00:00:54:00
:00:40:00:40:01:0e:86:0b:0b:0b:0c:0b:0b:0b:02:08:00:ff:9c:01:15:05:00:6f:09:17:3f:80:02:01
:00:08:09:0a:0b:0c:0d:0e:0f:10:11:12:13:14:15:16:17:18:19:1a:1b:1c:1d:1e:1f:20:21:22:23:24
:25:26:27:28:29:2a:2b SRC=11.11.11.12 DST=11.11.11.2 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0
DF PROTO=ICMP TYPE=8 CODE=0 ID=277 SEQ=1280
The following example is an output ACL log dump:
Jul 17 20:38:44 excal-2
%KERN-7-SYSTEM_MSG:
%IPACL-7-DENY:IN= OUT=vsan1 SRC=11.11.11.2 DST=11.11.11.12 LEN=84 TOS=0x00 PREC=0x00
TTL=255 ID=38095 PROTO=ICMP TYPE=0 CODE=0 ID=277 SEQ=1280
Applying an IP-ACL to an Interface
You can define IP-ACLs without applying them. However, the IP-ACLs will have no effect until they are
applied to an interface on the switch. You can apply IP-ACLs to VSAN interfaces, the management
interface, Gigabit Ethernet interfaces on IPS modules and MPS-14/2 modules, and Ethernet PortChannel
interfaces.
Tip
Apply the IP-ACL on the interface closest to the source of the traffic.
When you are trying to block traffic from source to destination, you can apply an inbound IPv4-ACL to
M0 on Switch 1 instead of an outbound filter to M1 on Switch 3 (see
OL-18084-01, Cisco MDS NX-OS Release 4.x
"Facility Severity Levels" section on page
52-4). For example:
"Log Files" section on page
52-4) or console (see the
Cisco MDS 9000 Family CLI Configuration Guide
Reading the IP-ACL Log Dump
52-5) and severity level 7 for the
52-6), monitor (see the
"Console Severity Level" section on
Figure
35-1).
"Monitor
35-9