ACL Logging - Not able to generate logs

Created Dec 31, 2017 02:00:36 | Latest reply Sep 16, 2018 20:23:32
  Rewarded E coins: 0 (problem resolved)
This post was last edited by user_2844477 at 2018-1-1 21:54.

Hi all,
I'm trying to log an ACL rule when it is hit, but I'm not able to do it.

What I need is: when there is a match on any rule of an ACL, switch need to generate a log like below.

This would be the expected output:

ACLE/4/ACLLOG:[STRING]

Parameter Name | Parameter Meaning
[STRING] | Indicates the ACL number, deny/permit rule, interface name, time range, source MAC address, destination MAC address, protocol type, source IP address, source port number in UDP or TCP packets, destination IP address, destination port number in UDP or TCP packets.

rule (advanced ACL view)
logging
Specifies the log recording IP information about packets that match the rule.
NOTE:
  • The logging only takes effect when the traffic-filter command references ACLs. (If the permit parameter is specified, the log does not record the IP information about packets.)
  • The logging only takes effect when deny is specified and the traffic-policy command references ACLs.


This is my configuration:

acl name ACL-OUT 3998 
rule 10 deny icmp logging 
rule 15 deny tcp destination-port eq www logging 
rule 20 permit ip logging
#
interface GigabitEthernet0/0/25 
port link-type access 
port default vlan 2030
stp bpdu-filter enable 
traffic-filter outbound acl name ACL-OUT 
undo lldp enable


I'm running VRP V200R010C00SPC600 on S6720.

I appreciate any help.

Martian_superman (Moderator)   Created Sep 16, 2018 20:23:32

Yes, S6720 can log ACL matches only in the inbound direction. It's a platform limitation.

But the ACL logging configuration is OK. You can test it in the inbound direction.

user_2844477     Created Jan 01, 2018 21:57:30

This post was last edited by user_2844477 at 2018-1-18 09:23.

I just found out that if I apply the ACL in the INBOUND direction, the log is generated.

Would this be a limitation of the Huawei switch? Is it only possible to log ACLs when they are applied in the outbound direction?

user_2844477     Created Jan 26, 2018 11:15:41

I was told by Huawei TAC that S6720 can log ACL matches only in the inbound direction. It's a platform limitation.
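The two reasons this thread gives for silent ACL logging (the documentation note that "logging" on a permit rule records no IP information, and the inbound-only behaviour reported by the moderator and by Huawei TAC) can be checked before a change window. The following is an added example, not code from the thread or from Huawei; it parses the VRP-style configuration posted above (re-typed here as constructed sample text) and reports both conditions. The S6720 inbound-only rule is an assumption taken from the replies and is a parameter, so it can be switched off for platforms where it does not apply.

```python
import re
# Constructed input: the configuration posted in the thread, typed in by hand
# as sample text for the checker (it is not read from a live device).
SAMPLE_CONFIG = """\
acl name ACL-OUT 3998
 rule 10 deny icmp logging
 rule 15 deny tcp destination-port eq www logging
 rule 20 permit ip logging
#
interface GigabitEthernet0/0/25
 port link-type access
 port default vlan 2030
 stp bpdu-filter enable
 traffic-filter outbound acl name ACL-OUT
 undo lldp enable
"""

def parse(config):
    """Collect ACL rules and traffic-filter bindings from VRP-style text."""
    acls, bindings, cur_acl, cur_if = {}, [], None, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"acl name (\S+)", line):
            cur_acl, cur_if = m.group(1), None
            acls[cur_acl] = []
        elif m := re.match(r"interface (\S+)", line):
            cur_if, cur_acl = m.group(1), None
        elif (m := re.match(r"rule (\d+) (permit|deny)\b(.*)", line)) and cur_acl:
            acls[cur_acl].append((int(m.group(1)), m.group(2), "logging" in m.group(3).split()))
        elif (m := re.match(r"traffic-filter (inbound|outbound) acl name (\S+)", line)) and cur_if:
            bindings.append((cur_if, m.group(1), m.group(2)))
    return acls, bindings

def check(config, inbound_only=True):
    """Explain why ACL logging would stay silent. inbound_only=True encodes the
    S6720 behaviour reported in the thread; the permit finding follows the
    documentation note on the 'logging' keyword quoted in the first post."""
    acls, bindings = parse(config)
    findings = []
    for ifname, direction, acl_name in bindings:
        rules = acls.get(acl_name)
        if rules is None:
            findings.append(f"{ifname}: traffic-filter references undefined ACL {acl_name}")
            continue
        if inbound_only and direction == "outbound":
            findings.append(f"{ifname}: {acl_name} applied outbound, no ACL logs will be generated")
        for rule_id, action, logged in rules:
            if logged and action == "permit":
                findings.append(f"{acl_name} rule {rule_id}: 'logging' on permit records no IP information")
    return findings
```

Running `check(SAMPLE_CONFIG)` on the posted configuration reports the outbound binding on GigabitEthernet0/0/25 and the permit rule 20; re-applying the ACL inbound leaves only the rule 20 finding.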
