548    BigIron RX Series Configuration Guide    53-1001986-01
21    Modifying ACLs

NOTE
Logging is not currently supported on management interfaces.

Enabling the new logging method

There are no new CLI commands to enable this new processing method; it takes effect automatically if the following items have been configured:

• Syslog logging is enabled.

    BigIron RX(config)#logging on

• The log option is added to an ACL statement, as in the following example.

    BigIron RX(config)#access-list 400 deny any any log-enabled

  or

    BigIron RX(config)#ip access-list standard hello
    BigIron RX(config-std-nacl)#deny any log

• The ip access-group enable-deny-logging command is enabled on an interface. If this command is not enabled, packets denied by ACLs are not logged.

    BigIron RX(config)#interface ethernet 5/1
    BigIron RX(config-if-e1000-5/1)#ip access-group enable-deny-logging

Syntax: ip access-group enable-deny-logging

Specifying the wait time

You can specify how long the system waits before it sends a message to the Syslog by entering a command such as the following.

    BigIron RX(config)# ip access-list logging-age 2

Syntax: ip access-list logging-age

Enter 1 – 10 minutes. The default is 5 minutes.

Modifying ACLs

When you configure any ACL, the software places the ACL entries in the ACL in the order you enter them. For example, if you enter the following entries in the order shown below, the software always applies the entries to traffic in the same order.

    BigIron RX(config)#access-list 1 deny 209.157.22.0/24
    BigIron RX(config)#access-list 1 permit 209.157.22.26

Thus, if a packet matches the first entry in this ACL and is therefore denied, the software does not compare the packet to the remaining ACL entries. In this example, packets from host 209.157.22.26 will always be dropped, even though packets from this host match the second entry.
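The first-match behaviour described above is easy to get wrong when an ACL grows. The following is an added example, not code from the configuration guide or from Brocade: it models a numbered standard ACL as an ordered list, evaluates a source address the way the switch does (stop at the first matching entry), and flags entries that can never match because an earlier entry already covers them, using the guide's access-list 1 as constructed input. The simple `access-list <n> permit|deny <source>` line format and the function names are assumptions of this example.

```python
"""First-match evaluation of an ordered standard ACL, with shadow detection.

Added example (not from the BigIron RX guide). Entries are applied in the
order entered and evaluation stops at the first match, so a later entry
whose source range lies inside an earlier entry's range is never consulted.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Network


@dataclass(frozen=True)
class Entry:
    action: str           # "permit" or "deny"
    source: IPv4Network   # matched source range; a bare host address is a /32


def parse_acl(lines):
    """Parse constructed lines of the form 'access-list <n> permit|deny <src>[/<len>]'."""
    entries = []
    for line in lines:
        _keyword, _number, action, src = line.split()
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action in: {line!r}")
        entries.append(Entry(action, ip_network(src, strict=False)))
    return entries


def evaluate(entries, src_ip):
    """Return (action, index) of the first entry matching src_ip, or None if no entry matches."""
    addr = ip_address(src_ip)
    for index, entry in enumerate(entries):
        if addr in entry.source:
            return entry.action, index   # first match wins; later entries are not compared
    return None


def shadowed_entries(entries):
    """Indexes of entries fully covered by a single earlier entry (they can never match).

    Coverage by the union of several earlier entries is not detected here.
    """
    return [
        i for i, entry in enumerate(entries)
        if any(entry.source.subnet_of(earlier.source) for earlier in entries[:i])
    ]


if __name__ == "__main__":
    # Constructed input reproducing the guide's access-list 1 example.
    acl = parse_acl(["access-list 1 deny 209.157.22.0/24",
                     "access-list 1 permit 209.157.22.26"])
    print("209.157.22.26 ->", evaluate(acl, "209.157.22.26"))   # denied by entry 0
    print("shadowed entry indexes:", shadowed_entries(acl))      # [1]
```

Reversing the two lines removes the shadow and lets the host-specific permit take effect, which `shadowed_entries` confirms by returning an empty list.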