Procedure for DNS Server Local Service Logging using Logrotate & Automate the Logging using Cron & Anacron Utilities.

1. Lets take a example.

   To start the logging in DNS using Local Service,
    We have to create a channel like query channel that sends the logs to
    local0 system service & we have put these logging statements in named.conf file.
  
          logging {
          channel queries_channel {
          syslog local0;
          severity dynamic;
          print-time yes;
          print-severity yes;
          };
          category queries { queries_channel; };
          };

2. Now, we edit rsyslog.conf file where local0 service listen all the query logs
     sends by DNS & save locally on the file.

        /var/log/query.log

    For this, the statements in /etc/rsyslog.conf are as follows:
    
          local0.*                         /var/log/query.log
   
    Then restart the rsyslog service as

        # service rsyslog restart

3. Now, we rotate this log file using logrotate utility.

    Our requirements for log rotation are as follows:

    a. We need to rotate the log on Daily basis.

    b. We need the Max File Size is of 100 MB only & thereafter again create the
          new 100 MB file with next set of logs.

    c. While rotating the logs on daily basis, copy the present date logs to                   another file & start the main log file (/var/log/query.log) with zero data.

    d. Rotate the Logs for 30 days.

    e. Take the Backup of Logs in the Directory like /var/log/rsyslog/

    f.  If the file size exceed more than 100M then the next file is start with
          .1 & therefore .2, .3, .4 in this way.

    g. Save the 30 days log files as compressed files.
    
     So, to achieve this, we use logrotate utility.

    So, move to /etc/logrotate.d/ folder.

       # cd /etc/logrotate.d/

    Create a new file as rsyslog

        # vi rsyslog

    & Put the below code in this file to achieve our log rotation requirements.

       /var/log/queries222.log {
          daily
          maxsize=100M
          copytruncate
          rotate 30
          olddir /var/log/rsyslog
          start 1
          missingok
          compress
          }

    To make the Log Rotation effective at this moment, run the command as:

        # logrotate -f /etc/logrotate.conf

    which start the rotation for this time.

4. The Logrotate is work combination-ally with cron or anacron to make it
     automatically on daily or weekly or monthly basis.

    So, to achieve this we need to modify the /etc/anacrontab file.

    Open the file & do the following changes on it.

        # /etc/anacrontab

   # See anacron(8) and anacrontab(5) for details.

       SHELL=/bin/sh
         PATH=/sbin:/bin:/usr/sbin:/usr/bin
         MAILTO=root

   # The maximal random delay added to the base delay of the jobs

       RANDOM_DELAY=0

   # The jobs will be started during the following hours only

START_HOURS_RANGE=1-23

   # Period in days   delay in minutes   job-identifier   command

    1                 0                       cron.daily     nice run-parts /etc/cron.daily
     7                      25                           cron.weekly     nice run-parts /etc/cron.weekly
     @monthly        45                           cron.monthly   nice run-parts /etc/cron.monthly

  At last restart the crond service as:

       # service crond restart
          # chkconfig crond on

  The Procedure for Log rotation is completed.

  Thanks
  Saurabh Srivastava

L2 and L3 ACL's on WLC

This Document will help you to understand and configure the Access Control Lists

(Layer2 and Layer3) on Cisco Wireless Controller.

Access Control List - As the name suggests, it is a way of controlling the access/permission of the user (or service) as per our requirement.

An ACL is a list of access control entries (ACE). Each ACE in an ACL identified a trustee and specified the access rights allowed, denied or audited for that trustee.

An access list is list of conditions that categorise packets, and are really helpful when you need to exercise control over network traffic.

For example, you can set them to make very specific decisions about regulating traffic patterns so that they’ll only allow certain hosts to access web resources on the Internet while restricting others. As for instance, if a server has an ACL that contains (Sam: read, write (full access); Mike: read), this would give Sam permission to read and write the file and Mike to only read it.

Layer 3 Access Control List - It is a security feature that allows packet filtering based on IP addresses. We can configure the L3 ACL on WLC as follows:

Go to Security>Access control lists>Access Control lists.

Check the Enable Counter box to get the number of hits on all configured ACL's.

To Create the new ACL,

Go to –New> “Access Control list name” and ACL Type-IPv4 or IPv6.

IPv6 ACL is configured in the same way as IPv4.

Fig-1

After creating the ACL by providing the name, rules need to be added.

In Cisco controller, 64 ACL’s can be defined, each with up to 64 rules (or filters).

To add the new rule, sequence number, source, destination, protocol, DSCP, Direction and action needs to be provided.

i.               Sequence - It can be any number between 1-64.

ii.              Source - It can be any specific IP segment or any.

iii.            Destination - It can be any specific IP segment or any.

iv.            Protocol - It can be TCP, UDP, IP, OSPF etc.

v.              DSCP - It will tell the QOS property.

vi.            Direction - Direction of the ACL in respect of WLC. If the traffic is coming from wireless clients to WLC then it is called Inbound and if the traffic is going from WLC to wireless clients, then it is called Outbound.

vii.           Action - Action is the actual result of the Sequence match that is when the sequence is matched then either it can be Deny or Permit.

Note: If the value of Source and destinations are ‘Any’ then the direction can be incoming or outgoing; But If either of the value of source or destination is not Any, then direction of the filter must be given, and an inverse statement in the opposite direction must be created (With destination becomes source and vice-versa).

Fig-2

After creating of ACL, it can be put on Interfaces as shown in Fig-2.

                                  

Note: - ACL on the interface can be override under WLANs>WLAN>Advanced>Override interface ACL.

Layer 2 Access Control List - Layer 2 protocols can be permitted or denied using L2 ACL.

The Maximum ACE (Access Control Entries) per L2 ACL is 16; i.e., one L2 ACL can contain up to 16 Access Control Entries.

Below is the list of some L2 Protocols available in ACL configuration in controller: -

i.               ARP (Address Resolution Protocol)

ii.              WOL (Wake-On-LAN)

iii.            LLDP (Link Layer Discovery Protocol)

iv.            CDP (Cisco Proprietary)

v.              IPv6 (Internet Protocol Version 6)

To create the L2 ACL –

Go to Security>Layer 2 ACL's>Click New> “Access Control List Name”

Fig-3

After ACL creation, ACEs/Rules can be added.

Fig-4

L2 protocols which are present in Wireless controller, can be denied or permitted.

Custom protocols can also be added.

Fig-5

Suppose, CDP (Custom) protocol needs to be permitted or denied then Ether Type (in the drop down list) needs to be mentioned as Custom and then provide the Ether Type and Ether Mask field for the protocol (like CDP Ether type is 2000 in Hexadecimal format).

Fig-6

After creation of L2 ACL it needs to applied to the WLAN.

Fig-7

Reference: -

http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/71978-acl-wlc.html

http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/81733-contr-acls-rle.html

https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872%28v=vs.85%29.aspx

http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-6/configuration-guide/b_cg76/b_cg76_chapter_0110101.html