Administrator Guide

ManualsBrandsDell ManualsComputer equipmentForce10 Z9000

121

122

123

124

125

126

127

128

129

130

packets that exceeded the logging threshold value during that interval is logged when the subsequent

log record (in the next interval) is generated for that ACL entry.

• When you delete an ACL entry, the logging settings associated with it are also removed.

• ACL logging is supported for standard and extended IPv4 ACLs, IPv6 ACLs, and standard and extended

MAC ACLs.

• For ACL entries applied on port-channel interfaces, one match index for every member interface of

the port-channel interface is assigned. Therefore, the total available match indices of 251 are split (125

match indices for permit action and 126 match indices for the deny action).

• You can configure ACL logging only on ACLs that are applied to ingress interfaces; you cannot enable

logging for ACLs on egress interfaces.

• The total available match rule indices is 255 with four match indices used by other modules, leaving

251 indices available for ACL logging.

Configuring ACL Logging

This functionality is supported on the Z9000 platform.

To configure the maximum number of ACL log messages to be generated and the frequency at which

these messages must be generated, perform the following steps:

NOTE: This example describes the configuration of ACL logging for standard IP access lists. You can

enable the logging capability for standard and extended IPv4 ACLs, IPv6 ACLs, and standard and

extended MAC ACLs.

1. Specify the maximum number of ACL logs or the threshold that can be generated by using the

threshold-in-msgs count option with the seq, permit, or deny commands. Upon exceeding the

specified maximum limit, the generation of ACL logs is terminated. You can enter a threshold in the

range of 1-100. By default, 10 ACL logs are generated if you do not specify the threshold explicitly.

CONFIG-STD-NACL mode

seq sequence-number {deny | permit} {source [mask] | any | host ip-address}

[log [threshold-in-msgs count] ]

2. Specify the interval in minutes at which ACL logs must be generated. You can enter an interval in the

range of 1-10 minutes. The default frequency at which ACL logs are generated is 5 minutes. If ACL

logging is stopped because the configured threshold has exceeded, it is re-enabled after the logging

interval period elapses. ACL logging is supported for standard and extended IPv4 ACLs, IPv6 ACLs,

and standard and extended MAC ACLs. Configure ACL logging only on ACLs that are applied to

ingress interfaces; you cannot enable logging for ACLs that are associated with egress interfaces.

CONFIG-STD-NACL mode

seq sequence-number {deny | permit} {source [mask] | any | host ip-address}

[log [interval minutes]]

Flow-Based Monitoring Support for ACLs

Flow-based monitoring is supported on the Z9000 platform.

Flow-based monitoring conserves bandwidth by monitoring only the specified traffic instead of all traffic

on the interface. It is available for Layer 2 and Layer 3 ingress traffic. You can specify traffic using standard

or extended access-lists. This mechanism copies incoming packets that matches the ACL rules applied

on the ingress port and forwards (mirrors) them to another port. The source port is the monitored port

(MD) and the destination port is the monitoring port (MG).

124

Access Control Lists (ACLs)