API Guide

App                  Allocated pools  App group  Configured rules  Used rows  Free rows  Max rows
--------------------------------------------------------------------------------------------------
USER_L2_ACL_EGRESS   Shared:1         G1         1                 2          254        256
USER_IPV4_EGRESS     Shared:1         G0         1                 2          254        256
USER_IPV6_EGRESS     Shared:2         G2         1                 2          254        256
Known behavior
On the S4200-ON platform, the show acl-table-usage detail command output lists several hardware pools as
available (FREE), but an "ACL CAM table full" warning is logged when the system tries to create a new service pool, and
the new service pool is not created. Existing groups, however, can continue to grow up to the maximum available pool
space.
On the S4200-ON platform, the show acl-table-usage detail command output lists all the available hardware pools
under the Ingress ACL utilization table and none under the Egress ACL utilization table. The system allocates pool space
for the Egress ACL table only when you configure egress ACLs. After you configure an egress ACL, run the
show acl-table-usage detail command again to view the pool space allocated under the Egress ACL utilization table.
On the S52xx-ON, Z91xx-ON, and Z92xx-ON platforms, the Configured rules count listed under Service Pools for each
feature is the number of ACLs multiplied by the number of ports on which they are applied, and it is cumulative across
features. The Used rows and Free rows columns show the space actually consumed and still available in the hardware.
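Because an ACL CAM exhaustion shows up operationally as the "ACL CAM table full" warning rather than as a rejected configuration line, it is worth watching the Used rows and Free rows columns before that point. The following is an added example, not part of the OS10 documentation or OS10 code: it parses the egress table shown above (reproduced here as a constructed sample, with whitespace-separated columns assumed) and flags any app whose free rows drop below a chosen percentage. The function names and the 10% threshold are this example's own choices.

```python
"""Parse `show acl-table-usage detail` rows and flag low free-row capacity.

Added example, not OS10 code. Assumes each data row has seven
whitespace-separated columns in the order shown on the page:
App, Allocated pools, App group, Configured rules, Used rows, Free rows, Max rows.
"""
import re

# Constructed sample: the three egress rows from the page, as emitted by the CLI.
SAMPLE_OUTPUT = """\
App                  Allocated pools  App group  Configured rules  Used rows  Free rows  Max rows
--------------------------------------------------------------------------------------------------
USER_L2_ACL_EGRESS   Shared:1         G1         1                 2          254        256
USER_IPV4_EGRESS     Shared:1         G0         1                 2          254        256
USER_IPV6_EGRESS     Shared:2         G2         1                 2          254        256
"""

# One data row: three non-space tokens followed by four integer columns.
ROW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")


def parse_usage(text):
    """Return a list of dicts, one per data row; header/separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # column header, dashed separator, or blank line
        app, pools, group, cfg, used, free, mx = m.groups()
        rows.append({
            "app": app, "pools": pools, "group": group,
            "configured": int(cfg), "used": int(used),
            "free": int(free), "max": int(mx),
        })
    return rows


def check_capacity(rows, min_free_pct=10.0):
    """Return (app, reason) tuples for rows that are inconsistent or nearly full.

    A row is inconsistent if Used rows + Free rows != Max rows; otherwise it is
    flagged when fewer than min_free_pct percent of its rows remain free.
    """
    findings = []
    for r in rows:
        if r["used"] + r["free"] != r["max"]:
            findings.append((r["app"], "used+free != max"))
            continue
        free_pct = 100.0 * r["free"] / r["max"]
        if free_pct < min_free_pct:
            findings.append((r["app"], f"only {free_pct:.1f}% rows free"))
    return findings


if __name__ == "__main__":
    rows = parse_usage(SAMPLE_OUTPUT)
    for r in rows:
        print(f'{r["app"]:<20} used={r["used"]:>4} free={r["free"]:>4} max={r["max"]:>4}')
    print("findings:", check_capacity(rows))
```

Run the parser against the saved output of the command (for example, captured over SSH by a monitoring job) and alert on any non-empty findings list; the Configured rules column is deliberately not used for the capacity decision, since on the platforms noted above it counts ACLs times ports rather than hardware rows.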
ACL logging
You can configure ACLs to filter traffic, dropping or forwarding packets that match certain conditions. The ACL logging
feature gives you additional information about packets that match an access control list entry (ACE) applied to an interface
in the inbound direction. When a matching packet hits a log-enabled ACL entry, OS10 creates a log message that includes
this additional information about the packet.
ACL logging helps you administer and manage the traffic that traverses your network, and is useful for network supervision
and maintenance.
High volumes of network traffic can produce a large volume of logs, which can degrade system performance, so log
generation is rate limited by a threshold and an interval.
You can specify the threshold after which a log message is created and the interval during which logging is halted after each
message.
The threshold defines how often a log message is created after an initial packet match. The default is 10 messages; the value
is configurable in the range 1 to 100 messages.
The interval defaults to 5 minutes, so by default a log message is created at most every 5 minutes. During the interval the
system continues to evaluate packets against the configured ACL rule and permits or denies traffic as configured, but logging
is halted temporarily. The interval is configurable in the range 1 to 10 minutes.
For example, with a threshold of 20 and an interval of 10 minutes: after an initial packet match, the 20th packet that matches
the ACL entry is logged. The system then waits for the 10-minute interval to elapse, during which no logging occurs. Once
the interval has elapsed, the 20th packet that matches the ACL entry is logged again.
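The interaction of the two knobs is easier to see on a concrete packet stream. The following is an added example written for this page, not OS10 code: it models the threshold-and-interval behaviour described above and replays a constructed stream of matching packets through it. Two details the text leaves open are treated as assumptions here and marked as such in the code: that the initial match itself is logged, and that packets arriving while logging is halted are filtered but not counted toward the next threshold. The class and function names are this example's own.

```python
"""Model of the OS10 ACL logging threshold and interval (added example, not OS10 code).

Assumptions not stated on the page:
  * the initial match after the log-enabled ACE is installed produces a log;
  * matches seen while logging is halted are still permitted/denied but are not
    counted, and counting restarts once the interval has elapsed.
Timestamps are in seconds; the OS10 interval knob is expressed in minutes.
"""
from dataclasses import dataclass, field

THRESHOLD_RANGE = range(1, 101)  # OS10: 1..100 messages, default 10
INTERVAL_RANGE = range(1, 11)    # OS10: 1..10 minutes, default 5


@dataclass
class AclLogLimiter:
    threshold: int = 10
    interval_min: int = 5
    _count: int = field(default=0, init=False)
    _initial_logged: bool = field(default=False, init=False)
    _halted_until: float = field(default=-1.0, init=False)

    def __post_init__(self):
        if self.threshold not in THRESHOLD_RANGE:
            raise ValueError(f"threshold {self.threshold} outside 1-100 messages")
        if self.interval_min not in INTERVAL_RANGE:
            raise ValueError(f"interval {self.interval_min} outside 1-10 minutes")

    def match(self, t_sec: float) -> bool:
        """Record one packet that hit the log-enabled ACE at time t_sec.

        Returns True if a log message would be emitted for this packet. The
        permit/deny action is applied regardless of the return value.
        """
        if not self._initial_logged:
            self._initial_logged = True  # assumed: the initial match is logged
            self._count = 0
            return True
        if t_sec < self._halted_until:
            return False  # logging halted for the interval; packet still filtered
        self._count += 1
        if self._count >= self.threshold:
            self._count = 0
            self._halted_until = t_sec + self.interval_min * 60
            return True
        return False


def logged_indices(timestamps, threshold=10, interval_min=5):
    """Return the indices (into timestamps) of the matches that produce a log."""
    limiter = AclLogLimiter(threshold, interval_min)
    return [i for i, t in enumerate(timestamps) if limiter.match(t)]


# Constructed stream: 41 matches 3 s apart, then 20 more after the 10-minute
# interval from the previous log has elapsed (the page's threshold 20 / interval 10 case).
BURST_1 = [i * 3 for i in range(41)]        # 0 s .. 120 s
BURST_2 = [690 + i * 3 for i in range(20)]  # 690 s .. 747 s
SAMPLE_STREAM = BURST_1 + BURST_2

if __name__ == "__main__":
    print(logged_indices(SAMPLE_STREAM, threshold=20, interval_min=10))  # [0, 20, 60]
```

On the sample stream the initial match (index 0) is logged, the 20th subsequent match (index 20, at 60 s) is logged and starts the 10-minute halt, the matches at 63 s through 120 s are filtered silently, and the 20th match after the halt (index 60) is logged again. Lowering the threshold to 1 turns the limiter into "one log per interval", which is the setting to reach for when a denied-packet log is being used as an alert rather than as a packet count.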
Important notes
The ACL logging feature is:
Applicable only to IPv4 and IPv6 user ACLs. MAC ACLs are not logged.
Applicable only to user ACLs applied to interfaces in the inbound direction. If you configure logging on an outbound ACL,
the ACL itself is still applied but no log messages are generated.
If ACL logging is enabled, a downgrade from release 10.4.3.0 to an earlier release fails and the corresponding ACL rules are
not applied. Before you downgrade, disable ACL logging or delete the startup configuration.
Access Control Lists
1127