Addendum

The ACL application sends the ACL logging configuration information and other details, such as the
action, sequence number, and the ACL parameters that pertain to that ACL entry. The ACL service
collects the ACL log records and records the following attributes per log message.
For non-IP packets, the ACL name, sequence number, ACL action (permit or deny), source and
destination MAC addresses, EtherType, and ingress interface are the logged attributes.
For IP Packets, the ACL name, sequence number, ACL action (permit or deny), source and destination
MAC addresses, source and destination IP addresses, the transport layer protocol used are the logged
attributes.
For IP packets that contain the transport layer protocol as Transmission Control Protocol (TCP) or
User Datagram Protocol (UDP), the ACL name, sequence number, ACL action (permit or deny), source
and destination MAC addresses, source and destination IP addresses, and the source and destination
port (which are Layer 4 parameters) are also recorded.
If the packet contains an unidentified EtherType or transport layer protocol, the values for these
parameters are saved as Unknown in the log message. If you also enable the count of packets for the ACL
entry for which you configured logging, and if logging is deactivated in a specific interval because the
threshold was exceeded, the count of packets that exceeded the logging threshold value during that
interval is logged when the subsequent log record is generated for that ACL entry in a different window
or interval.
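The following Python is an added illustration, not code from the configuration guide or the switch software: it models the per-packet-class attribute set and the threshold carry-over described above. The Packet class, the field names, the EtherType/protocol tables and the threshold/interval parameters are assumptions chosen for the model, not the switch's actual log format.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed lookup tables (subset); anything not listed is logged as "Unknown".
KNOWN_ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}
KNOWN_PROTOS = {1: "ICMP", 6: "TCP", 17: "UDP"}

@dataclass
class Packet:  # hypothetical decoded-packet view handed to the logger
    src_mac: str
    dst_mac: str
    ethertype: int
    in_iface: str
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    proto: Optional[int] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None

def build_record(acl: str, seq: int, action: str, pkt: Packet, exceeded: int = 0) -> dict:
    """Assemble the attribute set the addendum lists for each packet class."""
    rec = {"acl": acl, "seq": seq, "action": action,
           "src_mac": pkt.src_mac, "dst_mac": pkt.dst_mac}
    if pkt.ethertype != 0x0800:                   # non-IP: EtherType + ingress interface
        rec["ethertype"] = KNOWN_ETHERTYPES.get(pkt.ethertype, "Unknown")
        rec["in_iface"] = pkt.in_iface
    else:                                         # IP: addresses + transport protocol
        rec.update(src_ip=pkt.src_ip, dst_ip=pkt.dst_ip,
                   proto=KNOWN_PROTOS.get(pkt.proto, "Unknown"))
        if pkt.proto in (6, 17):                  # TCP/UDP: Layer 4 ports as well
            rec.update(src_port=pkt.src_port, dst_port=pkt.dst_port)
    if exceeded:                                  # packets suppressed in an earlier interval
        rec["exceeded_count"] = exceeded
    return rec

class AclLogger:
    """At most `threshold` records per entry per `interval`; extra hits are counted and reported once."""
    def __init__(self, threshold: int, interval: float):
        self.threshold, self.interval = threshold, interval
        self.state = {}  # (acl, seq) -> [window_start, emitted_in_window, suppressed]

    def hit(self, acl: str, seq: int, action: str, pkt: Packet, now: float) -> Optional[dict]:
        st = self.state.setdefault((acl, seq), [now, 0, 0])
        if now - st[0] >= self.interval:          # new window: re-arm logging for this entry
            st[0], st[1] = now, 0
        if st[1] >= self.threshold:               # logging deactivated for this window
            st[2] += 1
            return None
        st[1] += 1
        rec = build_record(acl, seq, action, pkt, exceeded=st[2])
        st[2] = 0                                 # carried count is reported in one record only
        return rec
```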
Guidelines for Configuring ACL Logging
This functionality is supported on the S4810, S4820T, Z9000, I/O Aggregator and MXL platforms.
Keep the following points in mind when you configure logging of ACL activities:
During initialization, the ACL logging application tags the ACL rule indices for which a match
condition exists as being in-use, which ensures that the same rule indices are not reused by ACL
logging again.
The ACL configuration information that the ACL logging application receives from the ACL manager
causes the allocation and clearance of the match rule number. A unique match rule number is
created for the combination of each ACL entry, sequence number, and interface parameters.
A separate set of match indices is preserved by the ACL logging application for the permit and deny
actions. Depending on the action of an ACL entry, the corresponding match index is allocated from
the particular set that is maintained for permit and deny actions.
The maximum number of ACL entries with permit action that can be logged is 125. The maximum
number of ACL entries with deny action that can be logged is 126.
For virtual ACL entries, the same match rule number is reused. Similarly, when an ACL entry is deleted
that was previously enabled for ACL logging, the match rule number used by it is released back to the
pool or set of match indices that is present so that it can be reused for subsequent allocations.
The ACL logging application saves the allocated match rule number in the ACL entry itself so that it
can be reused when the ACL entry is reprogrammed due to CAM changes.
The allocated match rule number for an ACL entry is associated with an FP entry and saved in the
system. A timer control starts when an FP entry is added to the system or CPU with the logging
option, and the timer stops when the ACL entry is deleted. The ACL logger module obtains the ACL
name, sequence number, and interface index from the match rule index contained in the packet.
A maximum of 15 ACL entries or records can be saved in the space that is allocated for ACL logging.
Access Control Lists