Manualshelf

Addendum

ManualsBrandsDell ManualsComputer equipmentForce10 Z9000
41424344454647484950
A timer control of 30 seconds is present in the ACL agent module, the expiry of which causes the log
records that are collocted until that time are transmitted to the ACL manager for logging. An inter-
process communication (IPC) message is sent to the ACL manager by the ACL agent when a
maximum of 15 records are collected or the 30-second timer period is exceeded.
If you enabled the count of packets for the ACL entry for which you configured logging, and if the
logging is deactivated in a specific interval owing to the threshold being exceeded, the count of
packets that exceeded the logging threshold value during that interval is logged when the subsequent
log record is generated for that ACL entry in a different window or interval.
When you delete an ACL entry, the logging settings associated with it are also removed.
ACL logging is supported for standard and extended IPv4 ACLs, IPv6 ACLs, and standard and extended
MAC ACLs.
For ACL entries applied on port-channel interfaces, one match index for every member interface of
the port-channel interface is assigned. Therefore, the total available match indices of 251 are split (125
match indices for permit action and 126 match indices for the deny action).
You can configure ACL logging only on ACLs that are applied to ingress interfaces; you cannot enable
logging for ACLs that are associated with egress interfaces.
The total uniquely available match rule indices is 255 with four match indices used by other modules,
leaving 51 indices available for ACL logging.
Configuring ACL Logging
This functionality is supported on the S4810, S4820T, Z9000, I/O Aggregator and MXL platforms.
To configure the maximum number of ACL log messages to be generated and the frequency at which
these messages must be generated, perform the following:
NOTE: This example describes the configuration of ACL logging for standard IP access lists. You can
enable the logging capability for standard and extended IPv4, IPv6, and standard and extended MAC
ACLs.
1. Specify the maximum number of ACL logs or the threshold that can be generated by using the
threshold-in-msgs count option with the seq, permit, or deny commands. Upon exceeding the
specified maximum limit, the generation of ACL logs is terminated. You can enter a threshold in the
range of 1-100. By default, 10 ACL logs are generated if you do not specify the threshold explicitly.
CONFIG-STD-NACL mode
seq sequence-number {deny | permit} {source [mask] | any | host ip-address}
[count [byte]] [order] [fragments] [log [threshold-in-msgs count] ]
2. Specify the interval in minutes at which ACL logs must be generated. You can enter an interval in the
range of 1-10 minutes. The default frequency at which ACL logs are generated is 5 minutes. If ACL
logging is stopped because the configured threshold is exceeded, it is reenabled after the logging
interval period elapses. ACL logging is supported for standard and extended IPv4 ACLs, IPv6 ACLs,
and standard and extended MAC ACLs. Configure ACL logging only on ACLs that are applied to
ingress interfaces; you cannot enable logging for ACLs that are associated with egress interfaces.
CONFIG-STD-NACL mode
seq sequence-number {deny | permit} {source [mask] | any | host ip-address}
[count [byte]] [order] [fragments] [log [interval minutes]]
Access Control Lists
47