Administrator Guide

Layer 2 Switching Commands 263

classifier rule. The ACL logging feature allows these hardware hit counts to be

collected on a per-rule basis and reported periodically to the network

administrator using the system logging facility and an SNMP trap.

The Dell Networking ACL permit/deny rule specification supports a log

parameter that enables hardware hit count collection and reporting.

Depending on platform capabilities, logging can be specified for deny rules,

permit rules, or both. A five minute logging interval is used, at which time

trap log entries are written for each ACL logging rule that accumulated a

nonzero hit count during that interval. The logging interval is not user

configurable.

How to Build ACLs

This section describes how to build ACLs that are less likely to exhibit false

matches.

Administrators are cautioned to specify ACL access-list, permit and deny rule

criteria as fully as is possible in order to avoid false matches. As an example,

rules that specify a TCP or UDP port value should also specify the TCP or

UDP protocol and the IPv4 or IPv6 Ether type. Rules that specify an IP

protocol should also specify the Ether type value for the frame. In general, any

rule that specifies matching on an upper layer protocol field should also

include matching constraints for each of the lower layer protocols. For

example, a rule to match packets directed to the well-known UDP port

number 22 (SSH) should also include matching constraints on the IP

protocol field (protocol = 0x11 or UDP) and the Ether type field (Ether type

= 0x0800 or IPv4). In Table 3-1 is a list of commonly used Ether types and, in

Table 3-2 commonly used IP protocol numbers.

2CSNXXX_SWUM204.book Page 263 Monday, January 25, 2016 1:25 PM