Administrator Guide

ManualsBrandsDell ManualsAccess PlatformsPowerSwitch S3048-ON

121

122

123

124

125

126

127

128

129

130

Configuring ACL Logging

This functionality is supported on the platform.

To configure the maximum number of ACL log messages to be generated and the frequency at which these messages must be generated,

perform the following steps:

NOTE: This example describes the configuration of ACL logging for standard IP access lists. You can enable the logging

capability for standard and extended IPv4 ACLs, IPv6 ACLs, and standard and extended MAC ACLs.

1. Specify the maximum number of ACL logs or the threshold that can be generated by using the threshold-in-msgs count

option with the seq, permit, or deny commands. Upon exceeding the specified maximum limit, the generation of ACL logs is

terminated. You can enter a threshold in the range of 1-100. By default, 10 ACL logs are generated if you do not specify the threshold

explicitly.

CONFIG-STD-NACL mode

seq sequence-number {deny | permit} {source [mask] | any | host ip-address} [log [threshold-

in-msgs count] ]

2. Specify the interval in minutes at which ACL logs must be generated. You can enter an interval in the range of 1-10 minutes. The

default frequency at which ACL logs are generated is 5 minutes. If ACL logging is stopped because the configured threshold has

exceeded, it is re-enabled after the logging interval period elapses. ACL logging is supported for standard and extended IPv4 ACLs,

IPv6 ACLs, and standard and extended MAC ACLs. Configure ACL logging only on ACLs that are applied to ingress interfaces; you

cannot enable logging for ACLs that are associated with egress interfaces.

CONFIG-STD-NACL mode

seq sequence-number {deny | permit} {source [mask] | any | host ip-address} [log [interval

minutes]]

Flow-Based Monitoring

Flow-based monitoring conserves bandwidth by monitoring only the specified traffic instead of all traffic on the interface. It is available for

Layer 3 ingress traffic. You can specify the traffic that needs to be monitored using standard or extended access-lists. The flow-based

monitoring mechanism copies packets that matches the ACL rules applied on the port and forwards (mirrors) them to another port. The

source port is the monitored port (MD) and the destination port is the monitoring port (MG).

When a packet arrives at a port that is being monitored, the packet is validated against the configured ACL rules. If the packet matches an

ACL rule, the system examines the corresponding flow processor to perform the action specified for that port. If the mirroring action is set

in the flow processor entry, the destination port details, to which the mirrored information must be sent, are sent to the destination port.

Behavior of Flow-Based Monitoring

You can activate flow-based monitoring for a monitoring session using the flow-based enable command in the Monitor Session

mode. When you enable this flow-based monitoring, traffic with particular flows that are traversing through the interfaces are examined in

accordance with the applied ACLs. By default, flow-based monitoring is not enabled.

There are two ways in which you can enable flow-based monitoring in Dell EMC Networking OS. You can create an ACL and apply that

ACL either to an interface that needs to be monitored or apply it in the monitor session context. If you apply the monitor ACL to an

interface, the Dell EMC Networking OS mirrors the ingress traffic with an implicit deny applied at the end of the ACL. If you apply the ACL

to the monitor section context, the Dell EMC Networking OS mirrors the ingress traffic with an implicit permit applied at the end of the

ACL. This enables the other traffic to flow without being blocked by the ACL.

When you apply an ACL within the monitor session, it is applied to all source interfaces configured in the monitor session.

The Dell EMC Networking OS honors any permit or deny actions of the ACL rules used for flow-based mirroring. Packets that match a

mirror ACL rule is denied or forwarded depending on the rule but the packet is mirrored. However, the user ACL has precedence over the

mirror ACL.

The same source interface can be part of multiple monitor sessions.

Flow-based monitoring is supported for SPAN, RSPAN, and ERSPAN sessions. If there are overlapping rules between ACLs applied on

different monitor sessions, the session with the highest monitor session ID takes precedence.

NOTE: You can apply only IPv4 ACL rules under monitor session context.

You must specify the monitor option with the permit, deny, or seq command for ACLs that are assigned to the source or the

monitored port (MD) to enable the evaluation and replication of traffic that is traversing to the destination port. Enter the keyword

monitor with the seq, permit, or deny command for the ACL rules to allow or drop IPv4, IPv6, ARP, UDP, EtherType, ICMP, and

122

Access Control Lists (ACLs)