Users Guide
Route maps also have an “implicit deny.” Unlike ACLs and prex lists; however, where the packet or trac is dropped, in route maps, if a
route does not match any of the route map conditions, the route is not redistributed.
The implementation of route maps allows route maps with the no match or no set commands. When there is no match command, all trac
matches the route map and the set command applies.
Logging of ACL Processes
This functionality is supported on the platform.
To assist in the administration and management of trac that traverses the device after being validated by the congured ACLs, you can
enable the generation of logs for access control list (ACL) processes. Although you can congure ACLs with the required permit or deny
lters to provide access to the incoming packet or disallow access to a particular user, it is also necessary to monitor and examine the
trac that passes through the device. To evaluate network trac that is subjected to ACLs, congure the logs to be triggered for ACL
operations. This functionality is primarily needed for network supervision and maintenance activities of the handled subscriber trac.
When ACL logging is congured, and a frame reaches an ACL-enabled interface and matches the ACL, a log is generated to indicate that
the ACL entry matched the packet.
When you enable ACL log messages, at times, depending on the volume of trac, it is possible that a large number of logs might be
generated that can impact the system performance and eciency. To avoid an overload of ACL logs from being recorded, you can
congure the rate-limiting functionality. Specify the interval or frequency at which ACL logs must be triggered and also the threshold or
limit for the maximum number of logs to be generated. If you do not specify the frequency at which ACL logs must be generated, a default
interval of 5 minutes is used. Similarly, if you do not specify the threshold for ACL logs, a default threshold of 10 is used, where this value
refers to the number of packets that are matched against an ACL .
A Layer 2 or Layer 3 ACL contains a set of dened rules that are saved as ow processor (FP) entries. When you enable ACL logging for a
particular ACL rule, a set of specic ACL rules translate to a set of FP entries. You can enable logging separately for each of these FP
entries, which relate to each of the ACL entries congured in an ACL. Dell EMC Networking OS saves a table that maps each ACL entry
that matches the ACL name on the received packet, sequence number of the rule, and the interface index in the database. When the
congured maximum threshold has exceeded, log generation stops. When the interval at which ACL logs are congured to be recorded
expires, a fresh interval timer starts and the packet count for that new interval commences from zero. If ACL logging was stopped
previously because the congured threshold has exceeded, it is reenabled for this new interval.
The ACL application sends the ACL logging conguration information and other details, such as the action, sequence number, and the ACL
parameters that pertain to that ACL entry. The ACL service collects the ACL log and records the following attributes per log message.
• For non-IP packets, the ACL name, sequence number, ACL action (permit or deny), source and destination MAC addresses, EtherType,
and ingress interface are the logged attributes.
• For IP Packets, the ACL name, sequence number, ACL action (permit or deny), source and destination MAC addresses, source and
destination IP addresses, and the transport layer protocol used are the logged attributes.
• For IP packets that contain the transport layer protocol as Transmission Control Protocol (TCP) or User Datagram Protocol (UDP), the
ACL name, sequence number, ACL action (permit or deny), source and destination MAC addresses, source and destination IP
addresses, and the source and destination ports (Layer 4 parameters) are also recorded.
If the packet contains an unidentied EtherType or transport layer protocol, the values for these parameters are saved as Unknown in the
log message. If you also enable the logging of the count of packets in the ACL entry, and if the logging is deactivated in a specic interval
because the threshold has exceeded, the count of packets that exceeded the logging threshold value during that interval is recorded when
the subsequent log record (in the next interval) is generated for that ACL entry.
Access Control Lists (ACLs)
139