Users Guide

ManualsBrandsDell ManualsAccess PlatformsPowerSwitch S4048T-ON

111

112

113

114

115

116

117

118

119

120

NOTE: This example describes the configuration of ACL logging for standard IP access lists. You can enable the logging

capability for standard and extended IPv4 ACLs, IPv6 ACLs, and standard and extended MAC ACLs.

1. Specify the maximum number of ACL logs or the threshold that can be generated by using the threshold-in-msgs count

option with the seq, permit, or deny commands. Upon exceeding the specified maximum limit, the generation of ACL logs is

terminated. You can enter a threshold in the range of 1-100. By default, 10 ACL logs are generated if you do not specify the threshold

explicitly.

CONFIG-STD-NACL mode

seq sequence-number {deny | permit} {source [mask] | any | host ip-address} [log [threshold-

in-msgs count] ]

2. Specify the interval in minutes at which ACL logs must be generated. You can enter an interval in the range of 1-10 minutes. The

default frequency at which ACL logs are generated is 5 minutes. If ACL logging is stopped because the configured threshold has

exceeded, it is re-enabled after the logging interval period elapses. ACL logging is supported for standard and extended IPv4 ACLs,

IPv6 ACLs, and standard and extended MAC ACLs. Configure ACL logging only on ACLs that are applied to ingress interfaces; you

cannot enable logging for ACLs that are associated with egress interfaces.

CONFIG-STD-NACL mode

seq sequence-number {deny | permit} {source [mask] | any | host ip-address} [log [interval

minutes]]

Flow-Based Monitoring Support for ACLs

Flow-based monitoring conserves bandwidth by monitoring only the specified traffic instead of all traffic on the interface. It is available for

Layer 2 and Layer 3 ingress traffic. You can specify traffic using standard or extended access-lists. This mechanism copies incoming

packets that matches the ACL rules applied on the ingress port and forwards (mirrors) them to another port. The source port is the

monitored port (MD) and the destination port is the monitoring port (MG).

The port mirroring application maintains and performs all the monitoring operations on the chassis. ACL information is sent to the ACL

manager, which in turn notifies the ACL agent to add entries in the CAM area. Duplicate entries in the ACL are not saved.

When a packet arrives at a port that is being monitored, the packet is validated against the configured ACL rules. If the packet matches an

ACL rule, the system examines the corresponding flow processor to perform the action specified for that port. If the mirroring action is set

in the flow processor entry, the destination port details, to which the mirrored information must be sent, are sent to the destination port.

When a stack unit is reset or a stack unit undergoes a failure, the ACL agent registers with the port mirroring application. The port

mirroring utility downloads the monitoring configuration to the ACL agent. The interface manager notifies the port mirroring application

about the removal of an interface when an ACL entry associated with that interface to is deleted.

Behavior of Flow-Based Monitoring

Activate flow-based monitoring for a monitoring session by entering the flow-based enable command in the Monitor Session mode.

When you enable this capability, traffic with particular flows that are traversing through the ingress interfaces are examined, and

appropriate ACLs can be applied in the ingress direction. By default, flow-based monitoring is not enabled.

You must specify the monitor option with the permit, deny, or seq command for ACLs that are assigned to the source or the

monitored port (MD) to enable the evaluation and replication of traffic that is traversing to the destination port. Enter the keyword

monitor with the seq, permit, or deny command for the ACL rules to allow or drop IPv4, IPv6, ARP, UDP, EtherType, ICMP, and

TCP packets. The ACL rule describes the traffic that you want to monitor, and the ACL in which you are creating the rule will be applied to

the monitored interface. Flow monitoring is supported for standard and extended IPv4 ACLs, standard and extended IPv6 ACLs, and

standard and extended MAC ACLs.

CONFIG-STD-NACL mode

seq sequence-number {deny | permit} {source [mask] | any | host ip-address} [count [byte]]

[order] [fragments] [log [threshold-in-msgs count]] [monitor]

If the number of monitoring sessions increases, inter-process communication (IPC) bandwidth utilization will be high. The ACL manager

might require a large bandwidth when you assign an ACL, with many entries, to an interface.

The ACL agent module saves monitoring details in its local database and also in the CAM region to monitor packets that match the

specified criterion. The ACL agent maintains data on the source port, the destination port, and the endpoint to which the packet must be

forwarded when a match occurs with the ACL entry.

If you configure the flow-based enable command and do not apply an ACL on the source port or the monitored port, both flow-

based monitoring and port mirroring do not function. Flow-based monitoring is supported only for ingress traffic and not for egress

packets.

114

Access Control Lists (ACLs)