Users Guide
When ACL logging is configured, and a frame reaches an ACL-enabled interface and matches the ACL, a log is generated to
indicate that the ACL entry matched the packet.
When you enable ACL log messages, at times, depending on the volume of traffic, it is possible that a large number of logs
might be generated that can impact the system performance and efficiency. To avoid an overload of ACL logs from being
recorded, you can configure the rate-limiting functionality. Specify the interval or frequency at which ACL logs must be
triggered and also the threshold or limit for the maximum number of logs to be generated. If you do not specify the frequency
at which ACL logs must be generated, a default interval of 5 minutes is used. Similarly, if you do not specify the threshold for
ACL logs, a default threshold of 10 is used, where this value refers to the number of packets that are matched against an ACL .
A Layer 2 or Layer 3 ACL contains a set of defined rules that are saved as flow processor (FP) entries. When you enable ACL
logging for a particular ACL rule, a set of specific ACL rules translate to a set of FP entries. You can enable logging separately
for each of these FP entries, which relate to each of the ACL entries configured in an ACL. Dell Networking OS saves a table
that maps each ACL entry that matches the ACL name on the received packet, sequence number of the rule, and the interface
index in the database. When the configured maximum threshold has exceeded, log generation stops. When the interval at
which ACL logs are configured to be recorded expires, a fresh interval timer starts and the packet count for that new interval
commences from zero. If ACL logging was stopped previously because the configured threshold has exceeded, it is reenabled
for this new interval.
The ACL application sends the ACL logging configuration information and other details, such as the action, sequence number,
and the ACL parameters that pertain to that ACL entry. The ACL service collects the ACL log and records the following
attributes per log message.
• For non-IP packets, the ACL name, sequence number, ACL action (permit or deny), source and destination MAC addresses,
EtherType, and ingress interface are the logged attributes.
• For IP Packets, the ACL name, sequence number, ACL action (permit or deny), source and destination MAC addresses,
source and destination IP addresses, and the transport layer protocol used are the logged attributes.
• For IP packets that contain the transport layer protocol as Transmission Control Protocol (TCP) or User Datagram Protocol
(UDP), the ACL name, sequence number, ACL action (permit or deny), source and destination MAC addresses, source and
destination IP addresses, and the source and destination ports (Layer 4 parameters) are also recorded.
If the packet contains an unidentified EtherType or transport layer protocol, the values for these parameters are saved as
Unknown in the log message. If you also enable the logging of the count of packets in the ACL entry, and if the logging is
deactivated in a specific interval because the threshold has exceeded, the count of packets that exceeded the logging
threshold value during that interval is recorded when the subsequent log record (in the next interval) is generated for that ACL
entry.
Guidelines for Configuring ACL Logging
This functionality is supported on the S4820T platform.
Keep the following points in mind when you configure logging of ACL activities:
• During initialization, the ACL logging application tags the ACL rule indices for which a match condition exists as being in-
use, which ensures that the same rule indices are not reused by ACL logging again.
• The ACL configuration information that the ACL logging application receives from the ACL manager causes the allocation
and clearance of the match rule number. A unique match rule number is created for the combination of each ACL entry,
sequence number, and interface parameters.
• A separate set of match indices is preserved by the ACL logging application for the permit and deny actions. Depending on
the action of an ACL entry, the corresponding match index is allocated from the particular set that is maintained for permit
and deny actions.
• A maximum of 125 ACL entries with permit action can be logged. A maximum of 126 ACL entries with deny action can be
logged.
Access Control Lists (ACLs) 128