Administrator Guide
Implementation Information
ACLs and prefix lists can only drop or forward the packet or traffic. Route maps process routes for route redistribution. For example, a
route map can be called to filter only specific routes and to add a metric.
Route maps also have an “implicit deny.” Unlike ACLs and prefix lists; however, where the packet or traffic is dropped, in route maps, if a
route does not match any of the route map conditions, the route is not redistributed.
The implementation of route maps allows route maps with the no match or no set commands. When there is no match command, all
traffic matches the route map and the set command applies.
Flow-Based Monitoring
Flow-based monitoring conserves bandwidth by monitoring only the specified traffic instead of all traffic on the interface. It is available for
Layer 3 ingress traffic. You can specify the traffic that needs to be monitored using standard or extended access-lists. The flow-based
monitoring mechanism copies packets that matches the ACL rules applied on the port and forwards (mirrors) them to another port. The
source port is the monitored port (MD) and the destination port is the monitoring port (MG).
When a packet arrives at a port that is being monitored, the packet is validated against the configured ACL rules. If the packet matches an
ACL rule, the system examines the corresponding flow processor to perform the action specified for that port. If the mirroring action is set
in the flow processor entry, the destination port details, to which the mirrored information must be sent, are sent to the destination port.
Behavior of Flow-Based Monitoring
You can activate flow-based monitoring for a monitoring session using the flow-based enable command in the Monitor Session
mode. When you enable this flow-based monitoring, traffic with particular flows that are traversing through the interfaces are examined in
accordance with the applied ACLs. By default, flow-based monitoring is not enabled.
There are two ways in which you can enable flow-based monitoring in Dell EMC Networking OS. You can create an ACL and apply that
ACL either to an interface that needs to be monitored or apply it in the monitor session context. If you apply the monitor ACL to an
interface, the Dell EMC Networking OS mirrors the ingress traffic with an implicit deny applied at the end of the ACL. If you apply the ACL
to the monitor section context, the Dell EMC Networking OS mirrors the ingress traffic with an implicit permit applied at the end of the
ACL. This enables the other traffic to flow without being blocked by the ACL.
When you apply an ACL within the monitor session, it is applied to all source interfaces configured in the monitor session.
The Dell EMC Networking OS honors any permit or deny actions of the ACL rules used for flow-based mirroring. Packets that match a
mirror ACL rule is denied or forwarded depending on the rule but the packet is mirrored. However, the user ACL has precedence over the
mirror ACL.
The same source interface can be part of multiple monitor sessions.
Flow-based monitoring is supported for SPAN, RSPAN, and ERSPAN sessions. If there are overlapping rules between ACLs applied on
different monitor sessions, the session with the highest monitor session ID takes precedence.
NOTE:
You can apply only IPv4 ACL rules under monitor session context.
You must specify the monitor option with the permit, deny, or seq command for ACLs that are assigned to the source or the
monitored port (MD) to enable the evaluation and replication of traffic that is traversing to the destination port. Enter the keyword
monitor with the seq, permit, or deny command for the ACL rules to allow or drop IPv4, IPv6, ARP, UDP, EtherType, ICMP, and
TCP packets. The ACL rule describes the traffic that you want to monitor, and the ACL in which you are creating the rule is applied to the
monitored interface. Flow monitoring is supported for standard and extended IPv4 ACLs, standard and extended IPv6 ACLs, and standard
and extended MAC ACLs.
CONFIG-STD-NACL mode
seq sequence-number {deny | permit} {source [mask] | any | host ip-address} [count [byte]]
[order] [fragments] [log [threshold-in-msgs count]] [monitor]
If you configure the flow-based enable command and do not apply an ACL on the source port or the monitored port, both flow-
based monitoring and port mirroring do not function.
You cannot apply the same ACL to an interface or a monitoring session context simultaneously.
The port mirroring application maintains a database that contains all monitoring sessions (including port monitor sessions). It has
information regarding the sessions that are enabled for flow-based monitoring and those sessions that are not enabled for flow-based
monitoring. It downloads monitoring configuration to the ACL agent whenever the ACL agent is registered with the port mirroring
application or when flow-based monitoring is enabled.
116
Access Control Lists (ACLs)