Addendum
4
Access Control Lists
This chapter describes the access control list (ACL) enhancements and contains the following sections:
• Logging of ACL Processes
Logging of ACL Processes
This functionality is supported on the S4810, S4820T, Z9000, I/O Aggregator and MXL platforms.
To assist in streamlined, robust administration and management of traffic that traverses the device after
being validated by the configured ACLs, you can enable the generation of logs for access control list
(ACL) processes. Although you can configure ACLs with the required permit or deny filters to provide
access to the incoming packet or disallow access to a particular user, it is also necessary to monitor and
examine the traffic that passes through the device. To enable such a mechanism to evaluate network
traffic that is subjected to ACLs, you can configure the logs to be triggered for ACL operations. This
functionality is primarily needed for network supervision and maintenance activities of the handled
subscriber traffic.
If you configure logging for an ACL, then whenever a frame arriving at an interface to which that ACL is
applied matches an ACL entry that has logging enabled, a log is generated with details about the ACL
entry that matched the packet.
A packet flow through a network path is defined by the source and destination IP addresses, protocol,
and ports. Because the source port might differ for a new connection between the same two hosts, a new
flow might be created rather than the existing flow being reused.
When you enable the generation of ACL log messages, depending on the volume of traffic, a large number
of logs might be generated, which can impact system performance and efficiency. To avoid a storm of ACL
logs from being recorded, you can configure rate limiting to safeguard the system. You can specify the
interval or frequency at which ACL logs are triggered and also the threshold, the maximum number of logs
to be generated in that interval. If you do not specify the frequency at which ACL logs must be
generated, a default interval of 5 minutes is used. Similarly, if you do not specify the threshold for ACL
logs, a default threshold of 10 is used, where this value refers to the number of packets that are matched
against an ACL.
A Layer 2 or Layer 3 ACL contains a set of defined rules that are saved as flow processor (FP) entries.
When you enable ACL logging for a particular ACL rule, a set of specific ACL rules translate to a set of FP
entries. You can enable logging for each of these FP entries separately, which relates to each of the ACL
entries configured in an ACL. For each ACL entry, the Dell Networking OS saves a table that maps each
ACL entry that matches the received packet with the ACL name, sequence number of the rule, and the
interface index in the database. When the configured maximum threshold is exceeded, log generation
stops. When the configured ACL logging interval expires, a fresh interval timer starts and the packet
count for the new interval starts from zero. If ACL logging was stopped because the threshold was
exceeded, it is re-enabled for the new interval.
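The following Python script is an added illustration, not Dell Networking OS code, of the interval and threshold behaviour described above together with the per-entry mapping (ACL name, sequence number, interface index) and the five-tuple flow definition. The defaults are the ones the text gives (5-minute interval, threshold of 10 matched packets); the ACL name, interface index, addresses and ports in the sample events are constructed values, and the log line format is an assumption, since the page does not show the actual message text.

```python
"""Simulation of ACL log rate limiting (constructed example, not vendor code)."""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str
    src_port: int
    dst_port: int


def flow_key(pkt: Packet) -> Tuple[str, str, str, int, int]:
    """A flow is defined by source/destination IP, protocol and ports, so a
    new source port between the same two hosts yields a new flow."""
    return (pkt.src_ip, pkt.dst_ip, pkt.proto, pkt.src_port, pkt.dst_port)


@dataclass(frozen=True)
class AclEntry:
    """What the text says is stored per logging-enabled entry: ACL name,
    rule sequence number and interface index."""
    acl_name: str
    seq: int
    ifindex: int


class AclLogRateLimiter:
    """Emits at most `threshold` logs per `interval_s` seconds.

    Defaults follow the text: 5 minutes and 10 matched packets. When a new
    interval begins, the counter restarts from zero and logging is re-enabled.
    """

    def __init__(self, interval_s: float = 300.0, threshold: int = 10) -> None:
        self.interval_s = interval_s
        self.threshold = threshold
        self._window_start: Optional[float] = None
        self._count = 0
        self.suppressed = 0  # matches that hit the ACL but produced no log

    def on_match(self, entry: AclEntry, pkt: Packet, now: float) -> Optional[str]:
        # Start a fresh interval if none exists or the current one has expired.
        if self._window_start is None or now - self._window_start >= self.interval_s:
            self._window_start = now
            self._count = 0
        self._count += 1
        if self._count > self.threshold:      # threshold exceeded: logging stopped
            self.suppressed += 1
            return None
        # Assumed message layout; the real OS format is not shown on the page.
        return (f"ACL {entry.acl_name} seq {entry.seq} ifindex {entry.ifindex} "
                f"matched flow {flow_key(pkt)}")


def simulate(events: Iterable[Tuple[float, AclEntry, Packet]],
             interval_s: float = 300.0, threshold: int = 10) -> Tuple[List[str], int]:
    """Feed (timestamp, entry, packet) matches through the limiter."""
    limiter = AclLogRateLimiter(interval_s, threshold)
    logs = [line for line in (limiter.on_match(e, p, t) for t, e, p in events)
            if line is not None]
    return logs, limiter.suppressed


def example_events() -> List[Tuple[float, AclEntry, Packet]]:
    # Constructed sample: 15 matches within the first interval, then one more
    # match after the 5-minute interval has expired.
    entry = AclEntry("INBOUND-ACL", 10, 1)
    pkt = Packet("10.0.0.5", "192.0.2.10", "tcp", 40000, 22)
    events = [(float(t), entry, pkt) for t in range(15)]
    events.append((300.0, entry, pkt))
    return events


if __name__ == "__main__":
    emitted, dropped = simulate(example_events())
    for line in emitted:
        print(line)
    print(f"suppressed {dropped} matches")
```

With the defaults, the first ten matches are logged, the next five are suppressed, and the match at 300 seconds is logged again because a fresh interval has started; two packets between the same hosts that differ only in source port produce different flow keys.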