Users Guide
• If you enabled the count of packets for the ACL entry for which you congured logging, and if the logging is deactivated in a
specic interval owing to the threshold having exceeded, the count of packets that exceeded the logging threshold value during
that interval is logged when the subsequent log record (in the next interval) is generated for that ACL entry.
• When you delete an ACL entry, the logging settings associated with it are also removed.
• ACL logging is supported for standard and extended IPv4 ACLs, IPv6 ACLs, and standard and extended MAC ACLs.
• For ACL entries applied on port-channel interfaces, one match index for every member interface of the port-channel interface is
assigned. Therefore, the total available match indices of 251 are split (125 match indices for permit action and 126 match indices
for the deny action).
• You can congure ACL logging only on ACLs that are applied to ingress interfaces; you cannot enable logging for ACLs on egress
interfaces.
• The total available match rule indices is 255 with four match indices used by other modules, leaving 251 indices available for ACL
logging.
Conguring ACL Logging
This functionality is supported on the S4810 platform.
To congure the maximum number of ACL log messages to be generated and the frequency at which these messages must be
generated, perform the following steps:
NOTE: This example describes the conguration of ACL logging for standard IP access lists. You can enable the logging
capability for standard and extended IPv4 ACLs, IPv6 ACLs, and standard and extended MAC ACLs.
1. Specify the maximum number of ACL logs or the threshold that can be generated by using the threshold-in-msgs
count option with the seq, permit, or deny commands. Upon exceeding the specied maximum limit, the generation of ACL
logs is terminated. You can enter a threshold in the range of 1-100. By default, 10 ACL logs are generated if you do not specify
the threshold explicitly.
CONFIG-STD-NACL mode
seq sequence-number {deny | permit} {source [mask] | any | host ip-address} [log
[threshold-in-msgs count] ]
2. Specify the interval in minutes at which ACL logs must be generated. You can enter an interval in the range of 1-10 minutes. The
default frequency at which ACL logs are generated is 5 minutes. If ACL logging is stopped because the congured threshold has
exceeded, it is re-enabled after the logging interval period elapses. ACL logging is supported for standard and extended IPv4
ACLs, IPv6 ACLs, and standard and extended MAC ACLs. Congure ACL logging only on ACLs that are applied to ingress
interfaces; you cannot enable logging for ACLs that are associated with egress interfaces.
CONFIG-STD-NACL mode
seq sequence-number {deny | permit} {source [mask] | any | host ip-address} [log
[interval minutes]]
Flow-Based Monitoring Support for ACLs
Flow-based monitoring is supported on the S4810 platform.
Flow-based monitoring conserves bandwidth by monitoring only the specied trac instead of all trac on the interface. It is
available for Layer 2 and Layer 3 ingress trac. You can specify trac using standard or extended access-lists. This mechanism
copies incoming packets that matches the ACL rules applied on the ingress port and forwards (mirrors) them to another port. The
source port is the monitored port (MD) and the destination port is the monitoring port (MG).
The port mirroring application maintains and performs all the monitoring operations on the chassis. ACL information is sent to the
ACL manager, which in turn noties the ACL agent to add entries in the CAM area. Duplicate entries in the ACL are not saved.
When a packet arrives at a port that is being monitored, the packet is validated against the congured ACL rules. If the packet
matches an ACL rule, the system examines the corresponding ow processor to perform the action specied for that port. If the
mirroring action is set in the ow processor entry, the destination port details, to which the mirrored information must be sent, are
sent to the destination port.
140
Access Control Lists (ACLs)