Configuring Acl Logging - Dell S4820T Configuration Manual
Hide thumbs
Also See for S4820T:
- Manual (60 pages) ,
- Installation manual (59 pages) ,
- Configuration manual (1178 pages)
Table of Contents
Advertisement
•
A maximum of 125 ACL entries with permit action can be logged. A maximum of 126 ACL entries with
deny action can be logged.
•
For virtual ACL entries, the same match rule number is reused. Similarly, when an ACL entry is deleted
that was previously enabled for ACL logging, the match rule number used by it is released back to the
pool or available set of match indices so that it can be reused for subsequent allocations.
•
If you enabled the count of packets for the ACL entry for which you configured logging, and if the
logging is deactivated in a specific interval owing to the threshold having exceeded, the count of
packets that exceeded the logging threshold value during that interval is logged when the subsequent
log record (in the next interval) is generated for that ACL entry.
•
When you delete an ACL entry, the logging settings associated with it are also removed.
•
ACL logging is supported for standard and extended IPv4 ACLs, IPv6 ACLs, and standard and extended
MAC ACLs.
•
For ACL entries applied on port-channel interfaces, one match index for every member interface of
the port-channel interface is assigned. Therefore, the total available match indices of 251 are split (125
match indices for permit action and 126 match indices for the deny action).
•
You can configure ACL logging only on ACLs that are applied to ingress interfaces; you cannot enable
logging for ACLs on egress interfaces.
•
The total available match rule indices is 255 with four match indices used by other modules, leaving
251 indices available for ACL logging.
Configuring ACL Logging
This functionality is supported on the S4820T platform.
To configure the maximum number of ACL log messages to be generated and the frequency at which
these messages must be generated, perform the following steps:
NOTE: This example describes the configuration of ACL logging for standard IP access lists. You can
enable the logging capability for standard and extended IPv4 ACLs, IPv6 ACLs, and standard and
extended MAC ACLs.
1.
Specify the maximum number of ACL logs or the threshold that can be generated by using the
threshold-in-msgs count option with the seq, permit, or deny commands. Upon exceeding the
specified maximum limit, the generation of ACL logs is terminated. You can enter a threshold in the
range of 1-100. By default, 10 ACL logs are generated if you do not specify the threshold explicitly.
CONFIG-STD-NACL mode
seq sequence-number {deny | permit} {source [mask] | any | host ip-address}
[log [threshold-in-msgs count] ]
2.
Specify the interval in minutes at which ACL logs must be generated. You can enter an interval in the
range of 1-10 minutes. The default frequency at which ACL logs are generated is 5 minutes. If ACL
logging is stopped because the configured threshold has exceeded, it is re-enabled after the logging
interval period elapses. ACL logging is supported for standard and extended IPv4 ACLs, IPv6 ACLs,
and standard and extended MAC ACLs. Configure ACL logging only on ACLs that are applied to
ingress interfaces; you cannot enable logging for ACLs that are associated with egress interfaces.
CONFIG-STD-NACL mode
seq sequence-number {deny | permit} {source [mask] | any | host ip-address}
[log [interval minutes]]
150
Access Control Lists (ACLs)
Advertisement
Table of Contents
Troubleshooting
