Logging Of Acl Processes - Dell Force10 Z9000 Configuration Manual

NOTE: If you configure the continue clause without specifying a module, the next sequential module is processed.
Example of Using the continue Clause in a Route Map
!
route-map test permit 10
match commu comm-list1
set community 1:1 1:2 1:3
set as-path prepend 1 2 3 4 5
continue 30!

Logging of ACL Processes

This functionality is supported on the Z9000 platform.
To assist in the administration and management of traffic that traverses the device after being validated by the configured ACLs, you
can enable the generation of logs for access control list (ACL) processes. Although you can configure ACLs with the required permit
or deny filters to provide access to the incoming packet or disallow access to a particular user, it is also necessary to monitor and
examine the traffic that passes through the device. To evaluate network traffic that is subjected to ACLs, configure the logs to be
triggered for ACL operations. This functionality is primarily needed for network supervision and maintenance activities of the handled
subscriber traffic.
When ACL logging is configured, and a frame reaches an ACL-enabled interface and matches the ACL, a log is generated to indicate
that the ACL entry matched the packet.
When you enable ACL log messages, at times, depending on the volume of traffic, it is possible that a large number of logs might be
generated that can impact the system performance and efficiency. To avoid an overload of ACL logs from being recorded, you can
configure the rate-limiting functionality. Specify the interval or frequency at which ACL logs must be triggered and also the threshold
or limit for the maximum number of logs to be generated. If you do not specify the frequency at which ACL logs must be generated,
a default interval of 5 minutes is used. Similarly, if you do not specify the threshold for ACL logs, a default threshold of 10 is used,
where this value refers to the number of packets that are matched against an ACL .
A Layer 2 or Layer 3 ACL contains a set of defined rules that are saved as flow processor (FP) entries. When you enable ACL logging
for a particular ACL rule, a set of specific ACL rules translate to a set of FP entries. You can enable logging separately for each of
these FP entries, which relate to each of the ACL entries configured in an ACL. Dell Networking OS saves a table that maps each
ACL entry that matches the ACL name on the received packet, sequence number of the rule, and the interface index in the
database. When the configured maximum threshold has exceeded, log generation stops. When the interval at which ACL logs are
configured to be recorded expires, a fresh interval timer starts and the packet count for that new interval commences from zero. If
ACL logging was stopped previously because the configured threshold has exceeded, it is reenabled for this new interval.
The ACL application sends the ACL logging configuration information and other details, such as the action, sequence number, and
the ACL parameters that pertain to that ACL entry. The ACL service collects the ACL log and records the following attributes per log
message.
• For non-IP packets, the ACL name, sequence number, ACL action (permit or deny), source and destination MAC addresses,
EtherType, and ingress interface are the logged attributes.
• For IP Packets, the ACL name, sequence number, ACL action (permit or deny), source and destination MAC addresses, source
and destination IP addresses, and the transport layer protocol used are the logged attributes.
• For IP packets that contain the transport layer protocol as Transmission Control Protocol (TCP) or User Datagram Protocol
(UDP), the ACL name, sequence number, ACL action (permit or deny), source and destination MAC addresses, source and
destination IP addresses, and the source and destination ports (Layer 4 parameters) are also recorded.
If the packet contains an unidentified EtherType or transport layer protocol, the values for these parameters are saved as Unknown
in the log message. If you also enable the logging of the count of packets in the ACL entry, and if the logging is deactivated in a
Access Control Lists (ACLs)
109