Flow-Based Monitoring; Behavior Of Flow-Based Monitoring - Dell S3048-ON Configuration Manual

CONFIG-STD-NACL mode
seq sequence-number {deny | permit} {source [mask] | any | host ip-address} [log [threshold-
in-msgs count] ]
2 Specify the interval in minutes at which ACL logs must be generated. You can enter an interval in the range of 1-10 minutes. The
default frequency at which ACL logs are generated is 5 minutes. If ACL logging is stopped because the configured threshold has
exceeded, it is re-enabled after the logging interval period elapses. ACL logging is supported for standard and extended IPv4 ACLs,
IPv6 ACLs, and standard and extended MAC ACLs. Configure ACL logging only on ACLs that are applied to ingress interfaces; you
cannot enable logging for ACLs that are associated with egress interfaces.
CONFIG-STD-NACL mode
seq sequence-number {deny | permit} {source [mask] | any | host ip-address} [log [interval
minutes]]

Flow-Based Monitoring

Flow-based monitoring conserves bandwidth by monitoring only the specified traffic instead of all traffic on the interface. It is available for
Layer 3 ingress and known unicast egress traffic. You can specify the traffic that needs to be monitored using standard or extended
access-lists. The flow-based monitoring mechanism copies packets that matches the ACL rules applied on the port and forwards (mirrors)
them to another port. The source port is the monitored port (MD) and the destination port is the monitoring port (MG).
When a packet arrives at a port that is being monitored, the packet is validated against the configured ACL rules. If the packet matches an
ACL rule, the system examines the corresponding flow processor to perform the action specified for that port. If the mirroring action is set
in the flow processor entry, the destination port details, to which the mirrored information must be sent, are sent to the destination port.

Behavior of Flow-Based Monitoring

You can activate flow-based monitoring for a monitoring session using the flow-based enable command in the Monitor Session mode.
When you enable this flow-based monitoring, traffic with particular flows that are traversing through the interfaces are examined in
accordance with the applied ACLs. By default, flow-based monitoring is not enabled.
There are two ways in which you can enable flow-based monitoring in Dell Networking OS. You can create an ACL and apply that ACL
either to an interface that needs to be monitored or apply it in the monitor session context. If you apply the monitor ACL to an interface,
the Dell Networking OS mirrors the ingress traffic with an implicit deny applied at the end of the ACL. If you apply the ACL to the monitor
section context, the Dell Networking OS mirrors the ingress and known unicast egress traffic with an implicit permit applied at the end of
the ACL. This enables the other traffic to flow without being blocked by the ACL.
When you apply an ACL within the monitor session, it is applied to all source interfaces configured in the monitor session.
The Dell Networking OS honors any permit or deny actions of the ACL rules used for flow-based mirroring. Packets that match a mirror
ACL rule is denied or forwarded depending on the rule but the packet is mirrored. However, the user ACL has precedence over the mirror
ACL.
The same source interface can be part of multiple monitor sessions.
Flow-based monitoring is supported for SPAN, RSPAN, and ERSPAN sessions. If there are overlapping rules between ACLs applied on
different monitor sessions, the session with the highest monitor session ID takes precedence.
NOTE: You can apply only IPv4 ACL rules under monitor session context.
You must specify the monitor option with the permit, deny, or seq command for ACLs that are assigned to the source or the
monitored port (MD) to enable the evaluation and replication of traffic that is traversing to the destination port. Enter the keyword
monitor with the seq, permit, or deny command for the ACL rules to allow or drop IPv4, IPv6, ARP, UDP, EtherType, ICMP, and TCP
packets. The ACL rule describes the traffic that you want to monitor, and the ACL in which you are creating the rule is applied to the
134 Access Control Lists (ACLs)