Configuring acl packet and flow counters – Brocade Communications Systems ServerIron ADX 12.4.00a User Manual


78

ServerIron ADX Security Guide

53-1002440-03

Enabling strict TCP or UDP mode for flow-based ACLs


Syntax: [no] ip strict-acl-udp

This command configures the device to compare all UDP packets against the configured ACLs
before forwarding them.

To disable the strict ACL mode and return to the default ACL behavior, enter the following
command.

ServerIronADX(config)# no ip strict-acl-udp

NOTE

Enter the ip rebind-acl command at the global CONFIG level of the CLI to place the ip strict-acl-udp
or no ip strict-acl-udp command into effect.

Configuring ACL packet and flow counters

You can configure counters for packets and flows that match entries in an ACL. Using the CLI, you
can display the contents of the counters and clear them:

The ACL packet counter feature provides an accurate count of packets matching individual ACL
entries.

The ACL flow counter feature provides an approximate count of flows matching individual ACL
entries. This feature can be used for troubleshooting purposes to provide an indication of flow
activity against an ACL. Each time the Brocade device receives the first packet of a flow
matching an entry in an ACL list, the flow counter for that ACL entry is incremented by one. If a
flow lasts longer than two minutes, the flow counter for the ACL entry is incremented again.

NOTE

The ACL flow counter feature is designed to monitor the general volume of flow activity for an
ACL. It is not intended to be used for accounting purposes.

The ACL flow and packet counters are incremented differently depending on whether packets are
handled by the Management Processor (MP), and whether they are permit or deny flows.

For flows handled by the Management Processor (MP), the counters are incremented as follows:

For permit flows, only flows are counted. If a permit flow lasts longer than two minutes, the flow
counter is incremented again.

For deny flows, only packets are counted.

By default the ACL packet and flow counters are disabled. To activate them, enter the following
command.

ServerIronADX(config)# enable-acl-counter

Syntax: [no] enable-acl-counter

Once the ACL packet and flow counters are enabled, you can disable them with the no form of the
enable-acl-counter command. Disabling and then re-enabling the ACL packet and flow counters
resets them to zero.
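The following is an added illustration, not Brocade code and not taken from the manual: it replays constructed packet records through the Management Processor counting rules stated above (permit flows count flows only, and again when a flow outlives two minutes; deny flows count packets only) and through the enable/disable reset behaviour, so the gap between the exact packet counter and the approximate flow counter is visible on sample traffic. The ACL entry numbers, flow identifiers and timestamps are constructed, and the model assumes that a long-lived permit flow is re-counted once per additional two-minute interval, which the manual does not spell out.

```python
from __future__ import annotations
from dataclasses import dataclass

# "If a flow lasts longer than two minutes, the flow counter ... is incremented again."
FLOW_RECOUNT_SECONDS = 120


@dataclass(frozen=True)
class Packet:
    ts: float        # arrival time in seconds (constructed)
    flow_id: str     # stand-in for the 5-tuple that identifies a flow (constructed)
    acl_entry: int   # sequence number of the matching ACL entry (constructed)
    action: str      # "permit" or "deny", taken from that entry


@dataclass
class EntryCounters:
    packets: int = 0
    flows: int = 0


class MpAclCounterModel:
    """Model of the counters for flows handled by the Management Processor:
    permit flows count flows only, deny flows count packets only.
    Assumption (not stated in the manual): a permit flow is re-counted once
    per additional two-minute interval it stays alive."""

    def __init__(self) -> None:
        self.enabled = False            # enable-acl-counter is off by default
        self.counters: dict[int, EntryCounters] = {}
        self._window_start: dict[str, float] = {}   # flow_id -> start of current 2-minute window

    def enable(self) -> None:
        # Disabling and then re-enabling the counters resets them to zero.
        self.enabled = True
        self.counters.clear()
        self._window_start.clear()

    def disable(self) -> None:
        self.enabled = False

    def observe(self, pkt: Packet) -> None:
        if not self.enabled:
            return
        c = self.counters.setdefault(pkt.acl_entry, EntryCounters())
        if pkt.action == "deny":
            c.packets += 1              # deny: every packet is counted, no flow state kept
            return
        start = self._window_start.get(pkt.flow_id)
        if start is None:
            self._window_start[pkt.flow_id] = pkt.ts    # first packet of a new permit flow
            c.flows += 1
        elif pkt.ts - start > FLOW_RECOUNT_SECONDS:
            self._window_start[pkt.flow_id] = pkt.ts    # flow outlived two minutes: count again
            c.flows += 1

    def snapshot(self) -> dict[int, tuple[int, int]]:
        """Per ACL entry: (packets, flows), in entry order."""
        return {entry: (c.packets, c.flows) for entry, c in sorted(self.counters.items())}


def run_sample() -> dict[int, tuple[int, int]]:
    """Replay constructed traffic against a two-entry ACL: entry 10 permits, entry 20 denies."""
    traffic = [
        Packet(0.0,   "A", 10, "permit"),
        Packet(5.0,   "A", 10, "permit"),    # same flow, not counted again
        Packet(50.0,  "C", 10, "permit"),    # second permit flow
        Packet(1.0,   "B", 20, "deny"),
        Packet(2.0,   "B", 20, "deny"),
        Packet(3.0,   "B", 20, "deny"),      # deny: three packets, no flows
        Packet(130.0, "A", 10, "permit"),    # flow A has now lasted longer than two minutes
    ]
    model = MpAclCounterModel()
    model.enable()
    for pkt in sorted(traffic, key=lambda p: p.ts):
        model.observe(pkt)
    return model.snapshot()


if __name__ == "__main__":
    for entry, (packets, flows) in run_sample().items():
        print(f"ACL entry {entry}: packets={packets} flows={flows}")
```

Running the sample gives entry 10 zero packets and three flows (A, C, and A again after two minutes) and entry 20 three packets and zero flows, which is why the manual describes the flow counter as approximate and unsuitable for accounting: a single long-lived flow contributes more than one count, and permitted packets are never counted individually.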

To display the packet and flow counters for ACL 100.
