268 ACL Commands
classifier rule. The ACL logging feature allows these hardware hit counts to be
collected on a per-rule basis and reported periodically to the network
administrator using the system logging facility and an SNMP trap.
The PowerConnect ACL permit/deny rule specification supports a log
parameter that enables hardware hit count collection and reporting.
Depending on platform capabilities, logging can be specified for deny rules,
permit rules, or both. A five minute logging interval is used, at which time
trap log entries are written for each ACL logging rule that accumulated a
nonzero hit count during that interval. The logging interval is not user
configurable.
How to Build ACLs
This section describes how to build ACLs that are less likely to exhibit false
matches.
Administrators are cautioned to specify ACL access-list, permit and deny rule
criteria as fully as is possible in order to avoid false matches. This is especially
true in networks with protocols such as FCoE that have newly introduced
Ether type values. As an example, rules that specify a TCP or UDP port value
should also specify the TCP or UDP protocol and the IPv4 or IPv6 Ether type.
Rules that specify an IP protocol should also specify the Ether type value for
the frame. In general, any rule that specifies matching on an upper layer
protocol field should also include matching constraints for each of the lower
layer protocols. For example, a rule to match packets directed to the well-
known UDP port number 22 (SSH) should also include matching constraints
on the IP protocol field (protocol = 0x11 or UDP) and the Ether type field
(Ether type = 0x0800 or IPv4). In Table 5-1 is a lis t of commonly used Ether
types and, in Table5-2 commonly used IP protocol numbers.
2CSPC4.XCT-SWUM2XX1.book Page 268 Monday, October 3, 2011 11:05 AM