138
4.3.4. ACL Mirror Function
ACL mirroring provides the ability to mirror traffic that matches a permit rule to a specific physical port or
Port-channel. Mirroring is similar to the redirect function, except that in flow-based mirroring a copy of the
permitted traffic is delivered to the mirror interface while the packet itself is forwarded normally through
the device. You cannot configure a given ACL rule with both mirror and redirect attributes.
Using ACLs to mirror traffic is considered to be flow-based mirroring since the traffic flow is defined by the
ACL classification rules. This is in contrast to port mirroring, where all traffic encountered on a specific
interface is replicated on another interface.
4.3.5. ACL Logging
ACL Logging provides a means for counting the number of matches against an ACL rule. When you configure
ACL Logging, you
augment
the ACL deny rule
specification
with a log
parameter
that enables
hardware
hit
count collection and reporting. The switch uses a fixed five minute logging interval, at which time trap log
entries are written for each ACL logging rule that accumulated a non-zero hit count during that interval. You
cannot configure the logging interval.
4.3.6. Time-based ACLs
The time-based ACL feature allows the switch to dynamically apply an explicit ACL rule within an ACL for a
predefined
time interval by
specifying
a time range on a per-rule basis within an ACL, so that the time
restrictions are imposed on the ACL rule.
With a time-based ACL, you can define when and for how long an individual rule of an ACL is in effect. To
apply a time to an ACL, first you define a specific time interval and then apply it to an individual ACL rule so
that it is
operational
only during the specified time range, for example, during a specified time period or on
specified days of the week.
A time range can be absolute (specific time) or periodic (recurring). If an absolute and periodic time range
entry are defined within the same time range, the periodic timer is active only when the absolute timer is
active.
Note: Adding a conflicting periodic time range to an absolute time range will cause the time range to
become inactive. For example, consider an absolute time range from 8:00 AM Tuesday March 1st
2011 to 10 PM Tuesday March 1st 2011. Adding a periodic entry using the 'weekend' keyword will cause the
time-range to become inactive because Tuesdays are not on the weekend.
A named time range can contain up to 10 configured time ranges. Only one absolute time range can be
configured per time range. During the ACL configuration, you can associate a configured time range with
the ACL to provide additional control over permitting or denying a user access to network resources.
Benefits of using time-based ACLs include:
ï‚·
Providing more control over permitting or denying a user access to resources, such as an
application (identified by an IP address/mask pair and a port number).
To Next Page
Loading...
Need help?
General