this capability, traffic with particular flows that are traversing through the ingress
and egress interfaces are examined and, appropriate ACLs can be applied in both
the ingress and egress direction. Flow-based monitoring conserves bandwidth by
monitoring only specified traffic instead all traffic on the interface. This feature is
particularly useful when looking for malicious traffic. It is available for Layer 2 and
Layer 3 ingress and egress traffic. You may specify traffic using standard or
extended access-lists. This mechanism copies all incoming or outgoing packets on
one port and forwards (mirrors) them to another port. The source port is the
monitored port (MD) and the destination port is the monitoring port (MG).
Related
Commands
permit – configures a filter to forward packets.
permit udp (for IPv6 ACLs)
Configure a filter to pass UDP packets meeting the filter criteria.
Syntax
permit udp {source address mask | any | host ipv6-address}
[operator port [port]] {destination address | any | host ipv6-
address} [operator port [port]] [count [byte]] [log [interval
minutes] [threshold-in-msgs [count]] [monitor]
To remove this filter, you have two choices:
• Use the no seq sequence-number command if you know the filter’s
sequence number.
• Use the no permit udp {source address mask | any | host ipv6-
address} {destination address | any | host ipv6-address}
command.
Parameters
log (OPTIONAL) Enter the keyword log to enable the triggering
of ACL log messages.
threshold-in
msgs count
(OPTIONAL) Enter the threshold-in-msgs keyword
followed by a value to indicate the maximum number of ACL
logs that can be generated, exceeding which the generation
of ACL logs is terminated with the
seq, permit, or deny
commands. The threshold range is from 1 to 100.
interval
minutes
(OPTIONAL) Enter the keyword interval followed by the
time period in minutes at which ACL logs must be generated.
The interval range is from 1 to 10 minutes.
monitor (OPTIONAL) Enter the keyword monitor when the rule is
describing the traffic that you want to monitor and the ACL
in which you are creating the rule is applied to the monitored
interface.
Access Control Lists (ACL)
359