Information About ACL Logging
The ACL logging feature allows you to monitor ACL flows and to log dropped packets on an interface.
IPv6 ACL Logging Overview
When the ACL logging feature is configured, the system monitors ACL flows and logs dropped packets and statistics for each flow that matches the deny conditions of the ACL entry.
Statistics and dropped-packet logs are generated for each flow. A flow is defined by the source interface, protocol, source IP address, source port, destination IP address, and destination port values. The statistics maintained for a matching flow is the number of denies of the flow by the ACL entry during the specified time interval.
When a new flow is denied (that is a flow that is not already active in the system), the system generates an initial Syslog message with a hit count value of 1. Then each time the flow is denied, the system creates a flow entry and increments the hit count value.
When an existing flow is denied, the system generates a Syslog message at the end of each interval to report the hit count value for the flow in the current interval. After the Syslog message is generated, the hit count value for the flow is reset to zero for the next interval. If no hit is recorded during the interval, the flow is deleted and no Syslog message is generated.