Creating an ACL with an sFlow clause – Brocade Multi-Service IronWare Switching Configuration Guide (Supporting R05.6.00) User Manual
Multi-Service IronWare Switching Configuration Guide
53-1003036-02
ACL-based Inbound sFlow
• IPv4 ACL-based Rate Limiting: When the copy-sflow keyword is used in an IPv4 Rate Limiting
  ACL, only traffic permitted by the Rate Limiting engine is copied to the CPU for forwarding to the
  sFlow collector.
• IPv4 ACLs on VRF endpoints: You can apply ACL-based sFlow for VRF endpoints; however, such
  packets are treated as regular sampled sFlow packets and do not carry proprietary
  encapsulation. This can create a minor skew of statistics projection.
• Layer 2 ACLs: The copy-sflow keyword is not supported for Layer 2 ACLs.
• If the copy-sflow keyword is used for a clause that is applied to the outbound direction, it is
  ignored.
Creating an ACL with an sFlow clause
The copy-sflow keyword has been added for use in IPv4 and IPv6 ACL clauses. It directs traffic
that meets the criteria in the clause to the sFlow collector. In the following example, the
ACL directs syn-ack packets sent from a server at address 10.10.10.1 to the collector.
access-list 151 permit tcp host 10.10.10.1 any established syn copy-sflow
access-list 151 permit any any
The copy-sflow keyword directs selected traffic to the sFlow collector. Traffic can only be selected
using the permit clause.
You must apply the ACL to an interface using the ip access-group command as shown in the
following example.
Brocade(config)# int eth 1/1
Brocade(config-if-e10000-1/1)# ip access-group 151 in
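A configuration check for the rules above, as an added example that is not part of the Brocade guide: it scans saved configuration text for copy-sflow clauses that will never feed the sFlow collector (used on a deny clause, ACL not applied to an interface, or applied outbound only). The sample configuration, ACLs 152 and 153, and the function name lint_copy_sflow are constructed for illustration; Layer 2 ACLs are not covered.

```python
import re

# Constructed sample config: ACL 151 is the guide's example; ACLs 152/153
# and the outbound binding are made up to trigger the checks.
SAMPLE = """\
access-list 151 permit tcp host 10.10.10.1 any established syn copy-sflow
access-list 151 permit any any
access-list 152 deny tcp any any copy-sflow
access-list 153 permit udp any any copy-sflow
interface ethernet 1/1
 ip access-group 151 in
interface ethernet 1/2
 ip access-group 153 out
"""

ACL_RE = re.compile(r"^access-list\s+(\d+)\s+(permit|deny)\b(.*)$")
BIND_RE = re.compile(r"^ip access-group\s+(\d+)\s+(in|out)$")
IFACE_RE = re.compile(r"^int(?:erface)?\s+(.+)$")


def lint_copy_sflow(config):
    """Return sorted findings for copy-sflow clauses that will not reach the collector."""
    sflow_acls = {}   # ACL number -> actions (permit/deny) that carry copy-sflow
    bindings = {}     # ACL number -> list of (interface, direction)
    iface = None
    for raw in config.splitlines():
        line = raw.strip()
        if m := IFACE_RE.match(line):
            iface = m.group(1)
        elif m := ACL_RE.match(line):
            if "copy-sflow" in m.group(3).split():
                sflow_acls.setdefault(m.group(1), set()).add(m.group(2))
        elif m := BIND_RE.match(line):
            bindings.setdefault(m.group(1), []).append((iface, m.group(2)))
    findings = []
    for acl, actions in sflow_acls.items():
        if "deny" in actions:  # traffic can only be selected with permit
            findings.append(f"ACL {acl}: copy-sflow on a deny clause selects no traffic")
        directions = {d for _, d in bindings.get(acl, [])}
        if not directions:     # the ACL must be applied with ip access-group
            findings.append(f"ACL {acl}: copy-sflow clause is not applied to any interface")
        elif "in" not in directions:  # outbound copy-sflow is ignored
            findings.append(f"ACL {acl}: applied outbound only, copy-sflow is ignored")
    return sorted(findings)


if __name__ == "__main__":
    print("\n".join(lint_copy_sflow(SAMPLE)))
```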