Command to monitor ACL activity?
-
I'm working on configuring a TNSR instance and, as I go about setting up various ACLs, was hoping to be able to do something like ping a device on the network and view the permit/deny/reflect ACL activity on the router. I cannot find a show command that does this, but it's entirely possible I've missed it. This would be very helpful for instances where things don't respond as I would expect them to. Any utility/command that I can leverage?
-
I don't think there is anything which tracks that, even in the dataplane itself (VPP). There is a "count" field in ACLs inside VPP but it's the number of rules in an ACL, not hits. I don't see anything else close.
You can look at how things are moving in VPP directly, using "sudo vppctl" and items in there like the "trace" command. Though it's nowhere near as easy as checking a hit counter.
-
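The packet-trace workflow suggested in the reply above, as an added example that is not part of the original thread or of TNSR itself. It wraps the vppctl "trace add" / "show trace" / "clear trace" commands around a single ping and then picks out, per traced packet, the lines emitted by the ACL plugin nodes. Assumptions: VPP is reachable via "sudo vppctl", the interface's input graph node is dpdk-input (override INPUT_NODE if your deployment uses a different driver), the ACL plugin nodes are named acl-plugin-in-ip4-fa / acl-plugin-out-ip4-fa as in upstream VPP, and the exact text of the "acl-plugin:" detail line in the sample below is constructed for illustration rather than copied from a real trace.

```shell
#!/bin/sh
# Added example, not TNSR or VPP project code.
# Capture a VPP packet trace around a ping and summarize ACL plugin hits.

INPUT_NODE="${INPUT_NODE:-dpdk-input}"   # assumption: DPDK-driven NIC
TRACE_COUNT=50                           # packets to trace from INPUT_NODE

# Clear any old trace, arm a new one, generate traffic, then dump the trace.
# Requires root access to the VPP CLI socket (sudo vppctl), as in the thread.
capture_trace() {
    target="$1"
    sudo vppctl clear trace
    sudo vppctl trace add "$INPUT_NODE" "$TRACE_COUNT"
    ping -c 3 -W 1 "$target" >/dev/null 2>&1 || true
    sudo vppctl show trace
}

# Read a "show trace" dump on stdin. Each packet starts with a "Packet N"
# line; print the packet number alongside every line mentioning acl-plugin
# (the node name line and the plugin's own detail line) so that the action
# taken on each packet is visible without reading the whole trace.
summarize_acl_hits() {
    awk '
        /^Packet [0-9]+/ { pkt = $2; next }
        /acl-plugin/ && pkt != "" {
            line = $0
            sub(/^[ \t]+/, "", line)
            print "packet " pkt ": " line
        }
    '
}

# Constructed sample of a trace dump (not captured from a real system);
# the layout of the acl-plugin detail line is an assumption.
SAMPLE_TRACE='Packet 1

00:00:05:123456: dpdk-input
  GigabitEthernet0/4/0 rx queue 0
00:00:05:123460: ip4-input
00:00:05:123470: acl-plugin-in-ip4-fa
  acl-plugin: sw_if_index 1, next index 1, action: 1, match: acl 0 rule 2
00:00:05:123480: ip4-lookup

Packet 2

00:00:05:223456: dpdk-input
00:00:05:223460: ip4-input
00:00:05:223470: acl-plugin-in-ip4-fa
  acl-plugin: sw_if_index 1, next index 0, action: 0, match: acl 0 rule 5
00:00:05:223480: error-drop'

# Usage: ./acl-trace.sh 10.0.0.5   (runs against live VPP)
#        with no argument, summarize the constructed sample instead.
if [ -n "${1:-}" ]; then
    capture_trace "$1" | summarize_acl_hits
else
    printf '%s\n' "$SAMPLE_TRACE" | summarize_acl_hits
fi
```

Remember that "trace add" only captures packets arriving through the named input node, so traffic entering via a different driver (for example an af-packet or virtio interface) needs its own "trace add" line, and that traces consume memory until cleared.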
@jimp thanks again for your response and the helpful information. You've certainly given me something to read up on and play with! Any likelihood a counter type feature could/would be forthcoming at a later date?
-
We have some feature requests open for that and other similar things (like notifying on ACL hit) but no ETA on when that might be implemented.
-
Alrighty then. I'll work on getting smarter while you all keep developing away. Is there anywhere I can go to see the outstanding feature requests/bugs/etc so that I don't bother you all with questions about things that are already known about or being worked on?
-
Not at the moment, it's all in an internal bug tracker. Every once in a while we revisit making that public but so far it's mostly private with internal chatter. If anything changes there, it will be in the release notes and related posts around a new release.