04-20-2016 04:26 PM
In ACI is it possible to see what traffic (IP ports) is being dropped by a contract? It often happens that a contract has been put in place and some part of the application is still not working. Rather than setting up a sniffer, snapping the traffic, etc., is there a way to show what's hitting the contract but is being dropped? IP port numbers would be fine, but that can be parsed out of anything if it's available in the system somewhere. Or, if a monitor policy needs to be placed on it, that's fine too, I just can't find anything.
Thanks for any help.
04-26-2016 07:08 PM
Hi tigephillips,
You should be able to see what packets are dropped by contracts with the “show logging ip access-list internal packet-log” CLI command. You may need to add the “deny” option to this depending on the ACI version. But this does not show what contract is hit by the dropped packet.
You may be able to estimate it from “show system internal policy-mgr stats”.
Hope this
04-27-2016 02:30 PM
From further input from one of our experts, you may have to "enable" the feature by going to Fabric -> Fabric Policies -> Monitoring Policies -> Common Policy -> Syslog Message Policies -> Policy for system syslog messages -> Change ‘default’ to ‘information’. Then you can also view the logs in the GUI by going to Fabric -> Inventory -> POD 1 -> History -> Events. It will be logged as ACLLOG, see the attached image.
Dave
03-06-2018 05:04 AM
Hello,
Does the above configuration work for ACI Version: 2.2(1o)? I tried it in my lab but I didn't get any entry in the Event tab.
Thanks,
Helena.
03-06-2018 05:14 AM
I'll answer myself: it does work. I was doing the wrong test and not hitting a contract.
But then, the concern is: would this affect performance in a large environment with around 100 contracts?
Thanks.