ACL Monitoring

ACL Monitoring provides visibility into how your Access Control List rules are performing in production. By tracking hit counters for each ACL rule, you can understand which rules are actively matching traffic and which may be candidates for cleanup.

Rule Hit Counters

Every ACL rule configured on your edges tracks two counters:

  • Packets Matched -- The number of packets that matched the rule criteria.
  • Bytes Matched -- The total bytes of traffic that matched the rule.

These counters are collected from the VPP binary API on each edge and reported to the orchestrator as part of the regular metrics collection cycle.

Identifying Rule Effectiveness

Hit counters help you answer important questions about your ACL configuration:

Pattern -- What it means:

  • High hit count -- The rule is actively matching traffic. Verify it is performing the intended action (permit or deny).
  • Zero hits -- The rule has never matched any traffic. It may be redundant, misconfigured, or protecting against a threat that has not occurred.
  • Unexpected hits on a deny rule -- Traffic is being blocked that you may not have anticipated. Investigate the source to determine if it is legitimate or malicious.
  • No hits on an expected permit rule -- Traffic may be matching a higher-priority rule before reaching this one. Check rule ordering.
Tip: Review ACL hit counters regularly to identify unused rules that can be cleaned up. Removing unnecessary rules simplifies your security policy and can improve processing performance on the edge.

Time-Series View

In addition to cumulative counters, ACL hits can be viewed as a time series to identify how traffic patterns change over time. This is useful for:

  • Detecting new traffic patterns that start matching existing rules.
  • Correlating ACL hits with network events or incidents.
  • Verifying that a newly added rule is matching the expected traffic.
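As an added example (not the product's own code), the review patterns from the table above and the time-series checks in this section can be run over two counter snapshots taken one collection cycle apart; the AclRule schema, the shadowing heuristic and the sample snapshots are constructed assumptions, not the orchestrator's real data model.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AclRule:  # hypothetical rule/counter schema, not the product's own
    index: int      # position in the ACL; a lower index is evaluated first
    action: str     # "permit" or "deny"
    match: str      # match criteria, kept as a string for the example
    packets: int    # Packets Matched counter (cumulative)
    bytes_: int     # Bytes Matched counter (cumulative)

def classify_rules(rules, expected_deny=()):
    """Map rule index -> finding, following the review patterns in the table above."""
    # expected_deny: indexes of deny rules whose hits are anticipated (not flagged).
    # Shadowing heuristic: a zero-hit rule whose match equals an earlier hit rule's.
    findings = {}
    ordered = sorted(rules, key=lambda r: r.index)
    for i, r in enumerate(ordered):
        if r.packets == 0:
            shadow = next((e for e in ordered[:i] if e.match == r.match and e.packets), None)
            if shadow is not None:
                findings[r.index] = f"no hits; shadowed by rule {shadow.index}, check ordering"
            else:
                findings[r.index] = "zero hits; candidate for review or removal"
        elif r.action == "deny" and r.index not in expected_deny:
            findings[r.index] = "deny rule matching traffic; investigate the source"
    return findings

def hit_deltas(before, after):
    """Per-rule packet increase between two cumulative snapshots (one time-series step)."""
    prev = {r.index: r.packets for r in before}
    return {r.index: r.packets - prev.get(r.index, 0) for r in after}

def newly_matching(before, after):
    """Indexes of rules that had zero hits before and started matching after."""
    prev = {r.index: r.packets for r in before}
    return sorted(r.index for r in after if prev.get(r.index, 0) == 0 and r.packets)

# Constructed snapshots of cumulative counters from two consecutive collection cycles.
SNAPSHOT_T0 = [
    AclRule(0, "permit", "tcp 10.0.0.0/8 -> any:443", 12000, 9_600_000),
    AclRule(1, "deny", "any -> 10.0.5.0/24:22", 0, 0),
    AclRule(2, "permit", "tcp 10.0.0.0/8 -> any:443", 0, 0),
    AclRule(3, "deny", "any -> any", 300, 24_000),
]
SNAPSHOT_T1 = [
    AclRule(0, "permit", "tcp 10.0.0.0/8 -> any:443", 12500, 10_000_000),
    AclRule(1, "deny", "any -> 10.0.5.0/24:22", 40, 2_400),
    AclRule(2, "permit", "tcp 10.0.0.0/8 -> any:443", 0, 0),
    AclRule(3, "deny", "any -> any", 310, 24_800),
]
```

Rule 3 is the expected catch-all deny, so its hits are not flagged; rule 1 starting to match between the two snapshots is exactly the "new traffic pattern" case the time-series view is meant to surface.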

Rule Table

The ACL rule table displays all configured rules with their current hit counts. You can sort the table by:

  • Most Active -- Rules with the highest hit counts, showing where most traffic is being matched.
  • Least Active -- Rules with the lowest (or zero) hit counts, highlighting candidates for review or removal.
  • Rule Order -- The default processing order, useful for understanding rule evaluation sequence.

Each row shows the rule's action (permit/deny), match criteria (source/destination, ports, protocol), and the accumulated hit counters.