ACL Monitoring
ACL Monitoring provides visibility into how your Access Control List rules are performing in production. The page uses a dual-source design: an always-available config summary panel (sourced from the API database, works even when the edge is offline) and live metric charts (sourced from PromQL, only available when the edge is online and reporting).
System-managed ACLs (e.g., the tap300DefaultOutbound rule created by the WAN plugin) are filtered from the display to keep the focus on user-defined rules.
Config Summary (Always Available)
The top panel shows the ACL configuration state from the database:
- ACL Enabled — whether the VPP ACL plugin is active
- Total ACLs — number of configured ACL tables
- Total Rules — aggregate rule count across all ACLs
- Interface Bindings — which ACLs are bound to which interfaces, with direction (ingress/egress)
This panel renders even when the edge is offline, making it useful for auditing the intended configuration.
Rule Hit Counters (Live Metrics)
Every ACL rule configured on your edges tracks two counters:
- Packets Matched -- The number of packets that matched the rule criteria.
- Bytes Matched -- The total bytes of traffic that matched the rule.
These counters are collected from the VPP binary API on each edge and reported to the orchestrator as part of the regular metrics collection cycle.
Identifying Rule Effectiveness
Hit counters help you answer important questions about your ACL configuration:
| Pattern | What It Means |
|---|---|
| High hit count | The rule is actively matching traffic. Verify it is performing the intended action (permit or deny). |
| Zero hits | The rule has never matched any traffic. It may be redundant, misconfigured, or protecting against a threat that has not occurred. |
| Unexpected hits on a deny rule | Traffic is being blocked that you may not have anticipated. Investigate the source to determine if it is legitimate or malicious. |
| No hits on an expected permit rule | Traffic may be matching a higher-priority rule before reaching this one. Check rule ordering and whether an earlier rule's match criteria overlap this rule's. |
Review ACL hit counters regularly to identify unused rules that can be cleaned up. Removing unnecessary rules simplifies your security policy and can improve processing performance on the edge.
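The following is an added example, not code from the product's UI or API, that applies the pattern table above to a constructed rule set. The rules, counters and the `expect_hits` annotation (whether the operator expects the rule to see traffic in normal operation) are assumptions for the example; the overlap check is what finds the earlier rule most likely to be stealing traffic from a rule with zero hits.

```python
"""Added example: classify ACL rules by hit counters and flag likely shadowing."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ANY_PORT = (0, 65535)


@dataclass
class Rule:
    name: str
    action: str                   # "permit" or "deny"
    src: str                      # source CIDR
    dst: str                      # destination CIDR
    proto: Optional[int]          # IP protocol number; None = any
    dport: Tuple[int, int]        # inclusive destination port range
    packets: int                  # cumulative Packets Matched counter
    expect_hits: bool = True      # assumed operator annotation: should this rule see traffic?


def overlaps(a: Rule, b: Rule) -> bool:
    """True if some packet could satisfy both rules' match criteria."""
    a_src = ipaddress.ip_network(a.src, strict=False)
    b_src = ipaddress.ip_network(b.src, strict=False)
    a_dst = ipaddress.ip_network(a.dst, strict=False)
    b_dst = ipaddress.ip_network(b.dst, strict=False)
    if not (a_src.overlaps(b_src) and a_dst.overlaps(b_dst)):
        return False
    if a.proto is not None and b.proto is not None and a.proto != b.proto:
        return False
    # Port ranges intersect when neither one ends before the other starts.
    return a.dport[0] <= b.dport[1] and b.dport[0] <= a.dport[1]


def shadowing_rules(rules: List[Rule], idx: int) -> List[str]:
    """Names of rules evaluated before rules[idx] whose criteria overlap it."""
    return [r.name for r in rules[:idx] if overlaps(r, rules[idx])]


def classify(rules: List[Rule], high_threshold: int = 100_000) -> Dict[str, List[str]]:
    """Map each rule name to the findings from the pattern table; [] means nothing to flag."""
    findings: Dict[str, List[str]] = {}
    for i, r in enumerate(rules):
        notes: List[str] = []
        if r.packets >= high_threshold:
            notes.append(f"high hits: verify {r.action} is the intended action")
        if r.packets == 0:
            shadows = shadowing_rules(rules, i)
            if shadows:
                notes.append("zero hits: possibly shadowed by " + ", ".join(shadows))
            elif r.expect_hits:
                notes.append("zero hits: expected traffic not seen, check match criteria")
            else:
                notes.append("zero hits: unused so far, candidate for review")
        if r.action == "deny" and r.packets > 0 and not r.expect_hits:
            notes.append("unexpected deny hits: investigate the source")
        findings[r.name] = notes
    return findings


# Constructed rule set in processing order; counters are made up, not from any edge.
RULES = [
    Rule("allow-https", "permit", "10.0.0.0/8", "0.0.0.0/0", 6, (443, 443), 120_000),
    Rule("block-ssh", "deny", "10.0.0.0/8", "0.0.0.0/0", 6, (22, 22), 340, expect_hits=False),
    Rule("allow-https-branch", "permit", "10.1.0.0/16", "0.0.0.0/0", 6, (443, 443), 0),
    Rule("deny-dns-out", "deny", "10.0.0.0/8", "0.0.0.0/0", 17, (53, 53), 0),
    Rule("allow-mgmt", "permit", "192.168.100.0/24", "10.0.0.0/8", None, ANY_PORT, 0, expect_hits=False),
]

if __name__ == "__main__":
    for name, notes in classify(RULES).items():
        print(name, "->", notes or ["ok"])
```

Overlapping criteria on an earlier rule is a necessary condition for shadowing, not proof of it: a partially overlapping earlier rule can coexist with a later rule that still gets hits. Treat the "possibly shadowed by" finding as the place to start reading the rule order, and note that the check as written only compares IPv4 prefixes, protocol and destination port.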
Time-Series View
In addition to cumulative counters, ACL hits can be viewed as a time series to identify how traffic patterns change over time. This is useful for:
- Detecting new traffic patterns that start matching existing rules.
- Correlating ACL hits with network events or incidents.
- Verifying that a newly added rule is matching the expected traffic.
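An added example, not code from the product, showing how the cumulative Packets Matched counter of one rule becomes a usable time series. The sample points are constructed (one per minute), and the example assumes the counter is cumulative since the edge last restarted, so a decrease between two samples is treated as a reset rather than negative traffic; this is the same convention PromQL's `rate()` and `increase()` apply to counters.

```python
"""Added example: per-interval increases from a cumulative ACL hit counter."""
from typing import List, Optional, Tuple

Sample = Tuple[int, int]   # (unix timestamp, cumulative Packets Matched)


def increases(samples: List[Sample]) -> List[Sample]:
    """Per-interval increase, reset-aware: if the counter went down, assume it
    restarted from zero and count what it has reached since the restart."""
    out: List[Sample] = []
    for (_, prev), (ts, cur) in zip(samples, samples[1:]):
        out.append((ts, cur - prev if cur >= prev else cur))
    return out


def rate_per_second(samples: List[Sample]) -> float:
    """Average packets/s across the whole series, reset-aware."""
    if len(samples) < 2:
        return 0.0
    total = sum(delta for _, delta in increases(samples))
    return total / (samples[-1][0] - samples[0][0])


def first_activity(samples: List[Sample]) -> Optional[int]:
    """Timestamp of the first interval in which the rule matched anything,
    i.e. when a newly added rule started working or a new pattern appeared."""
    for ts, delta in increases(samples):
        if delta > 0:
            return ts
    return None


def hits_in_window(samples: List[Sample], start: int, end: int) -> int:
    """Packets matched in the intervals ending in (start, end], for correlating
    the rule with an incident window."""
    return sum(delta for ts, delta in increases(samples) if start < ts <= end)


# Constructed series (assumed data): rule added at t=0, first matches at t=180,
# and the counter resets between t=240 and t=300 when the edge restarts.
SERIES: List[Sample] = [(0, 0), (60, 0), (120, 0), (180, 15), (240, 40), (300, 10)]

if __name__ == "__main__":
    print("increases:", increases(SERIES))
    print("first activity at:", first_activity(SERIES))
    print("hits during incident window (150, 250]:", hits_in_window(SERIES, 150, 250))
    print("average rate:", round(rate_per_second(SERIES), 4), "pkt/s")
```

Reading the raw counter at the two ends of the series would report 10 packets; the reset-aware series shows 50. That is the difference between the cumulative numbers in the rule table and the time-series view, and why a counter that suddenly drops should be read as an edge restart, not as a rule that stopped matching.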
Rule Table
The ACL rule table displays all configured rules with their current hit counts. You can sort the table by:
- Most Active -- Rules with the highest hit counts, showing where most traffic is being matched.
- Least Active -- Rules with the lowest (or zero) hit counts, highlighting candidates for review or removal.
- Rule Order -- The default processing order, useful for understanding rule evaluation sequence.
Each row shows the rule's action (permit/deny), match criteria (source/destination, ports, protocol), and the accumulated hit counters.