enable this capability, traffic with particular flows that are traversing through theingress and egress interfaces are examined and, appropriate ACLs can be applied inboth the ingress and egress direction. Flow-based monitoring conservesbandwidth by monitoring only specified traffic instead all traffic on the interface.This feature is particularly useful when looking for malicious traffic. It is available forLayer 2 and Layer 3 ingress and egress traffic. You may specify traffic usingstandard or extended access-lists. This mechanism copies all incoming or outgoingpackets on one port and forwards (mirrors) them to another port. The source portis the monitored port (MD) and the destination port is the monitoring port (MG).RelatedCommandsip access-list extended — creates an extended ACL.permit tcp — assigns a permit filter for TCP packets.permit udp — assigns a permit filter for UDP packets.permit (for Standard MAC ACLs)To forward packets from a specific source MAC address, configure a filter.Syntax permit {any | mac-source-address [mac-source-address-mask]}[count [byte]] | [log [interval minutes] [threshold-in-msgs[count]] [monitor]To remove this filter, you have two choices:• Use the no seq sequence-number command if you know the filter’ssequence number.• Use the no permit {any | mac-source-address mac-source-address-mask} command.Parameters log (OPTIONAL) Enter the keyword log to enable the triggeringof ACL log messages.threshold-inmsgs count(OPTIONAL) Enter the threshold-in-msgs keywordfollowed by a value to indicate the maximum number of ACLlogs that can be generated, exceeding which the generationof ACL logs is terminated with the seq, permit, or denycommands. The threshold range is from 1 to 100.intervalminutes(OPTIONAL) Enter the keyword interval followed by thetime period in minutes at which ACL logs must be generated.The interval range is from 1 to 10 minutes.monitor (OPTIONAL) Enter the keyword monitor when the rule isdescribing the traffic that you want to monitor and the ACLin which you are creating the rule is applied to the monitoredinterface.Access Control Lists (ACL) 323