[c-nsp] ACL logging on n5k

Lincoln Dale ltd at cisco.com
Wed Aug 11 02:35:15 EDT 2010


On 11/08/2010, at 3:54 PM, Tassos Chatzithomaoglou wrote:
> Just another quick question: can Ethanalyzer capture traffic *before* being dropped by an acl?

N7K: yes.
and in fact, because the way we actually do it is implement the data plane forwarding in the h/w (ASIC) path with a 'rate limited copy' sent to control-plane for the logging action, you can even do "permit ip any any log" on MPPS worth of traffic and not have it melt the box.

if you're asking about N5K then the answer is 'no', at least until the 'log' keyword is added.
because control-plane won't see the packet otherwise.


cheers,

lincoln.

