[c-nsp] ACL 1000 deny hits per second. Only 10 packets in logfile

John Bittenbender kisanth88 at gmail.com
Wed Mar 9 09:21:22 EST 2005


I've been told that on architectures that use PXF forwarding the ACE
log function does not work unless the packets that match the ACE
become processor switched, at which point they get logged.

YMMV

JB


On Wed, 9 Mar 2005 11:31:04 +0200, Kim Onnel <karim.adel at gmail.com> wrote:
> I know that on some platforms, the ACE match numbers don't report
> correctly, e.g. 6500/7600
> 
> I've had a 7600 giving a little number of matches on my last ACE (permit
> ip any any) on a very busy interface
> 
> That is, IIRC, because the ACEs are done in hardware, reported in
> software. I'd like to be corrected if I am wrong about this, anyone
> 
> On Wed, 9 Mar 2005 10:25:26 +0100 (CET), Roger Wiklund <copse at xy.org> wrote:
> > Cisco 3750 EMI 12.2(20)SE3
> >
> > //Roger
> >
> > On Wed, 9 Mar 2005, Kim Onnel wrote:
> >
> > > Which router and IOS is this?
> > >
> > >
> > > On Tue, 8 Mar 2005 17:35:04 +0100 (CET), Roger Wiklund <copse at xy.org> wrote:
> > >> Hi,
> > >>
> > >> Yes I know, but every five minutes there are rate-limit or packets missed
> > >> ~10-15
> > >>
> > >> //Roger
> > >>
> > >> On Tue, 8 Mar 2005, Amol Sapkal wrote:
> > >>
> > >>> I am not sure, but the router will log only a few packets per few
> > >>> seconds and not all the packets, otherwise the cpu would overload
> > >>> logging all the packets.
> > >>>
> > >>> -Amol
> > >>>
> > >>>
> > >>> On Tue, 8 Mar 2005 09:26:19 -0500, Dave Temkin <dave at ordinaryworld.com> wrote:
> > >>>> Do you have anything defined for the "logging rate-limit" command?
> > >>>>
> > >>>> On Tue, 8 Mar 2005 15:19:30 +0100 (CET), Roger Wiklund wrote
> > >>>>> Hi, I have a strange problem.
> > >>>>>
> > >>>>> In my access-list I get about 1000 deny hits/s. But when I look in
> > >>>>> my log I only see about 10 deny packets/minute. Have I overlooked something?
> > >>>>>
> > >>>>> access-list xxx permit ip xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx any
> > >>>>> access-list xxx deny ip any any log-input
> > >>>>>
> > >>>>> //Roger
> > >>>>> _______________________________________________
> > >>>>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > >>>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
> > >>>>> archive at http://puck.nether.net/pipermail/cisco-nsp/
> > >>>>
> > >>>> David Temkin
> > >>>>
> > >>>>
> > >>>
> > >>>
> > >>> --
> > >>> Warm Regds,
> > >>>
> > >>> Amol Sapkal
> > >>>
> > >>> --------------------------------------------------------------------
> > >>> An eye for an eye makes the whole world blind
> > >>> - Mahatma Gandhi
> > >>> --------------------------------------------------------------------
> > >>>
> > >>
> > >
> >
>

