[c-nsp] Sup2 ACL logging problem
Matyas Koszik
koszik at atw.hu
Sat Feb 18 22:14:49 EST 2006
I would like to log ACL dropped packets on a Sup2, but I've come across
some problems.
Here's the test acl:
Extended IP access list teszt-drop
10 deny ip any host 10.1.0.14 (2286 matches)
11 deny ip any host 10.1.0.15 log-input (9367852 matches)
20 permit ip any any reflect reflex
If I send packets destined to 10.1.0.14 everything is fine, but if I send
them to 10.1.0.15 I experience 97% loss when pinging IPs on the sup (and
of course bgp neighbors go down, etc).
I've configured ingress/egress ACL bridging rate limit to 500 pps, which
seems to be working:
.Feb 19 00:10:11.077 CET: %SEC-6-IPACCESSLOGP: list teszt-drop denied tcp
172.28.2.1(2) (FastEthernet2/1 0001.8053.2a7e) -> 10.1.0.15(3), 150044
packets
.Feb 19 00:15:11.182 CET: %SEC-6-IPACCESSLOGP: list teszt-drop denied tcp
172.28.2.1(2) (FastEthernet2/1 0001.8053.2a7e) -> 10.1.0.15(3), 150043
packets
I've checked the CPUs as well:
router#sh proc | i for
CPU utilization for five seconds: 4%/4%; one minute: 4%; five minutes: 4%
router#rem com sw sh proc | i for
CPU utilization for five seconds: 3%/0%; one minute: 5%; five minutes: 5%
The sup runs 12.2(18)SXD6.
What can be wrong?
(I changed the permit to be non-reflexive, and the problem disappeared.
Now it's reflexive again, and still no problems. Strange...)
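
Added example, not part of the original post: a short Python check that turns consecutive %SEC-6-IPACCESSLOGP messages into a logged packets-per-second figure, so the counts quoted above can be compared against the configured 500 pps limit. It assumes each message's count covers the time since the previous message for the same flow; the name logged_rates and the default year are choices made for this example.

```python
import re
from datetime import datetime

# The two log messages from the post, with the mail line wraps rejoined.
SAMPLE_LOG = """\
.Feb 19 00:10:11.077 CET: %SEC-6-IPACCESSLOGP: list teszt-drop denied tcp 172.28.2.1(2) (FastEthernet2/1 0001.8053.2a7e) -> 10.1.0.15(3), 150044 packets
.Feb 19 00:15:11.182 CET: %SEC-6-IPACCESSLOGP: list teszt-drop denied tcp 172.28.2.1(2) (FastEthernet2/1 0001.8053.2a7e) -> 10.1.0.15(3), 150043 packets
"""

# One IPACCESSLOGP message; the "(interface MAC)" part appears only with log-input.
LINE_RE = re.compile(
    r"^[.*]?(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d(?:\.\d+)?)(?: \w+)?: "
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>denied|permitted) "
    r"(?P<proto>\S+) (?P<src>[\d.]+)\((?P<sport>\d+)\) "
    r"(?:\((?P<intf>\S+) (?P<mac>[0-9a-f.]+)\) )?-> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?$"
)


def logged_rates(text, year=2006):
    """Return [(flow, pps)] for every message that has an earlier message
    for the same flow. The timestamps carry no year, so one is supplied
    (assumption: 2006, the year of the post)."""
    last_seen = {}
    rates = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not an IPACCESSLOGP line
        ts = m["ts"]
        fmt = "%Y %b %d %H:%M:%S.%f" if "." in ts else "%Y %b %d %H:%M:%S"
        when = datetime.strptime(f"{year} {ts}", fmt)
        flow = (m["acl"], m["action"], m["proto"], m["src"], m["dst"], m["intf"])
        prev = last_seen.get(flow)
        if prev is not None and when > prev:
            seconds = (when - prev).total_seconds()
            rates.append((flow, int(m["count"]) / seconds))
        last_seen[flow] = when
    return rates


if __name__ == "__main__":
    for flow, pps in logged_rates(SAMPLE_LOG):
        print(f"{flow[0]} {flow[3]} -> {flow[4]} via {flow[5]}: {pps:.1f} pps logged")
```

For the two messages in the post this works out to roughly 500 packets per second over the five-minute interval.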