[c-nsp] More 6500 questions... Optimized ACL Logging
Phil Mayers
p.mayers at imperial.ac.uk
Wed May 9 07:33:38 EDT 2007
>
> But when I try to see what is being logged I get nothing :-
> sh logging ip access-list cache
> Matched flows:
> id prot src_ip dst_ip sport dport status count
> total lastlog
> --------------------------------------------------------------------------------------
>
> Number of entries: 0
> Number of messages logged: 0
> Number of packets logged: 0
> Number of packets received for logging: 0
>
>
>
> What have I missed?
>
Ah ha. Interestingly I've just had to turn this on due to a Symantec
worm outbreak here, and sure enough the "deny" packets were not hitting
the OAL buffer. Then I found this:
http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_chapter09186a00801609f6.html
"""To provide OAL support for denied packets, enter the mls rate-limit
unicast ip icmp unreachable acl-drop 0 command."""
That is, you need to disable the generation of ICMP unreach on ACL
"deny" ACEs *COMPLETELY* in order for OAL to function. Shame it's a box
global as opposed to per-interface or per-ACL/ACE (a "drop" ACE statement?).
I guess when I did my bench-testing I used "permit" ACEs to test.
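The following configuration is an added illustration of the point made in the reply above; it is not from the original thread or from Cisco's documentation. It shows a minimal OAL setup on a Catalyst 6500 together with the `mls rate-limit unicast ip icmp unreachable acl-drop 0` command that the reply identifies as the missing piece for logging "deny" hits. The ACL name, interface, cache sizes and port numbers are placeholders, not values from the page.

```ios
! Added example (not from the original post). Placeholder names and values.
!
! Global OAL cache settings: how many flows the hardware cache holds, how often
! it is flushed to syslog, and the hit count that triggers an early flush.
logging ip access-list cache entries 8000
logging ip access-list cache interval 300
logging ip access-list cache threshold 10
!
! The caveat from the reply: by default packets dropped by a "deny" ACE are
! punted to the route processor so it can send an ICMP unreachable, and those
! punted packets never reach the OAL cache. Setting the limiter to 0 stops the
! punt (and therefore the ICMP unreachable) box-wide, so "deny ... log" ACEs
! are accounted for by OAL. Hosts behind the ACL will no longer get an
! administratively-prohibited unreachable for denied traffic.
mls rate-limit unicast ip icmp unreachable acl-drop 0
!
! Only ACEs carrying the "log" keyword feed the OAL cache. Port numbers are
! placeholders for whatever the outbreak is using.
ip access-list extended BLOCK-WORM-TRAFFIC
 deny   tcp any any eq 135 log
 deny   tcp any any eq 445 log
 permit ip any any
!
! Apply the ACL and enable OAL caching for the ingress direction on the SVI.
interface Vlan100
 ip access-group BLOCK-WORM-TRAFFIC in
 logging ip access-list cache in
!
! Verify with the same command the original poster used:
!   show logging ip access-list cache
! Denied flows should now appear under "Matched flows" instead of the cache
! staying at "Number of entries: 0".
```

Because the rate limiter is global, the trade-off is the one the reply complains about: every interface on the chassis stops sending ICMP unreachables for ACL-denied traffic, not just the one being logged.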