[c-nsp] The maximum number of match packets Cisco Router can detect on ACL at one time.

Rodney Dunn rodunn at cisco.com
Wed Jul 16 07:25:59 EDT 2008


If I remember correctly they are rate limited.

You should use NetFlow and match on ACL dst if of Null0 rather
than the log feature of the ACLs.

Rodney

On Wed, Jul 16, 2008 at 12:31:26PM +0700, a. rahman isnaini r.sutan wrote:
> Hi charles,
> 
> Depends on the engine processor.
> Our G1 can handle this; it is just that the router does not show it in the log (we 
> saved to a syslog-ng server).
> 
> 
> rgs
> a. rahman isnaini r.sutan
> 
> Church, Charles wrote:
> >If the router is subject to enough traffic where thousands of ACL hits
> >are happening per second, you DON'T want to have any entries of that ACL
> >logging.  It's terrible for performance.
> >
> >Chuck
> >
> >-----Original Message-----
> >From: cisco-nsp-bounces at puck.nether.net
> >[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of a. rahman
> >isnaini r.sutan
> >Sent: Tuesday, July 15, 2008 10:05 PM
> >To: Rodney Dunn
> >Cc: cisco-nsp at puck.nether.net
> >Subject: Re: [c-nsp] The maximum number of match packets Cisco Router
> >can detect on ACL at one time.
> >
> >
> >Thanks Rodney.
> >Another thing: though the ACL matches thousands of hits at once,
> >the log couldn't show this (log buffer has been set to 4096 x 2).
> >
> >a. rahman isnaini r.sutan
> >
> >Rodney Dunn wrote:
> >>There is no limit to the number of times the ACL will match and drop.
> >>
> >>The counter, depending on how it's defined in the code, may wrap, but
> >>that should never prevent the ACL from matching and
> >>dropping/permitting.
> >>
> >>Rodney
> >>
> >>On Tue, Jul 15, 2008 at 06:08:03PM +0700, a. rahman isnaini r.sutan wrote:
> >>>Hi,
> >>>
> >>>
> >>>Maybe some of you have noted once the maximum value (number) that a
> >>>Cisco ACL can match, let's say for flooding packets.
> >>>Here: deny tcp any any eq 1434 (5732 matches), for example.
> >>>Since I have a problem with a 7200 NPE G1, the huge traffic cannot be 
> >>>detected & matched by the ACL.
> >>>
> >>>Thanks for sharing if you will.
> >>>
> >>>a. rahman isnaini r.sutan
> >>>_______________________________________________
> >>>cisco-nsp mailing list  cisco-nsp at puck.nether.net
> >>>https://puck.nether.net/mailman/listinfo/cisco-nsp
> >>>archive at http://puck.nether.net/pipermail/cisco-nsp/
> >>
> >>
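As an added example (not from the thread, and not Cisco's own documentation), here is an IOS configuration sketch of the approach Rodney recommends: leave the `log` keyword off the ACL entries that take heavy hits, blackhole the attacked destination prefix to Null0, and let NetFlow record the flows whose output interface is Null0 instead of relying on per-packet ACL log messages. The ACL name, interface names, addresses (RFC 5737 documentation ranges) and the collector address/port are assumptions; substitute your own.

```ios
! Added example, not from the thread. Names and addresses are assumed.
!
! 1. Drop the scan/flood traffic WITHOUT "log" on the busy entry.
!    A logged ACE punts a copy of each matched packet to the CPU
!    (rate-limited, so the log undercounts anyway), which is what hurts
!    an NPE-G1 at thousands of hits per second. The match counter still
!    increments and the entry still drops, even if the counter wraps.
ip access-list extended EDGE-IN
 deny   tcp any any eq 1434
 permit ip any any
!
! 2. Blackhole the targeted prefix so forwarded traffic to it shows an
!    output interface of Null0 in the flow cache. A packet the ACL denies
!    is never forwarded, so use the Null0 route for traffic you want to
!    account for rather than drop with an ACE.
interface Null0
 no ip unreachables
!
ip route 198.51.100.0 255.255.255.0 Null0
!
! 3. Account for the traffic with NetFlow instead of ACL logging.
interface Loopback0
 ip address 192.0.2.1 255.255.255.255
!
interface GigabitEthernet0/1
 ip address 203.0.113.1 255.255.255.0
 ip access-group EDGE-IN in
 ip flow ingress
!
ip flow-export source Loopback0
ip flow-export version 9
ip flow-export destination 192.0.2.10 2055
!
! Verification (exec mode):
!   show ip access-lists EDGE-IN   <- per-ACE match counters (may wrap, still drops)
!   show ip cache flow             <- flows to 198.51.100.x listed with DstIf Null
!   show ip flow export            <- exported flows/datagrams and error counters
```

On the collector side, filter the exported records on the output interface index that corresponds to Null0 (or on the blackholed destination prefix) to get the per-flow view of the attack traffic that ACL logging could not provide at these rates.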