[c-nsp] The maximum number of match packets Cisco Router can detect on ACL at one time.
a. rahman isnaini r.sutan
risnaini at indo.net.id
Wed Jul 16 08:08:43 EDT 2008
OK then, so the Cisco router has a limitation on plotting the maximum
hits/matches on an ACL to a raw log.
Thanks Rodney.
a. rahman isnaini r.sutan
Rodney Dunn wrote:
> If I remember correctly they are rate limited.
>
> You should use netflow and match on ACL dst if of Null0 rather
> than the log feature of the ACL's.
>
> Rodney
>
> On Wed, Jul 16, 2008 at 12:31:26PM +0700, a. rahman isnaini r.sutan wrote:
>> Hi charles,
>>
>> Depends on the engine processor.
>> Our G1 can handle this, it's just that the router doesn't show it in the log (we
>> saved to a syslog-ng server).
>>
>>
>> rgs
>> a. rahman isnaini r.sutan
>>
>> Church, Charles wrote:
>>> If the router is subject to enough traffic where thousands of ACL hits
>>> are happening per second, you DON'T want to have any entries of that ACL
>>> logging. It's terrible for performance.
>>>
>>> Chuck
>>>
>>> -----Original Message-----
>>> From: cisco-nsp-bounces at puck.nether.net
>>> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of a. rahman
>>> isnaini r.sutan
>>> Sent: Tuesday, July 15, 2008 10:05 PM
>>> To: Rodney Dunn
>>> Cc: cisco-nsp at puck.nether.net
>>> Subject: Re: [c-nsp] The maximum number of match packets Cisco Router
>>> can detect on ACL at one time.
>>>
>>>
>>> Thanks Rodney.
>>> Another thing: though the ACL matches thousands of hits at once,
>>> the log couldn't show this (log buffer has been set to 4096 x 2).
>>>
>>> a. rahman isnaini r.sutan
>>>
>>> Rodney Dunn wrote:
>>>> There is no limit to the number of times the ACL will match and drop.
>>>>
>>>> The counter, depending on how it's defined in the code, may wrap, but
>>>> that should never impact the ACL from matching and
>>>> dropping/permitting.
>>>>
>>>> Rodney
>>>>
>>>> On Tue, Jul 15, 2008 at 06:08:03PM +0700, a. rahman isnaini r.sutan wrote:
>>>>> Hi,
>>>>>
>>>>>
>>>>> Some of you might have noted once the maximum value (number) that a Cisco
>>>>> ACL can match, let's say flooding packets.
>>>>> Here: deny tcp any any eq 1434 (5732 matches), for example.
>>>>> Since I have a problem with a 7200 NPE-G1, the huge traffic cannot be
>>>>> detected & matched by the ACL.
>>>>>
>>>>> Thanks for sharing if you will.
>>>>>
>>>>> a. rahman isnaini r.sutan
>>>>> _______________________________________________
>>>>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>>>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>>>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>>>
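Rodney's suggestion of counting blackholed traffic from NetFlow instead of from rate-limited ACL log messages, as an added example that is not part of the thread: a minimal NetFlow v5 parser that sums packets per protocol and destination port for flows whose output interface is Null0. The Null0 ifIndex value, the `_record` helper and the sample export are constructed assumptions (check the real ifIndex on the router with `show snmp mib ifmib ifindex`).

```python
import struct
from collections import Counter
from ipaddress import IPv4Address

# NetFlow v5 wire format: 24-byte header followed by fixed 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")
# Assumption: output ifIndex reported for Null0 (commonly 0); verify on the router.
NULL0_IFINDEX = 0

def parse_v5(datagram):
    """Yield one dict per flow record in a NetFlow v5 export datagram."""
    version, count = struct.unpack_from("!HH", datagram, 0)
    if version != 5:
        raise ValueError("not a NetFlow v5 export")
    off = V5_HEADER.size
    for _ in range(count):
        r = V5_RECORD.unpack_from(datagram, off)
        off += V5_RECORD.size
        # r[4] = output ifIndex, r[5] = dPkts, r[10] = dstport, r[13] = protocol
        yield {"src": str(IPv4Address(r[0])), "dst": str(IPv4Address(r[1])),
               "out_if": r[4], "packets": r[5], "dstport": r[10], "proto": r[13]}

def blackholed_hits(datagram, null0_ifindex=NULL0_IFINDEX):
    """Sum packets per (proto, dstport) for flows routed to Null0.

    This is the count the ACL 'log' keyword cannot give you once messages are
    rate limited; the flow export carries every flow's packet count instead."""
    hits = Counter()
    for rec in parse_v5(datagram):
        if rec["out_if"] == null0_ifindex:
            hits[(rec["proto"], rec["dstport"])] += rec["packets"]
    return dict(hits)

def _record(src, dst, out_if, pkts, dport, proto):
    """Hypothetical helper: build one constructed v5 record (input ifIndex 1)."""
    return V5_RECORD.pack(int(IPv4Address(src)), int(IPv4Address(dst)), 0, 1,
                          out_if, pkts, pkts * 404, 0, 0, 1025, dport,
                          0, 0x02, proto, 0, 0, 0, 24, 24, 0)

# Constructed sample export: three flows to a blackholed host, one normal flow out ifIndex 2.
SAMPLE = V5_HEADER.pack(5, 4, 0, 0, 0, 0, 0, 0, 0) + b"".join([
    _record("10.1.1.1", "192.0.2.10", NULL0_IFINDEX, 4000, 1434, 6),
    _record("10.1.1.2", "192.0.2.10", NULL0_IFINDEX, 1732, 1434, 6),
    _record("10.1.1.3", "192.0.2.10", NULL0_IFINDEX, 300, 80, 6),
    _record("10.9.9.9", "198.51.100.5", 2, 50, 443, 6),
])

if __name__ == "__main__":
    for (proto, port), pkts in sorted(blackholed_hits(SAMPLE).items()):
        print(f"proto {proto} dport {port}: {pkts} packets to Null0")
```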