[c-nsp] Cisco Optimized ACL Logging (OAL)
Phil Mayers
p.mayers at imperial.ac.uk
Wed Jun 25 12:39:18 EDT 2008
Matt Nguyen wrote:
> Is anyone out there using OAL? It seems very easy to implement but
> I’d appreciate any feedback about your experience implementing this.
Yes. It works fine; however, it has some caveats, notably:
1. If you want to "deny log" and have OAL work, you need to tell the
box to *not* leak denied packets to the SUP:
mls rate-limit unicast ip icmp unreachable acl-drop 0
2. It's mutually exclusive with VACL capture, which is a shame.
>
>
> I have a 6509 with Sup720/MSFC3 and PFC3B and am not yet using OAL.
>
> I have about 30 VLANs with low/negligible traffic volume. I have 4
> high volume VLANs with sustained traffic volume of 100Mbps and
> 30Kpps. I have another 4 medium volume VLANs with about half that
> volume of traffic. I have 130 line ACLs inbound and outbound on 2/4
> of the high and 2/4 of the medium volume VLANs with selective logging
> of particular lines in the ACLs.
>
> My CPU is steady at about 18%.
>
> I am in the process of adding ACLs to the remaining high and medium
> volume VLANs but have halted my deployment because during initial
> phases where I was doing more logging than normal to try and identify
> source/destination pairs, my CPU was spiking to 98%!
Yeah, probably
>
> My main questions are: Is OAL really going to help me that much?
Yes
> Any caveats/tradeoffs when implementing OAL? All feedback is greatly
> appreciated!
As above
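Putting the two caveats above together into one configuration, as an added example that is not part of the thread (the interface, VLAN, addresses and ACL name are hypothetical; the global OAL cache values are illustrative, not recommendations):

```cisco
! Added example, not from the thread. Catalyst 6500 / Sup720 with PFC3.
! Interface, VLAN, addresses and ACL name are hypothetical.
!
! 1. Caveat 1 from the thread: stop punting ACL-denied packets to the RP.
!    With the rate limiter at 0, "deny ... log" hits stay in hardware and
!    OAL records them; a side effect is that the box no longer generates
!    ICMP unreachables for packets the ACL drops.
mls rate-limit unicast ip icmp unreachable acl-drop 0
!
! 2. Global OAL cache: how many flows to track, how often the cache is
!    flushed to syslog, and how many logged packets per second the cache
!    will accept. Values here are illustrative.
logging ip access-list cache entries 8000
logging ip access-list cache interval 300
logging ip access-list cache rate-limit 1000
!
! 3. An ordinary extended ACL with a logged deny line.
ip access-list extended SERVER-VLAN-IN
 permit tcp any host 192.0.2.10 eq 443
 permit tcp any host 192.0.2.10 eq 22
 deny   ip any any log
!
! 4. Apply the ACL and enable OAL for the inbound direction on the SVI.
!    Caveat 2 from the thread: do not also configure VACL capture on
!    this VLAN, since OAL and VACL capture are mutually exclusive.
interface Vlan100
 ip address 192.0.2.1 255.255.255.0
 ip access-group SERVER-VLAN-IN in
 logging ip access-list cache in
```

After applying this, `show mls rate-limit` should list the ICMP unreachable acl-drop limiter as off, and `show logging ip access-list cache` shows the flows OAL has accumulated before they are written to syslog at the configured interval. If CPU still climbs when logging is enabled, check for other ACEs that force software processing rather than assuming OAL is not working.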