[c-nsp] Cisco Optimized ACL Logging (OAL)

Phil Mayers p.mayers at imperial.ac.uk
Wed Jun 25 12:39:18 EDT 2008


Matt Nguyen wrote:
> Is anyone out there using OAL?  It seems very easy to implement but
> I’d appreciate any feedback about your experience implementing this.

Yes. It works fine; however, it has some caveats, notably:

  1. If you want to "deny log" and have OAL work, you need to tell the 
box to *not* leak denied packets to the SUP:

mls rate-limit unicast ip icmp unreachable acl-drop 0

  2. It's mutually exclusive with VACL capture, which is a shame

> 
> 
> I have a 6509 with Sup720/MSFC3 and PFC3B and am not yet using OAL.
> 
> I have about 30 VLANs with low/negligible traffic volume. I have 4
> high volume VLANs with sustained traffic volume of 100Mbps and
> 30Kpps. I have another 4 medium volume VLANs with about half that
> volume of traffic. I have 130 line ACLs inbound and outbound on 2/4
> of the high and 2/4 of the medium volume VLANs with selective logging
> of particular lines in the ACLs.
> 
> My CPU is steady at about 18%.
> 
> I am in the process of adding ACLs to the remaining high and medium
> volume VLANs but have halted my deployment because during initial
> phases where I was doing more logging than normal to try and identify
> source/destination pairs, my CPU was spiking to 98%!

Yeah, probably

> 
> My main questions are:  Is OAL really going to help me that much?

Yes

> Any caveats/tradeoffs when implementing OAL?  All feedback is greatly
> appreciated!

As above
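The caveat above in one place, as an added configuration example that is not from the thread or from either poster: a Catalyst 6500 / Sup720 ACL with a logged final deny, the OAL cache enabled for it, and the `mls rate-limit` line that keeps the dropped packets off the SUP. The OAL command syntax is from my recollection of Cisco's Optimized ACL Logging documentation and should be checked against the IOS release in use; the VLAN number, ACL name, addresses and cache values are made-up placeholders.

```cisco
! Added example (not from the thread): OAL with a "deny ... log" ACE.
! Command syntax is assumed from Cisco's OAL documentation; VLAN, ACL
! name, addresses and cache sizes are placeholders chosen for illustration.
!
! 1. Keep denied packets off the SUP/MSFC. Without this every ACL drop
!    that would generate an ICMP unreachable is punted to the CPU, which
!    is the behaviour behind the 98% CPU described in the thread.
mls rate-limit unicast ip icmp unreachable acl-drop 0
!
! 2. Global OAL cache tuning: logged flows are aggregated in hardware
!    and flushed to syslog on a timer or threshold, not punted per packet.
logging ip access-list cache entries 8192
logging ip access-list cache interval 300
logging ip access-list cache rate-limit 10
logging ip access-list cache threshold 100
!
! 3. The ACL: permits are not logged, only the closing deny is.
ip access-list extended VLAN100-IN
 permit tcp 192.0.2.0 0.0.0.255 any eq 443
 permit udp 192.0.2.0 0.0.0.255 any eq 53
 deny   ip  any any log
!
! 4. Apply the ACL and turn on OAL for the same direction on the SVI.
interface Vlan100
 ip access-group VLAN100-IN in
 logging ip access-list cache in
!
! Verification: the hardware-logged entries currently held in the cache.
! show logging ip access-list cache
```

Note the ordering: the `mls rate-limit ... acl-drop 0` line is what makes the logged deny cheap, so it belongs in the change alongside the OAL commands rather than as an afterthought; and because OAL and VACL capture are mutually exclusive (caveat 2), check for any existing VACL capture configuration on the box before enabling the cache on an interface.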

