North American Network Operators Group|
Date Prev | Date Next |
Date Index |
Thread Index |
Author Index |
- From: Christopher L. Morrow
- Date: Sat Jan 25 16:24:27 2003
On Sat, 25 Jan 2003, Iljitsch van Beijnum wrote:
> On Sat, 25 Jan 2003, Rob Thomas wrote:
> > ] access-list 150 deny udp any any eq 1434 log-input
> > Be _very_ careful about enabling such logging. Some of the worm flows
> > have filled GigE pipes. I doubt you really want to log that; Netflow
> > is a better option in this case. Too much logging will raise the CPU
> > utilization to the point of creating a DoS on the router.
> As a general rule, yes. But:
> " Access list logging does not show every packet that matches an entry.
> Logging is rate-limited to avoid CPU overload. What logging shows you is
> a reasonably representative sample, but not a complete packet trace.
> Remember that there are packets you're not seeing.
either way, the logging for this, ESPECIALLY with log-input, is a
dangerous proposition. One thing to keep in mind is that the S-train
platforms are different in handling logging than the normal trains... so
S-train rate-limits (and bumps out them annoying messages about
rate-limited messages) while others punt as much to the route processor as
possible and happily saturate it :( (Don't log on like a 7500 for instance
if the packet rates are over like 5kpps...)
> Access lists and logging have a performance impact, but not a large one.
> Be careful on routers running at more than about 80 percent CPU load, or
> when applying access lists to very high-speed interfaces. "
right, or on platforms not built to scale :) (like 7500 or smaller boxen)
> ( http://www.cisco.com/warp/public/707/22.html )
> There doesn't seem to be a noticable impact on CPU usage for a C12000
> GigE linecard. Can you do Netflow rather than CEF on such a beast
> without a performance penalty?
One thing to keep in mind is that perhaps you don't care about the logging
:) Just drop it and make your customers fix their borked boxes...