On 20/03/13 14:42, "Rolf Hanßen" wrote:
Hello,
Just wanted to drop some UDP flooding with an interface ACL.
I configured:
interface Vlan1373
ip access-group block-flood in
exit
Access-list is very simple:
edge1-ams3#sh ip access-lists block-flood
Extended IP access list block-flood
10 deny udp any host 1.2.3.4 (589878 matches)
20 permit ip any any (149516 matches)
edge1-ams3#
edge1-ams3#sh int Vl1373 | inc input rate
30 second input rate 2772775000 bits/sec, 435403 packets/sec
edge1-ams3#
The interface has a quite high amount of pps, but the acl hit count
increases only by less than 200/sec for both entries together.
Does that ACL not filter all traffic passing the interface or why does the
delta of ACL hits not match the number of incoming pps?
Maybe it counts only packets going to the RP or something is cached and
counts only every x packets?
Typically you will find the ACL counters on hardware platforms may
under-count, unless you enable specific features.
On Sup2T, you want:
ip access-list ...
hardware statistics
You may (or may not) find OAL interesting as well.
See here:
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/15.1SY/config_guide/sup2T/ios_acl_support.html#wp1111231
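A quick way to spot the under-count described above before touching the ACL config: take two `show ip access-lists` snapshots a known interval apart and compare the per-second counter delta against the interface's input pps. This is an added example, not code from the thread; the two snapshots and the rate line are constructed from the numbers in the original post, and the 50% coverage threshold is an assumed heuristic.

```python
import re

# Constructed samples modelled on the thread's output (not captured from the list):
# two "show ip access-lists block-flood" snapshots taken INTERVAL seconds apart,
# plus the interface "input rate" line from "show int ... | inc input rate".
INTERVAL = 30
ACL_T0 = """Extended IP access list block-flood
    10 deny udp any host 1.2.3.4 (589878 matches)
    20 permit ip any any (149516 matches)"""
ACL_T1 = """Extended IP access list block-flood
    10 deny udp any host 1.2.3.4 (595278 matches)
    20 permit ip any any (149816 matches)"""
RATE_LINE = "30 second input rate 2772775000 bits/sec, 435403 packets/sec"

ACE_RE = re.compile(r"^\s*(\d+)\s+(permit|deny)\s+.*?\((\d+) matches\)", re.M)
PPS_RE = re.compile(r"(\d+) packets/sec")

def parse_matches(show_output):
    """Map ACE sequence number -> cumulative match counter."""
    return {int(seq): int(cnt) for seq, _, cnt in ACE_RE.findall(show_output)}

def parse_pps(rate_line):
    """Pull the packets/sec figure out of the interface rate line."""
    m = PPS_RE.search(rate_line)
    if not m:
        raise ValueError("no packets/sec field in: " + rate_line)
    return int(m.group(1))

def counter_coverage(acl_t0, acl_t1, rate_line, interval):
    """Return (hits_per_sec, pps, coverage): coverage is the fraction of the
    interface's input pps that the ACL counters actually account for."""
    before, after = parse_matches(acl_t0), parse_matches(acl_t1)
    hits = sum(after[s] - before.get(s, 0) for s in after)
    hits_per_sec = hits / interval
    pps = parse_pps(rate_line)
    return hits_per_sec, pps, (hits_per_sec / pps if pps else 0.0)

def counters_look_software_only(coverage, threshold=0.5):
    """Assumed heuristic: if the ACL accounts for well under the input pps, the
    platform is most likely counting only punted/software-switched packets."""
    return coverage < threshold

if __name__ == "__main__":
    hps, pps, cov = counter_coverage(ACL_T0, ACL_T1, RATE_LINE, INTERVAL)
    print(f"ACL hits/s {hps:.0f} vs interface {pps} pps -> coverage {cov:.4%}")
    if counters_look_software_only(cov):
        print("Counters cover a tiny fraction of traffic; check hardware statistics.")
```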
_______________________________________________
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/