On Sat, 25 Jan 2003, Iljitsch van Beijnum wrote:

> > On Sat, 25 Jan 2003, Rob Thomas wrote:
> > > ] access-list 150 deny udp any any eq 1434 log-input
> >
> > Be _very_ careful about enabling such logging. Some of the worm flows
> > have filled GigE pipes. I doubt you really want to log that; Netflow
> > is a better option in this case. Too much logging will raise the CPU
> > utilization to the point of creating a DoS on the router.
>
> As a general rule, yes. But:
>
> " Access list logging does not show every packet that matches an entry.
> Logging is rate-limited to avoid CPU overload. What logging shows you is
> a reasonably representative sample, but not a complete packet trace.
> Remember that there are packets you're not seeing.

Either way, the logging for this, ESPECIALLY with log-input, is a dangerous
proposition. One thing to keep in mind is that the S-train platforms are
different in handling logging than the normal trains... so S-train
rate-limits (and bumps out those annoying messages about rate-limited
messages) while others punt as much to the route processor as possible and
happily saturate it :( (Don't log on like a 7500 for instance if the packet
rates are over like 5kpps...)

> Access lists and logging have a performance impact, but not a large one.
> Be careful on routers running at more than about 80 percent CPU load, or
> when applying access lists to very high-speed interfaces. "

Right, or on platforms not built to scale :) (like 7500 or smaller boxen)

> ( http://www.cisco.com/warp/public/707/22.html )
>
> There doesn't seem to be a noticeable impact on CPU usage for a C12000
> GigE linecard. Can you do Netflow rather than CEF on such a beast
> without a performance penalty?

One thing to keep in mind is that perhaps you don't care about the logging
:) Just drop it and make your customers fix their borked boxes...
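As an added example (not code from this thread, and not Cisco's), here is a small Python aggregator for the ACL log messages the discussion is about. It sums the per-entry packet counts from `deny ... log-input` hits, folds in the "rate-limited or missed N packets" notices so the total is read as a lower bound rather than a complete trace, and keeps the ingress interface and MAC that `log-input` adds on top of plain `log`. The syslog formats (`%SEC-6-IPACCESSLOGP`, `%SEC-6-IPACCESSLOGRL`) are assumed from memory of IOS output, and every sample line is constructed.

```python
"""Aggregate Cisco IOS ACL log lines into a rate-limit-aware summary.

Added example, not code from the thread. The message formats below are
assumptions about IOS syslog output; the sample lines are constructed.
"""
import re
from collections import Counter, defaultdict

# %SEC-6-IPACCESSLOGP: the "(interface mac)" group only appears when the
# ACL entry uses log-input rather than log.
ACL_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>denied|permitted) "
    r"(?P<proto>\w+) (?P<src>\d+\.\d+\.\d+\.\d+)\((?P<sport>\d+)\)"
    r"(?: \((?P<ifname>\S+) (?P<mac>[0-9a-f.]+)\))?"
    r" -> (?P<dst>\d+\.\d+\.\d+\.\d+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)
# %SEC-6-IPACCESSLOGRL: emitted when the logging rate limit dropped matches.
RL_RE = re.compile(r"%SEC-6-IPACCESSLOGRL: .*?missed (?P<missed>\d+) packets?")

# Constructed sample: three log-input hits on udp/1434 and one rate-limit notice.
SAMPLE_LOG = """\
Jan 25 2003 10:00:01: %SEC-6-IPACCESSLOGP: list 150 denied udp 192.0.2.10(1433) (GigabitEthernet1/0 0001.0203.0405) -> 198.51.100.5(1434), 1 packet
Jan 25 2003 10:00:06: %SEC-6-IPACCESSLOGP: list 150 denied udp 192.0.2.10(1433) (GigabitEthernet1/0 0001.0203.0405) -> 198.51.100.5(1434), 812 packets
Jan 25 2003 10:00:06: %SEC-6-IPACCESSLOGP: list 150 denied udp 192.0.2.77(4321) (GigabitEthernet1/0 0001.0203.0406) -> 198.51.100.9(1434), 340 packets
Jan 25 2003 10:00:07: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 4520 packets
"""


def parse(lines):
    """Yield ('acl', record) for ACL hits and ('missed', n) for rate-limit notices."""
    for line in lines:
        m = ACL_RE.search(line)
        if m:
            rec = m.groupdict()
            for key in ("sport", "dport", "count"):
                rec[key] = int(rec[key])
            yield "acl", rec
            continue
        m = RL_RE.search(line)
        if m:
            yield "missed", int(m.group("missed"))


def summarize(lines):
    """Roll up logged packets per source and destination port.

    'missed' is the router's own count of matches it did not log, so
    logged + missed is a lower bound on real matches, not the exact number.
    """
    logged = 0
    missed = 0
    by_src = Counter()
    by_dport = Counter()
    ingress = defaultdict(set)  # src -> {(interface, mac)} from log-input
    for kind, rec in parse(lines):
        if kind == "missed":
            missed += rec
            continue
        logged += rec["count"]
        by_src[rec["src"]] += rec["count"]
        by_dport[rec["dport"]] += rec["count"]
        if rec["ifname"]:
            ingress[rec["src"]].add((rec["ifname"], rec["mac"]))
    seen = logged + missed
    return {
        "logged": logged,
        "missed": missed,
        "lower_bound": seen,
        "sample_fraction": logged / seen if seen else 1.0,
        "top_sources": by_src.most_common(5),
        "by_dport": dict(by_dport),
        "ingress": {src: ifs for src, ifs in ingress.items()},
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG.splitlines())
    print(f"logged={s['logged']} missed={s['missed']} "
          f"lower_bound={s['lower_bound']} sampled={s['sample_fraction']:.1%}")
    for src, n in s["top_sources"]:
        print(f"  {src:15} {n:6} pkts via {sorted(s['ingress'].get(src, ()))}")
```

The `sample_fraction` figure is the thing to watch: once the rate-limit notices dominate, the per-source counts are a sample, as the quoted Cisco text says, and a flow-export record is the place to get real volumes.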