RE: Which access-list increase load the most?

2000-07-11 Thread Herold Heiko

Remember mrtg does its monitoring with snmp (I suppose cricket does the
same, I never used it though).
This means you can monitor everything available on that router with snmp,
memory, blocks, errors, processes, temperature, lots of things. Just get
yourself a free MIB browser if needed and take a look - you'll be
surprised at the wealth of data.

For example one interesting thing I'd like to try asap on a heavily
access-listed router could be a graph with (sum of inbound bytes on all
interfaces) - (sum of outbound bytes on all interfaces). Or, for the
temperature thing (not available on my routers unfortunately), what about
cpuload/(current temperature - "base" temperature)*100 ? Remember you can
mix different devices... in fact I'm trying to get an APC UPS with
environmental monitor (instead of another one) for exactly this reason :-)

Heiko

-- PREVINET S.p.A.[EMAIL PROTECTED]
-- Via Marocchesa, 14 ph  x39-041-5907073
-- I-31021 Mogliano V.to (TV) fax x39-041-5907025
-- ITALY



>-Original Message-
>From: Emilia Lambros [mailto:[EMAIL PROTECTED]]
>Sent: Tuesday, July 11, 2000 5:43 AM
>To: [EMAIL PROTECTED]
>Subject: RE: Which access-list increase load the most?
>
>
>In response to the other part of the question, I know Cricket
>(http://cricket.sourceforge.net/) does CPU/Memory monitoring and MRTG does
>load, but I'm not sure about memory .. you'd probably have to check it/play
>with it for a while, but I have seen some pretty weird stuff done with MRTG
>so you never know until you give it a go.

___
UPDATED Posting Guidelines: http://www.groupstudy.com/list/guide.html
FAQ, list archives, and subscription info: http://www.groupstudy.com
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
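
An added sketch of the two derived graphs suggested above (not code from the original post): it computes (sum of inbound bytes) - (sum of outbound bytes) from two polls of the standard ifInOctets/ifOutOctets counters, allowing for 32-bit counter wrap, plus the load-per-degree ratio. The interface names, counter readings and 300-second poll interval are constructed sample values.

```python
COUNTER32_MOD = 2 ** 32  # ifInOctets / ifOutOctets are 32-bit wrapping counters


def counter_delta(old, new, modulus=COUNTER32_MOD):
    """Growth of a wrapping SNMP counter between two polls.

    Assumes at most one wrap per interval and no reboot in between
    (a reboot resets the counter and would look like a huge delta).
    """
    return (new - old) % modulus


def unforwarded_rate(prev, curr, interval_s):
    """(sum of inbound bytes) - (sum of outbound bytes), in bytes per second.

    prev and curr map interface name -> (ifInOctets, ifOutOctets).
    The result is traffic that entered the router and never left it:
    packets dropped by filters, but also packets addressed to the router
    itself. Traffic the router originates pushes the value down.
    """
    if interval_s <= 0:
        raise ValueError("poll interval must be positive")
    total_in = total_out = 0
    for ifname, (in_new, out_new) in curr.items():
        if ifname not in prev:
            continue  # interface appeared between polls: no baseline yet
        in_old, out_old = prev[ifname]
        total_in += counter_delta(in_old, in_new)
        total_out += counter_delta(out_old, out_new)
    return (total_in - total_out) / interval_s


def load_per_degree(cpu_pct, temp_c, base_temp_c):
    """cpuload / (current temperature - "base" temperature) * 100.

    Returns None when the device is at or below the base temperature,
    where the ratio is undefined or meaningless.
    """
    rise = temp_c - base_temp_c
    if rise <= 0:
        return None
    return cpu_pct / rise * 100


# Constructed sample polls, 300 seconds apart. Ethernet0's inbound counter
# wraps past 2**32 between the two readings.
POLL_1 = {"Ethernet0": (4294960000, 1000), "Serial0": (5000, 4294000000)}
POLL_2 = {"Ethernet0": (40000, 3000), "Serial0": (6000, 4294030000)}

if __name__ == "__main__":
    print("unforwarded bytes/s:", unforwarded_rate(POLL_1, POLL_2, 300))
    print("load per degree:", load_per_degree(30, 45, 25))
```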



Re: Which access-list increase load the most?

2000-07-10 Thread Paul Borghese

MRTG can do CPU/Memory.  You just need to find the correct MIB and set it up
in MRTG.  Start looking under 1.3.6.1.4.1.9.local.system.

I believe the CPU mib is around .56-58 under cisco.local.system but I am
doing this from memory so I may be way off.  Look in the Cisco doc set or
use snmpwalk.

Paul Borghese
-Original Message-
From: Emilia Lambros <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Date: Monday, July 10, 2000 11:44 PM
Subject: RE: Which access-list increase load the most?


>In response to the other part of the question, I know Cricket
>(http://cricket.sourceforge.net/) does CPU/Memory monitoring and MRTG does
>load, but I'm not sure about memory .. you'd probably have to check it/play
>with it for a while, but I have seen some pretty weird stuff done with MRTG
>so you never know until you give it a go.



RE: Which access-list increase load the most?

2000-07-10 Thread Emilia Lambros

In response to the other part of the question, I know Cricket
(http://cricket.sourceforge.net/) does CPU/Memory monitoring and MRTG does
load, but I'm not sure about memory .. you'd probably have to check it/play
with it for a while, but I have seen some pretty weird stuff done with MRTG
so you never know until you give it a go.






Re: Which access-list increase load the most?

2000-07-10 Thread Howard C. Berkowitz

Absolutely true that it depends -- and it depends on even more factors.

Even more important than the pure CPU load is the switching path that 
will be caused by using a given access list (or other feature that 
examines traffic).  This is especially true on high-end routers with 
multiple processors, which can do distributed forwarding and 
filtering.

If, for example, you add a filter to a 7500 and don't watch what you 
are doing, you could jump from DCEF (that doesn't go through the CPU 
at all) to fast switching.  Optimum and both NetFlow and Distributed 
NetFlow would probably have been better options.

Unfortunately, the rules just aren't simple.  The forwarding path for 
a particular feature depends on the IOS release level, possibly 
microcode levels, platform, and interface type.


>It really depends.
>If you have a small size of routing table but huge
>access-list, you put it inbound. If most of the
>incoming traffic is not routable by your router, it
>passes through the access-list and gets dropped, because
>your router has no routes for it. Under this
>circumstance I think I will put the access-list
>outbound to save the CPU of the router.
>So it really depends on what situation we have.
>
>Thanks
>
>Kent

Re: Which access-list increase load the most?

2000-07-10 Thread Kent

It really depends.
If you have a small size of routing table but huge
access-list, you put it inbound. If most of the
incoming traffic is not routable by your router, it
passes through the access-list and gets dropped, because
your router has no routes for it. Under this
circumstance I think I will put the access-list
outbound to save the CPU of the router.
So it really depends on what situation we have.

Thanks

Kent



--- Tom Holbrook <[EMAIL PROTECTED]> wrote:
> Jenny-
>
> My understanding was that you should apply them inbound,
> so the traffic doesn't have to go through a route lookup
> process, just to be dropped. Am I missing something here?
>
> -Tom

Re: Which access-list increase load the most?

2000-07-09 Thread Michael L. Williams

I agree.  Using the scenario that Jenny used:

rtrA <-->rtrB

If you wanted to block telnet traffic from going from RouterA to RouterB,
you could put the access list on the outgoing interface of router A and save
bandwidth across the link between A and B.  However, the traffic attempting
to travel from RouterA to RouterB came from somewhere (unless you are "in"
RouterA attempting to telnet to RouterB).  Assuming the traffic came from
somewhere, our picture would look more like this

NetA (connects to Ethernet0 on RtrA)
|
RtrA---RtrB
|
NetB (connects to Ethernet1 on RtrA)

Since the traffic you want to block is coming from NetworkA or NetworkB, you
could apply that same access list to the two Ethernet interfaces to filter
traffic as it comes in from the two networks.  That way the traffic wouldn't
even enter the router and have to be dealt with.

So, yes, you are correct Tom.  The best bet would be to apply them inbound
on the interfaces where the traffic you want to block is originating.

Mike W.

Tom Holbrook <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Jenny-
>
> My understanding was  that you should apply them inbound,
> so the traffic doesn't have to go through a route lookup
> process, just to be dropped. Am I missing something here?
>
> -Tom

Re: Which access-list increase load the most?

2000-07-09 Thread Tom Holbrook

Jenny-

My understanding was  that you should apply them inbound,
so the traffic doesn't have to go through a route lookup
process, just to be dropped. Am I missing something here?

-Tom
At 05:06 PM 6/27/2000 +1000, you wrote:


>It depends (well, what did you expect??)
>As a general rule, you're better off putting the access list on the outgoing
>interface.  That way you don't waste bandwidth by transmitting traffic you're
>just going to throw away anyway.
>BUT, your *first* priority is to make sure the access list does what you want.
>To do this, you may need to use an incoming access list instead.
>
>Example...
>
>rtrA  rtrB
>
>Let's say you want to prevent telnet traffic from rtrA to rtrB.
>Assume for now that the link between the routers is a serial link (int S0 on
>both routers).
>You could put an outgoing access list on S0 on rtrA:
>rtrA:
>access-list 101 deny tcp any any eq 23
>access-list 101 permit ip any any
>int s 0
>ip access-group 101 out
>
>This will work fine (assuming my syntax is correct which I am making no
>guarantees about - I haven't checked it).  You could put the same access list
>on rtrB as an incoming access list instead, and it would have the same effect,
>but your telnet traffic would cross the serial link before being dropped -
>generally not very efficient.
>
>OK, what if it's not a serial link, but an ethernet?  Time to throw another
>router into the mix...
>
>rtrA  rtrB
>  |
> rtrC
>
>Now, putting that same outgoing access list on rtrA has a different effect to
>putting it as an incoming access list on rtrB.  If you put the outgoing access
>list on rtrA, you will not be able to telnet from rtrA to rtrB *or to rtrC*.
>If you put it as an incoming access list on rtrB, you will not be able to
>telnet from rtrA to rtrB but you will be able to telnet from rtrA to rtrC.
>In this case, where should you put the access list?  That depends completely
>on what you are trying to achieve with your access list.
>
>Regardless of where you are putting your access list, try to put the lines
>that will get the most hits near the top (again, make sure you don't change
>the meaning of the access list if you change the order of statements).  The
>lines of an access list are checked in order, and once a match for a packet is
>found, the rest of the list isn't checked - so if most of your packets match
>the first line, rather than the last, your router will spend less time
>checking access lists.
>
>Here endeth the chapter :-)
>
>JMcL
>
>-- Forwarded by Jenny Mcleod/NSO/CSDA on 27/06/2000 16:28
>---
>
>
>"K.FUJIWARA" <[EMAIL PROTECTED]> on 26/06/2000 15:59:31
>
>Please respond to "K.FUJIWARA" <[EMAIL PROTECTED]>
>
>
>To:   "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
>cc:(bcc: JENNY MCLEOD/NSO/CSDA)
>Subject:  Which access-list increase load the most?
>
>
>
>Hi, all.
>
>Though the null interface is the best solution for load in the router CPU,
>which extended / standard access-list is the best to reduce the load?
>Extended one's result may depend on where it will be put or the case,
>so where should it be configured? Destination?
>If you have some good examples, please show me.
>
>And then, do you know good tools or utility to monitor the routers
>performance on CPU or RAM in real time?
>
>Kazuyo Fujiwara
>MCSE/CCNA
>Japan Kobe

Tom Holbrook
Network Engineer
Earthlink
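
As an added illustration of the ordering advice quoted above (not code from any poster in this thread): a small Python model of top-down, first-match access-list evaluation that counts how many entries each packet is compared against, then moves high-hit entries upward only when the swap cannot change a verdict. The `Ace` class, the sample list and the traffic mix are constructed for this example and model only protocol, addresses and destination port.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = "0.0.0.0/0"  # stands in for the IOS keyword "any"


@dataclass(frozen=True)
class Ace:
    """One simplified extended access-list entry (constructed model, not IOS)."""
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches every protocol
    src: str                      # source network, CIDR
    dst: str                      # destination network, CIDR
    dport: Optional[int] = None   # None matches every destination port

    def matches(self, pkt):
        proto, src, dst, dport = pkt
        return (self.proto in ("ip", proto)
                and ipaddress.ip_address(src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst)
                and self.dport in (None, dport))

    def overlaps(self, other):
        """True if at least one packet could match both entries."""
        return (("ip" in (self.proto, other.proto) or self.proto == other.proto)
                and ipaddress.ip_network(self.src).overlaps(ipaddress.ip_network(other.src))
                and ipaddress.ip_network(self.dst).overlaps(ipaddress.ip_network(other.dst))
                and (None in (self.dport, other.dport) or self.dport == other.dport))


def evaluate(acl, pkt):
    """Return (action, entries_checked): top-down walk, first match wins."""
    for checked, ace in enumerate(acl, start=1):
        if ace.matches(pkt):
            return ace.action, checked
    return "deny", len(acl)       # implicit deny at the end of every list


def hit_counts(acl, traffic):
    """Per-entry match counters, like the counts 'show access-lists' reports."""
    hits = [0] * len(acl)
    for pkt in traffic:
        for i, ace in enumerate(acl):
            if ace.matches(pkt):
                hits[i] += 1
                break
    return hits


def reorder_by_hits(acl, hits):
    """Bubble busy entries upward, but only across neighbours where the swap
    is provably harmless: same action, or no packet can match both entries."""
    order = list(range(len(acl)))
    moved = True
    while moved:
        moved = False
        for i in range(1, len(order)):
            above, below = order[i - 1], order[i]
            safe = (acl[above].action == acl[below].action
                    or not acl[above].overlaps(acl[below]))
            if hits[below] > hits[above] and safe:
                order[i - 1], order[i] = below, above
                moved = True
    return [acl[i] for i in order]


def compare(acl, traffic):
    """Return (checks_before, checks_after, verdicts_unchanged, tuned_acl)."""
    tuned = reorder_by_hits(acl, hit_counts(acl, traffic))
    before = [evaluate(acl, p) for p in traffic]
    after = [evaluate(tuned, p) for p in traffic]
    same = [a for a, _ in before] == [a for a, _ in after]
    return sum(n for _, n in before), sum(n for _, n in after), same, tuned


# Constructed sample list and traffic: (protocol, source, destination, dest port)
ACL = [
    Ace("deny", "tcp", ANY, ANY, 23),
    Ace("deny", "udp", "10.9.0.0/16", ANY),
    Ace("permit", "tcp", ANY, "192.0.2.0/24", 80),
    Ace("permit", "ip", ANY, ANY),
]
TRAFFIC = ([("tcp", "10.1.1.5", "192.0.2.10", 80)] * 8
           + [("tcp", "10.1.1.5", "198.51.100.7", 23)]
           + [("udp", "10.9.3.3", "198.51.100.7", 53)]
           + [("udp", "10.1.1.5", "198.51.100.7", 53)] * 2)

if __name__ == "__main__":
    before, after, same, tuned = compare(ACL, TRAFFIC)
    print(f"entries checked: {before} -> {after}, verdicts unchanged: {same}")
    for ace in tuned:
        print(ace)
```

The web permit moves to the top because it cannot match anything the two deny lines match; the final `permit ip any any` stays below the denies however many hits it collects, since moving it up would change what the list blocks.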




Re: Which access-list increase load the most?

2000-06-27 Thread Kenny Sallee

That's a good point.  According to some Cisco guys here at Networkers,
TurboACLs are even less CPU intensive than static routes to null0... cool

Kenny

- Original Message -
From: "Erick" <[EMAIL PROTECTED]>
To: "Robert Cabeca" <[EMAIL PROTECTED]>;
<[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Tuesday, June 27, 2000 6:46 PM
Subject: Re: Which access-list increase load the most?


>
> Another thing, you can use the newer TurboACL
> (compiled  ACLs) on higher platforms.
>
> access-list compiled
>
>
> http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120limit/120s/120s6/turboacl.htm
>
> --- Robert Cabeca <[EMAIL PROTECTED]> wrote:
> > Just want to say that this was a great and useful
> > response!!
> > Rob

Re: Which access-list increase load the most?

2000-06-27 Thread Erick


Another thing, you can use the newer TurboACL
(compiled  ACLs) on higher platforms. 

access-list compiled

http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120limit/120s/120s6/turboacl.htm

--- Robert Cabeca <[EMAIL PROTECTED]> wrote:
> Just want to say that this was a great and useful
> response!!
> Rob

=
- Erick B. | erickbe(a)yahoo.com | http://berk.dhs.org

Re: Which access-list increase load the most?

2000-06-27 Thread Robert Cabeca

Just want to say that this was a great and useful response!!
Rob

-Original Message-
From: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Date: Tuesday, June 27, 2000 19:51
Subject: Which access-list increase load the most?


>
>It depends (well, what did you expect??)
>As a general rule, you're better off putting the access list on the outgoing
>interface.  That way you don't waste bandwidth by transmitting traffic you're
>just going to throw away anyway.
>BUT, your *first* priority is to make sure the access list does what you want.
>To do this, you may need to use an incoming access list instead.
>
>Example...
>
>rtrA  rtrB
>
>Let's say you want to prevent telnet traffic from rtrA to rtrB.
>Assume for now that the link between the routers is a serial link (int S0 on
>both routers).
>You could put an outgoing access list on S0 on rtrA:
>rtrA:
>access-list 101 deny tcp any any eq 23
>access-list 101 permit ip any any
>int s 0
>ip access-group 101 out
>
>This will work fine (assuming my access list syntax is correct which I am making
>no guarantees about - I haven't checked it).  You could put the same access list
>on rtrB as an incoming access list instead, and it would have the same effect,
>but your telnet traffic would cross the serial link before being dropped -
>generally not very efficient.
>
>OK, what if it's not a serial link, but an ethernet?  Time to throw another
>router into the mix...
>
>rtrA  rtrB
> |
>rtrC
>
>Now, putting that same outgoing access list on rtrA has a different effect to
>putting it as an incoming access list on rtrB.  If you put the outgoing access
>list on rtrA, you will not be able to telnet from rtrA to rtrB *or to rtrC*.  If
>you put it as an incoming access list on rtrB, you will not be able to telnet
>from rtrA to rtrB but you will be able to telnet from rtrA to rtrC.
>In this case, where should you put the access list?  That depends completely on
>what you are trying to achieve with your access list.
>
>Regardless of where you are putting your access list, try to put the lines that
>will get the most hits near the top (again, make sure you don't change the
>meaning of the access list if you change the order of statements).  The lines of
>an access list are checked in order, and once a match for a packet is found, the
>rest of the list isn't checked - so if most of your packets match the first
>line, rather than the last, your router will spend less time checking access
>lists.
>
>Here endeth the chapter :-)
>
>JMcL
>
>-- Forwarded by Jenny Mcleod/NSO/CSDA on 27/06/2000 16:28 ---
>
>"K.FUJIWARA" <[EMAIL PROTECTED]> on 26/06/2000 15:59:31
>
>Please respond to "K.FUJIWARA" <[EMAIL PROTECTED]>
>
>To:   "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
>cc:(bcc: JENNY MCLEOD/NSO/CSDA)
>Subject:  Which access-list increase load the most?
>
>Hi, all.
>
>Though the null interface is the best solution for load in the router CPU, which
>extended / standard access-list is the best to reduce the load?
>Extended one's result may depend on where it will be put or the case, so where
>should it be configured? Destination?
>If you have some good examples, please show me.
>
>And then, do you know good tools or utility to monitor the router's performance on
>CPU or RAM in real time?
>
>Kazuyo Fujiwara
>MCSE/CCNA
>Japan Kobe

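
The ordering advice in the quoted reply above (first match wins, so move the busiest lines up without changing what the list means), as an added example that is not part of the original thread. The entry model, the entries between the two lines of access list 101, the traffic mix and all function names are constructed for illustration.

```python
from collections import Counter

# Entry = (action, proto, dst_port); proto "ip" and port None are wildcards.
# First and last entries are access list 101 from the post; the others are constructed.
ACL = [("deny", "tcp", 23), ("permit", "udp", 53), ("deny", "udp", None),
       ("permit", "tcp", 80), ("permit", "ip", None)]
# Constructed traffic mix: one (proto, dst_port) tuple per packet.
TRAFFIC = ([("tcp", 80)] * 70 + [("udp", 53)] * 20 + [("icmp", None)] * 5
           + [("tcp", 23)] * 3 + [("udp", 161)] * 2)

def matches(entry, pkt):
    return entry[1] in ("ip", pkt[0]) and entry[2] in (None, pkt[1])

def overlaps(a, b):
    """True if some packet could match both entries."""
    return (("ip" in (a[1], b[1]) or a[1] == b[1])
            and (None in (a[2], b[2]) or a[2] == b[2]))

def first_match(acl, pkt):
    """Index of the first matching entry, or None (packet falls to the implicit deny)."""
    return next((i for i, e in enumerate(acl) if matches(e, pkt)), None)

def decide(acl, pkt):
    i = first_match(acl, pkt)
    return "deny" if i is None else acl[i][0]

def mean_checks(acl, traffic):
    """Average number of entries compared per packet before a decision is reached."""
    cost = lambda i: len(acl) if i is None else i + 1
    return sum(cost(first_match(acl, p)) for p in traffic) / len(traffic)

def promote_hot(acl, traffic):
    """Bubble high-hit entries up using only swaps that cannot change a decision:
    adjacent entries with the same action, or entries no packet can match both."""
    hits = Counter(first_match(acl, p) for p in traffic)
    order, moved = list(range(len(acl))), True
    while moved:
        moved = False
        for k in range(1, len(order)):
            up, lo = acl[order[k - 1]], acl[order[k]]
            safe = up[0] == lo[0] or not overlaps(up, lo)
            if safe and hits[order[k]] > hits[order[k - 1]]:
                order[k - 1], order[k] = order[k], order[k - 1]
                moved = True
    return [acl[i] for i in order]

def naive_sort(acl, traffic):
    """Sort purely by hit count: cheaper lookups, but a permit can jump above a deny it overlaps."""
    hits = Counter(first_match(acl, p) for p in traffic)
    return sorted(acl, key=lambda e: -hits[acl.index(e)])
```

With this mix, `promote_hot` cuts the average from 3.54 to 1.52 comparisons per packet while every decision stays the same; `naive_sort` lifts the catch-all permit above the telnet deny, so telnet is no longer blocked.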