RE: Which access-list increase load the most?
Remember mrtg does its monitoring with snmp (I suppose cricket does the same, I never used it though). This means you can monitor everything available on that router with snmp: memory, blocks, errors, processes, temperature, lots of things. Just get yourself a free MIB browser if needed and take a look - you'll be surprised at the wealth of data.

For example, one interesting thing I'd like to try asap on a heavily access-listed router could be a graph with (sum of inbound bytes on all interfaces) - (sum of outbound bytes on all interfaces). Or, for the temperature thing (not available on my routers unfortunately), what about cpuload/(current temperature - "base" temperature)*100 ?

Remember you can mix different devices... in fact I'm trying to get an APC UPS with environmental monitor (instead of another one) for exactly this reason :-)

Heiko

-- PREVINET S.p.A.             [EMAIL PROTECTED]
-- Via Marocchesa, 14          ph  x39-041-5907073
-- I-31021 Mogliano V.to (TV)  fax x39-041-5907025
-- ITALY

>-Original Message-
>From: Emilia Lambros [mailto:[EMAIL PROTECTED]]
>Sent: Tuesday, July 11, 2000 5:43 AM
>To: [EMAIL PROTECTED]
>Subject: RE: Which access-list increase load the most?
>
>In response to the other part of the question, I know Cricket
>(http://cricket.sourceforge.net/) does CPU/Memory monitoring and MRTG does
>load, but I'm not sure about memory .. you'd probably have to check it/play
>with it for a while, but I have seen some pretty weird stuff done with MRTG
>so you never know until you give it a go.
Re: Which access-list increase load the most?
MRTG can do CPU/Memory. You just need to find the correct MIB and set it up in MRTG. Start looking under 1.3.6.1.4.1.9.local.system. I believe the CPU mib is around .56-58 under cisco.local.system but I am doing this from memory so I may be way off. Look in the Cisco doc set or use snmpwalk.

Paul Borghese

-Original Message-
From: Emilia Lambros <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Date: Monday, July 10, 2000 11:44 PM
Subject: RE: Which access-list increase load the most?

>In response to the other part of the question, I know Cricket
>(http://cricket.sourceforge.net/) does CPU/Memory monitoring and MRTG does
>load, but I'm not sure about memory .. you'd probably have to check it/play
>with it for a while, but I have seen some pretty weird stuff done with MRTG
>so you never know until you give it a go.
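Heiko's "(sum of inbound bytes) - (sum of outbound bytes)" graph and Paul's CPU object under cisco.local.lsystem, worked through as an added example of mine (not code from the thread, from MRTG or from Cisco). The counters are IF-MIB ifInOctets/ifOutOctets and OLD-CISCO-CPU-MIB avgBusy5; the two poll snapshots are constructed, and the code assumes at most one Counter32 wrap between polls.

```python
"""Derived router metrics from two SNMP polls, in the spirit of the MRTG ideas above.

Added example, not code from the thread or from MRTG. Two successive polls of
IF-MIB ifInOctets/ifOutOctets (Counter32) and OLD-CISCO-CPU-MIB avgBusy5 are
turned into per-interface rates, Heiko's "(sum in) - (sum out)" figure and a
CPU reading. The poll data below is constructed, not captured from a router.
"""
from dataclasses import dataclass
from typing import Dict

# OLD-CISCO-CPU-MIB sits under cisco.local.lsystem = 1.3.6.1.4.1.9.2.1, which is
# the ".56-58" Paul recalls: busyPer (.56), avgBusy1 (.57), avgBusy5 (.58).
OID_AVG_BUSY5 = "1.3.6.1.4.1.9.2.1.58.0"
OID_IF_IN_OCTETS = "1.3.6.1.2.1.2.2.1.10"   # IF-MIB ifInOctets.<ifIndex>
OID_IF_OUT_OCTETS = "1.3.6.1.2.1.2.2.1.16"  # IF-MIB ifOutOctets.<ifIndex>


@dataclass
class Poll:
    """One SNMP poll: wall-clock seconds and {oid: integer value}."""
    t: float
    values: Dict[str, int]


def counter_delta(old: int, new: int, bits: int = 32) -> int:
    """Difference between two counter readings, allowing for one wrap.

    ifInOctets is a Counter32 that rolls over after 4 GiB; on a busy link a
    5-minute MRTG interval is enough to wrap it, so a raw new - old goes
    negative and the graph shows a spike. One wrap at most is assumed, which
    holds when the poll interval is short relative to the link speed.
    """
    if new >= old:
        return new - old
    return (2 ** bits - old) + new


def interface_rates(prev: Poll, cur: Poll, column_oid: str) -> Dict[int, float]:
    """Bytes per second per ifIndex for one counter column (in or out)."""
    seconds = cur.t - prev.t
    if seconds <= 0:
        raise ValueError("polls must be strictly increasing in time")
    rates = {}
    for oid, new in cur.values.items():
        if not oid.startswith(column_oid + "."):
            continue
        if oid not in prev.values:
            continue  # interface appeared between polls: no delta yet
        ifindex = int(oid.rsplit(".", 1)[1])
        rates[ifindex] = counter_delta(prev.values[oid], new) / seconds
    return rates


def in_minus_out(prev: Poll, cur: Poll) -> float:
    """Heiko's graph: total inbound byte rate minus total outbound byte rate.

    On a router carrying heavy access lists, a sustained positive gap hints at
    bytes accepted on some interface but never forwarded (dropped by an ACL or
    terminated on the box). It is only an indicator: locally generated
    traffic, compression and encapsulation changes move it as well.
    """
    ins = interface_rates(prev, cur, OID_IF_IN_OCTETS)
    outs = interface_rates(prev, cur, OID_IF_OUT_OCTETS)
    return sum(ins.values()) - sum(outs.values())


def cpu_busy5(poll: Poll) -> int:
    """Five-minute CPU busy percentage from OLD-CISCO-CPU-MIB avgBusy5."""
    return int(poll.values[OID_AVG_BUSY5])


# Constructed polls 100 s apart. ifInOctets.1 sits 100 bytes below the
# Counter32 limit in the first poll and has wrapped in the second.
PREV_POLL = Poll(t=1000.0, values={
    OID_IF_IN_OCTETS + ".1": 2 ** 32 - 100,
    OID_IF_IN_OCTETS + ".2": 5_000,
    OID_IF_OUT_OCTETS + ".1": 1_000,
    OID_IF_OUT_OCTETS + ".2": 10_000,
    OID_AVG_BUSY5: 31,
})
CUR_POLL = Poll(t=1100.0, values={
    OID_IF_IN_OCTETS + ".1": 900,
    OID_IF_IN_OCTETS + ".2": 7_000,
    OID_IF_OUT_OCTETS + ".1": 1_500,
    OID_IF_OUT_OCTETS + ".2": 11_500,
    OID_AVG_BUSY5: 37,
})

if __name__ == "__main__":
    print("in  B/s:", interface_rates(PREV_POLL, CUR_POLL, OID_IF_IN_OCTETS))
    print("out B/s:", interface_rates(PREV_POLL, CUR_POLL, OID_IF_OUT_OCTETS))
    print("in - out B/s:", in_minus_out(PREV_POLL, CUR_POLL))  # 10.0
    print("avgBusy5 %:", cpu_busy5(CUR_POLL))  # 37
```

Feeding a wrapped counter straight into a "new minus old" graph is the classic reason for the one-interval spike MRTG users see on fast links; the wrap handling above is what turns it into a sane rate.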
RE: Which access-list increase load the most?
In response to the other part of the question, I know Cricket (http://cricket.sourceforge.net/) does CPU/Memory monitoring and MRTG does load, but I'm not sure about memory .. you'd probably have to check it/play with it for a while, but I have seen some pretty weird stuff done with MRTG so you never know until you give it a go.
Re: Which access-list increase load the most?
Absolutely true that it depends -- and it depends on even more factors.

Even more important than the pure CPU load is the switching path that will be caused by using a given access list (or other feature that examines traffic). This is especially true on high-end routers with multiple processors, which can do distributed forwarding and filtering. If, for example, you add a filter to a 7500 and don't watch what you are doing, you could jump from DCEF (that doesn't go through the CPU at all) to fast switching. Optimum and both NetFlow and Distributed NetFlow would probably have been better options.

Unfortunately, the rules just aren't simple. The forwarding path for a particular feature depends on the IOS release level, possibly microcode levels, platform, and interface type.
Re: Which access-list increase load the most?
It really depends.

If you have a small routing table but a huge access-list, you put it inbound. If most of the incoming traffic is not routable by your router, it passes through the access-list and gets dropped, because your router has no routes for it. Under this circumstance I think I will put the access-list outbound to save the CPU of the router.

So it really depends on what situation we have.

Thanks

Kent
Re: Which access-list increase load the most?
I agree. Using the scenario that Jenny used:

rtrA <--> rtrB

If you wanted to block telnet traffic from going from RouterA to RouterB, you could put the access list on the outgoing interface of router A and save bandwidth across the link between A and B. However, the traffic attempting to travel from RouterA to RouterB came from somewhere (unless you are "in" RouterA attempting to telnet to RouterB). Assuming the traffic came from somewhere, our picture would look more like this:

NetA (connects to Ethernet0 on RtrA)
 |
RtrA---RtrB
 |
NetB (connects to Ethernet1 on RtrA)

Since the traffic you want to block is coming from NetworkA or NetworkB, you could apply that same access list to the two Ethernet interfaces to filter traffic as it comes in from the two networks. That way the traffic wouldn't even enter the router and have to be dealt with.

So, yes, you are correct Tom. The best bet would be to apply them inbound on the interfaces where the traffic you want to block is originating.

Mike W.
Re: Which access-list increase load the most?
Jenny-

My understanding was that you should apply them inbound, so the traffic doesn't have to go through a route lookup process, just to be dropped. Am I missing something here?

-Tom

At 05:06 PM 6/27/2000 +1000, you wrote:
>It depends (well, what did you expect??)
>As a general rule, you're better off putting the access list on the outgoing
>interface. That way you don't waste bandwidth by transmitting traffic you're
>just going to throw away anyway.
>BUT, your *first* priority is to make sure the access list does what you want.
>To do this, you may need to use an incoming access list instead.
>
>Example...
>
>rtrA      rtrB
>
>Let's say you want to prevent telnet traffic from rtrA to rtrB.
>Assume for now that the link between the routers is a serial link (int S0 on
>both routers).
>You could put an outgoing access list on S0 on rtrA:
>rtrA:
>access-list 101 deny tcp any any eq 23
>access-list 101 permit ip any any
>int s 0
>ip access-group 101 out
>
>This will work fine (assuming my syntax is correct which I am making no
>guarantees about - I haven't checked it). You could put the same access
>list on rtrB as an incoming access list instead, and it would have the same
>effect, but your telnet traffic would cross the serial link before being
>dropped - generally not very efficient.
>
>OK, what if it's not a serial link, but an ethernet? Time to throw another
>router into the mix...
>
>rtrA      rtrB
>            |
>          rtrC
>
>Now, putting that same outgoing access list on rtrA has a different effect to
>putting it as an incoming access list on rtrB. If you put the outgoing access
>list on rtrA, you will not be able to telnet from rtrA to rtrB *or to rtrC*. If
>you put it as an incoming access list on rtrB, you will not be able to telnet
>from rtrA to rtrB but you will be able to telnet from rtrA to rtrC.
>In this case, where should you put the access list? That depends completely on
>what you are trying to achieve with your access list.
>
>Regardless of where you are putting your access list, try to put the lines that
>will get the most hits near the top (again, make sure you don't change the
>meaning of the access list if you change the order of statements). The lines of
>an access list are checked in order, and once a match for a packet is found, the
>rest of the list isn't checked - so if most of your packets match the first
>line, rather than the last, your router will spend less time checking access
>lists.
>
>Here endeth the chapter :-)
>
>JMcL
>
>-- Forwarded by Jenny Mcleod/NSO/CSDA on 27/06/2000 16:28 ---
>
>"K.FUJIWARA" <[EMAIL PROTECTED]> on 26/06/2000 15:59:31
>
>Please respond to "K.FUJIWARA" <[EMAIL PROTECTED]>
>
>To: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
>cc: (bcc: JENNY MCLEOD/NSO/CSDA)
>Subject: Which access-list increase load the most?
>
>Hi, all.
>
>Though the null interface is the best solution for load in the router CPU, which
>extended / standard access-list is the best to reduce the load?
>Extended one's result may depend on where it will be put or the case, so where
>should it be configured? Destination?
>If you have some good examples, please show me.
>
>And then, do you know good tools or utility to monitor the routers
>performance on CPU or RAM in real time?
>
>Kazuyo Fujiwara
>MCSE/CCNA
>Japan Kobe
>
>___
>UPDATED Posting Guidelines: http://www.groupstudy.com/list/guide.html
>FAQ, list archives, and subscription info: http://www.groupstudy.com
>Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

Tom Holbrook
Network Engineer
Earthlink
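Jenny's two points in the quoted post, first-match evaluation and putting the most-hit lines near the top without changing the list's meaning, worked through as an added example of mine (not code from the thread or from IOS). It parses the numbered extended ACL syntax she used, counts how many entries each packet is compared against, and reorders only within runs of entries that share an action, which is the one permutation that is always safe. The two extra deny lines (udp 69, tcp 139) and the traffic sample are constructed so that the reordering has a visible effect.

```python
"""First-match evaluation of a numbered extended access list.
Added example, not code from the thread. It parses the ACL syntax from Jenny's
post, applies IOS first-match semantics with the implicit deny at the end,
counts how many entries each packet is compared against, and moves the
most-hit lines up the way she advises, without changing what the list means.
The two extra deny lines and the traffic sample are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

Addr = Tuple[int, int]  # (address, wildcard mask) as 32-bit ints


@dataclass
class Entry:
    action: str           # "permit" or "deny"
    proto: str            # "ip" matches every protocol, else "tcp"/"udp"/...
    src: Addr
    dst: Addr
    dport: Optional[int]  # "eq N" on the destination, None if absent
    text: str
    hits: int = 0         # what "show access-lists" would count


def _addr(tokens: List[str]) -> Tuple[Addr, List[str]]:
    """Consume one source/destination spec: any | host A | A wildcard."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (int(ipaddress.IPv4Address(tokens[1])), 0), tokens[2:]
    addr = int(ipaddress.IPv4Address(tokens[0]))
    wild = int(ipaddress.IPv4Address(tokens[1]))
    return (addr, wild), tokens[2:]


def parse_acl(config: str, number: int) -> List[Entry]:
    """Collect the 'access-list <number> ...' lines; skip everything else."""
    entries = []
    for line in config.splitlines():
        tokens = line.split()
        if tokens[:2] != ["access-list", str(number)]:
            continue
        src, rest = _addr(tokens[4:])
        dst, rest = _addr(rest)
        dport = int(rest[1]) if rest[:1] == ["eq"] else None
        entries.append(Entry(tokens[2], tokens[3], src, dst, dport, line.strip()))
    return entries


def _in_range(a: int, spec: Addr) -> bool:
    addr, wild = spec
    return (a & ~wild) == (addr & ~wild)  # set wildcard bits mean "don't care"


def evaluate(entries: List[Entry], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> Tuple[str, int]:
    """Return (action, entries examined); unmatched packets hit the implicit deny."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for i, e in enumerate(entries, 1):
        if e.proto not in ("ip", proto):
            continue
        if e.dport is not None and e.dport != dport:
            continue
        if _in_range(s, e.src) and _in_range(d, e.dst):
            e.hits += 1
            return e.action, i
    return "deny", len(entries)


def total_examined(entries: List[Entry], packets) -> int:
    """Entry comparisons for a traffic sample: the cost Jenny's ordering advice cuts."""
    return sum(evaluate(entries, *p)[1] for p in packets)


def reorder_safely(entries: List[Entry]) -> List[Entry]:
    """Sort by hits, descending, but only within runs of consecutive entries
    sharing an action. A packet matching two same-action entries gets that
    action whichever is first, so this cannot change the list's meaning;
    moving a line across the other action could, if the two overlap
    (the permit ip any any below has to stay last)."""
    out: List[Entry] = []
    run: List[Entry] = []
    for e in entries:
        if run and run[-1].action != e.action:
            out += sorted(run, key=lambda x: -x.hits)
            run = []
        run.append(e)
    return out + sorted(run, key=lambda x: -x.hits)


# Jenny's two lines plus two constructed denies, so that ordering matters.
ACL_CONFIG = """\
access-list 101 deny tcp any any eq 23
access-list 101 deny udp any any eq 69
access-list 101 deny tcp any any eq 139
access-list 101 permit ip any any
interface Serial0
 ip access-group 101 out
"""

# Constructed traffic as (proto, src, dst, dport). Most denied packets match
# the last deny line, the worst case for a first-match list.
TRAFFIC = (
    [("tcp", "10.1.1.10", "10.2.2.20", 139)] * 5
    + [("tcp", "10.1.1.11", "10.2.2.20", 23)] * 2
    + [("udp", "10.1.1.12", "10.2.2.21", 69)]
    + [("tcp", "10.1.1.13", "10.2.2.22", 80)] * 10
)

if __name__ == "__main__":
    acl = parse_acl(ACL_CONFIG, 101)
    print("examined, original order:", total_examined(acl, TRAFFIC))  # 59
    acl = reorder_safely(acl)
    print("examined, reordered:", total_examined(acl, TRAFFIC))  # 52
```

The permit line is the most-hit entry of all, yet it cannot move above the denies, which is exactly the "don't change the meaning" caveat in the quoted post; the saving comes from ordering the denies among themselves.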
Re: Which access-list increase load the most?
That's a good point. According to some Cisco guys here at networkers, TurboACLs are even less CPU intensive than static routes to null0... cool

Kenny

- Original Message -
From: "Erick" <[EMAIL PROTECTED]>
To: "Robert Cabeca" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Tuesday, June 27, 2000 6:46 PM
Subject: Re: Which access-list increase load the most?

> Another thing, you can use the newer TurboACL
> (compiled ACLs) on higher platforms.
>
> access-list compiled
>
> http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120limit/120s/120s6/turboacl.htm
Re: Which access-list increase load the most?
Another thing, you can use the newer TurboACL (compiled ACLs) on higher platforms.

access-list compiled

http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120limit/120s/120s6/turboacl.htm

--- Robert Cabeca <[EMAIL PROTECTED]> wrote:
> Just want to say that this was a great and useful response!!
> Rob
>
> -----Original Message-----
> From: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
> Date: Tuesday, June 27, 2000 19:51
> Subject: Which access-list increase load the most?
>
> [...]

=
- Erick B. | erickbe(a)yahoo.com | http://berk.dhs.org
Re: Which access-list increase load the most?
Just want to say that this was a great and useful response!!
Rob

-----Original Message-----
From: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Date: Tuesday, June 27, 2000 19:51
Subject: Which access-list increase load the most?

>It depends (well, what did you expect??)
>As a general rule, you're better off putting the access list on the outgoing
>interface. That way you don't waste bandwidth by transmitting traffic you're
>just going to throw away anyway.
>BUT, your *first* priority is to make sure the access list does what you want.
>To do this, you may need to use an incoming access list instead.
>
>Example...
>
>rtrA ----- rtrB
>
>Let's say you want to prevent telnet traffic from rtrA to rtrB.
>Assume for now that the link between the routers is a serial link (int S0 on
>both routers).
>You could put an outgoing access list on S0 on rtrA:
>
>rtrA:
>access-list 101 deny tcp any any eq 23
>access-list 101 permit ip any any
>int s 0
> ip access-group 101 out
>
>This will work fine (assuming my access list syntax is correct which I am making
>no guarantees about - I haven't checked it). You could put the same access list
>on rtrB as an incoming access list instead, and it would have the same effect,
>but your telnet traffic would cross the serial link before being dropped -
>generally not very efficient.
>
>OK, what if it's not a serial link, but an ethernet? Time to throw another
>router into the mix...
>
>rtrA ----+---- rtrB
>         |
>        rtrC
>
>Now, putting that same outgoing access list on rtrA has a different effect to
>putting it as an incoming access list on rtrB. If you put the outgoing access
>list on rtrA, you will not be able to telnet from rtrA to rtrB *or to rtrC*. If
>you put it as an incoming access list on rtrB, you will not be able to telnet
>from rtrA to rtrB but you will be able to telnet from rtrA to rtrC.
>In this case, where should you put the access list? That depends completely on
>what you are trying to achieve with your access list.
>
>Regardless of where you are putting your access list, try to put the lines that
>will get the most hits near the top (again, make sure you don't change the
>meaning of the access list if you change the order of statements). The lines of
>an access list are checked in order, and once a match for a packet is found, the
>rest of the list isn't checked - so if most of your packets match the first
>line, rather than the last, your router will spend less time checking access
>lists.
>
>Here endeth the chapter :-)
>
>JMcL
>
>---------- Forwarded by Jenny Mcleod/NSO/CSDA on 27/06/2000 16:28 ----------
>
>"K.FUJIWARA" <[EMAIL PROTECTED]> on 26/06/2000 15:59:31
>
>Please respond to "K.FUJIWARA" <[EMAIL PROTECTED]>
>
>To: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
>cc: (bcc: JENNY MCLEOD/NSO/CSDA)
>Subject: Which access-list increase load the most?
>
>Hi, all.
>
>Though the null interface is the best solution for load in the router CPU,
>which extended / standard access-list is the best to reduce the load?
>An extended one's result may depend on where it is put or on the case, so
>where should it be configured? Destination?
>If you have some good examples, please show me.
>
>And then, do you know good tools or utilities to monitor the router's
>performance on CPU or RAM in real time?
>
>Kazuyo Fujiwara
>MCSE/CCNA
>Japan Kobe

___
UPDATED Posting Guidelines: http://www.groupstudy.com/list/guide.html
FAQ, list archives, and subscription info: http://www.groupstudy.com
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
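JMcL's closing advice (put the most-hit lines near the top, but don't change the meaning of the list) is easy to get wrong in practice, so here is an added example that is not part of any message in the thread: a small Python model of classic first-match ACL evaluation. It counts how many entries each packet is checked against, reorders entries by hit count only where two neighbours either carry the same action or can never both match one packet, and shows that the tempting shortcut of moving `permit ip any any` to the top cuts the work but also lets the telnet through. The two telnet lines are JMcL's; the DNS and web entries, the prefixes and the traffic mix are constructed for illustration, and the `Ace` and `Packet` classes are this example's own notation, not IOS syntax.

```python
"""First-match ACL evaluation model (added example, not from the thread)."""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Ace:
    """One entry: Ace("deny", "tcp", "any", "any", 23) is 'deny tcp any any eq 23'."""
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" (any protocol), "tcp" or "udp"
    src: str                     # CIDR prefix or "any"
    dst: str
    dport: Optional[int] = None  # destination port ("eq <port>"); None = any port

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None

def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ace.dport is not None and ace.dport != pkt.dport:
        return False
    return all(pfx == "any" or ip_address(addr) in ip_network(pfx)
               for addr, pfx in ((pkt.src, ace.src), (pkt.dst, ace.dst)))

def evaluate(acl: List[Ace], pkt: Packet):
    """First match wins: (decision, entries examined, matching entry or None for the implicit deny)."""
    for examined, ace in enumerate(acl, start=1):
        if ace_matches(ace, pkt):
            return ace.action, examined, ace
    return "deny", len(acl), None

def total_work(acl: List[Ace], pkts: List[Packet]) -> int:
    """Entries examined over the whole sample: the per-packet cost JMcL is talking about."""
    return sum(evaluate(acl, p)[1] for p in pkts)

def same_semantics(acl_a: List[Ace], acl_b: List[Ace], pkts: List[Packet]) -> bool:
    return all(evaluate(acl_a, p)[0] == evaluate(acl_b, p)[0] for p in pkts)

def hit_counts(acl: List[Ace], pkts: List[Packet]) -> Dict[Ace, int]:
    """Per-entry match counters, like the '(N matches)' shown by 'show access-lists'."""
    matched = Counter(evaluate(acl, p)[2] for p in pkts)
    return {ace: matched[ace] for ace in acl}

def can_overlap(a: Ace, b: Ace) -> bool:
    """Conservative: could one packet match both entries? If not, their relative order is irrelevant."""
    if a.proto != "ip" and b.proto != "ip" and a.proto != b.proto:
        return False
    if a.dport is not None and b.dport is not None and a.dport != b.dport:
        return False
    return all(x == "any" or y == "any" or ip_network(x).overlaps(ip_network(y))
               for x, y in ((a.src, b.src), (a.dst, b.dst)))

def reorder_by_hits(acl: List[Ace], hits: Dict[Ace, int]) -> List[Ace]:
    """Insertion sort by hit count with a safety gate: an entry moves above its neighbour only if
    both carry the same action or can never match the same packet, so the meaning is unchanged."""
    out = list(acl)
    for i in range(1, len(out)):
        j = i
        while j > 0 and hits.get(out[j], 0) > hits.get(out[j - 1], 0) and (
            out[j].action == out[j - 1].action or not can_overlap(out[j], out[j - 1])
        ):
            out[j], out[j - 1] = out[j - 1], out[j]
            j -= 1
    return out

ACL_AS_WRITTEN = [
    Ace("deny", "tcp", "any", "any", 23),           # JMcL: access-list 101 deny tcp any any eq 23
    Ace("permit", "udp", "any", "10.0.0.0/8", 53),  # constructed: DNS to internal resolvers
    Ace("permit", "tcp", "any", "any", 80),         # constructed: web traffic
    Ace("permit", "ip", "any", "any"),              # JMcL: access-list 101 permit ip any any
]

def sample_traffic() -> List[Packet]:
    """Constructed mix: 80 web, 15 DNS and 5 telnet packets from hosts behind rtrA."""
    web = [Packet("tcp", f"10.1.0.{i}", "192.0.2.10", 80) for i in range(1, 81)]
    dns = [Packet("udp", f"10.1.0.{i}", "10.0.0.53", 53) for i in range(1, 16)]
    telnet = [Packet("tcp", f"10.1.0.{i}", "192.0.2.20", 23) for i in range(1, 6)]
    return web + dns + telnet

def demo() -> dict:
    pkts = sample_traffic()
    tuned = reorder_by_hits(ACL_AS_WRITTEN, hit_counts(ACL_AS_WRITTEN, pkts))
    unsafe = [ACL_AS_WRITTEN[-1]] + ACL_AS_WRITTEN[:-1]  # catch-all first: cheapest, but telnet now permitted
    return {
        "work_as_written": total_work(ACL_AS_WRITTEN, pkts),
        "work_tuned": total_work(tuned, pkts),
        "tuned_keeps_meaning": same_semantics(ACL_AS_WRITTEN, tuned, pkts),
        "unsafe_keeps_meaning": same_semantics(ACL_AS_WRITTEN, unsafe, pkts),
        "tuned_order": [(a.action, a.proto, a.dport) for a in tuned],
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it directly or call `demo()`: with the constructed mix the list as written examines 275 entries for 100 packets, the safely reordered list 125, and both reach identical decisions for every packet, while the catch-all-first list does not. Two caveats the model makes explicit. The gate is only as good as the overlap test; it refuses to swap any two entries that could match the same packet unless they share an action, which is conservative but safe, and a gate is what you want before touching a production list, because hit counters alone tell you nothing about meaning. And the whole exercise concerns the sequential evaluation JMcL describes; with Erick's compiled (Turbo) ACLs the lookup cost no longer depends on entry order, so the ordering advice matters on the platforms and IOS trains that evaluate entries one by one. One further point for anyone reproducing JMcL's serial example on real gear: an outbound interface ACL on IOS is not applied to packets the router itself originates, so the list on rtrA filters telnet from hosts behind rtrA rather than a session opened from rtrA's own command line.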