ACL logging on CPU and optimized logging

Unanswered Question
Oct 23rd, 2009

Hello all.

Following an incident that happened some time ago, I supposed we had a big CPU impact due to ACL logging of denied packets.

As I have a cat6509 not yet in production, I used it for tests, applying the configurations suggested in the following documents

http://www.cisco.com/web/about/security/intelligence/acl-logging.html

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/guide/acl.html#wp1090858


and precisely:

logging rate-limit 100 except errors

logging ip access-list cache interval 10

mls rate-limit unicast ip icmp unreachable acl-drop 0

logging ip access-list cache out (on the L3 interface)


ICMP Unreachables are suppressed.


Test results were:

with 20k pkts/sec about 50% CPU

with many more (more than 100 Mbit of small hostile packets) about 85% CPU


What I did not understand is that the CPU usage had the same result using optimized ACL or not using it (I saw in the logs that the OACLs were running correctly and matched).

Supervisor is a WS-F6K-PFC3B, gigabit boards have CFC installed.


Any idea on this odd result?


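To make the load question above concrete, here is an added example (written for this discussion, not code from the thread, from Cisco, or from the linked documents) that models in a simplified way what the two config lines from the post do to the syslog message volume produced by a flood of denied packets: per-packet logging emits one message per denied packet, `logging ip access-list cache interval 10` aggregates hits per flow and flushes one summary per flow every interval, and `logging rate-limit 100` caps messages at 100 per second. The packet flood, the flow key (source, destination, protocol, destination port), the second-granularity rate-limit bucket, and the numbers used are all constructed assumptions for the model; it does not reproduce the 6500's actual OAL or logging implementation, and it counts messages rather than CPU cycles.

```python
"""Simplified model of ACL-deny log volume: per-packet logging vs. a
flow cache with a flush interval, each with and without a rate limit.
All traffic below is constructed for the example."""
from collections import Counter
from typing import List, NamedTuple, Tuple


class Packet(NamedTuple):
    t: float      # arrival time in seconds (constructed)
    src: str
    dst: str
    proto: str
    dport: int


# A log entry is (time_emitted, flow_key, hit_count)
Entry = Tuple[float, tuple, int]


def flow_key(p: Packet) -> tuple:
    """Assumed aggregation key for the cache: src, dst, proto, dport."""
    return (p.src, p.dst, p.proto, p.dport)


def per_packet_entries(packets: List[Packet]) -> List[Entry]:
    """No cache: every denied packet becomes its own log message."""
    return [(p.t, flow_key(p), 1) for p in packets]


def cached_entries(packets: List[Packet], interval: float) -> List[Entry]:
    """Flow cache: count hits per flow and flush one summary message per
    flow at the end of each interval (assumed model of 'cache interval N')."""
    entries: List[Entry] = []
    counts: Counter = Counter()
    window_start = 0.0
    for p in sorted(packets, key=lambda p: p.t):
        # Flush every completed window before recording this packet.
        while p.t >= window_start + interval:
            flush_at = window_start + interval
            entries.extend((flush_at, flow, n) for flow, n in counts.items())
            counts.clear()
            window_start += interval
        counts[flow_key(p)] += 1
    if counts:  # flush whatever is left in the final window
        entries.extend((window_start + interval, flow, n) for flow, n in counts.items())
    return entries


def rate_limit(entries: List[Entry], limit_per_sec: int) -> Tuple[List[Entry], int]:
    """Assumed model of 'logging rate-limit N': at most N messages per
    one-second bucket; the rest are dropped. Returns (sent, dropped_count)."""
    sent: List[Entry] = []
    dropped = 0
    per_sec: Counter = Counter()
    for entry in entries:
        bucket = int(entry[0])
        if per_sec[bucket] < limit_per_sec:
            per_sec[bucket] += 1
            sent.append(entry)
        else:
            dropped += 1
    return sent, dropped


def generate_flood(rate_pps: int, seconds: int, n_sources: int) -> List[Packet]:
    """Constructed flood: rate_pps evenly spaced packets per second, rotating
    over n_sources spoofed sources, all aimed at one UDP/53 destination."""
    packets = []
    for i in range(rate_pps * seconds):
        k = i % n_sources
        packets.append(Packet(t=i / rate_pps,
                              src=f"10.0.{k // 256}.{k % 256}",
                              dst="192.0.2.10", proto="udp", dport=53))
    return packets


if __name__ == "__main__":
    flood = generate_flood(rate_pps=2000, seconds=10, n_sources=50)
    raw = per_packet_entries(flood)
    cached = cached_entries(flood, interval=10)
    print("per-packet messages:", len(raw))                 # 20000
    print("cached messages:", len(cached))                  # 50 (one per flow)
    for label, ents in (("per-packet", raw), ("cached", cached)):
        sent, dropped = rate_limit(ents, limit_per_sec=100)
        print(f"{label} with rate-limit 100: sent={len(sent)} dropped={dropped}")
```

The point the model makes is that the per-packet path scales with packet rate (every denied packet is a message, and the rate limit only discards them after they have already been generated), whereas the cached path scales with the number of distinct flows per interval; a flood from a small number of sources collapses to a handful of summary messages per interval. A flood that rotates over very many sources would still fill the cache with one entry per flow, which is the case to measure against before relying on the cache alone.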
Panos Kampanakis Fri, 10/23/2009 - 06:43
User Badges: Cisco Employee

Optimized ACLs make ACLs smaller. They do not have a great impact on performance unless there is a very significant ACL difference. What optimized ACLs do very well is make your ACLs smaller so they can fit in the hardware.


So unless there are thousands of lines of difference between optimized and unoptimized ACLs, the CPU will not change.


I hope it helps.


PK


cineca Mon, 10/26/2009 - 03:03

Surely that explains my results.

So we can say there is no way to further improve CPU resistance to an attack which triggers logging of denied packets on a single ACL line?

Panos Kampanakis Mon, 10/26/2009 - 14:49
User Badges: Cisco Employee

On a switch we can say no. In general, logging on high-performance cards on a per-packet basis is one of the number-one reasons for CPU load.


Remember that you process-switch every packet when you make it pass through an ACL, which puts load on the CPU. Not recommended in general for CEF-enabled high-performance devices.


PK

