ACL logging on CPU and optimized logging

cineca (Level 1)

Hello all.

Following an incident that happened some time ago, I supposed we had a big CPU impact due to ACL logging of denied packets.

As I have a cat6509 not yet in production, I used it for tests, applying the configurations suggested in the following documents:

http://www.cisco.com/web/about/security/intelligence/acl-logging.html

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/guide/acl.html#wp1090858

and precisely

logging rate-limit 100 except errors

logging ip access-list cache interval 10

mls rate-limit unicast ip icmp unreachable acl-drop 0

logging ip access-list cache out (on the L3 interface)

ICMP Unreachables are suppressed.

Test results were:

with 20k pkts/sec, about 50% CPU

with many more (more than 100 Mbit of small hostile packets), about 85% CPU

What I did not understand is that the CPU usage was the same whether or not I used optimized ACLs (I saw in the logs that the OACLs were running correctly and matching).

The supervisor is a WS-F6K-PFC3B, and the gigabit boards have CFC installed.

Any idea on this odd result?

3 Replies

Panos Kampanakis (Cisco Employee)

Optimized ACLs make ACLs smaller. They do not have a great impact on performance unless there is a very significant ACL difference. What optimized ACLs do very well is make your ACLs smaller so they can fit in the hardware.

So unless there are thousands of lines of difference between the optimized and unoptimized ACLs, the CPU will not change.

I hope it helps.

PK

Surely it explains my results.

So we can say there is no way to further improve CPU resistance to an attack which triggers logging of denied packets on a single ACL line?

On a switch we can say no. In general, logging on high-performance cards on a per-packet basis is one of the number one reasons for CPU load.

Remember that you process switch every packet when you make it pass through an ACL that logs, which puts load on the CPU. Not recommended in general for CEF-enabled high-performance devices.

PK
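To make the two knobs in the original post concrete (the ACL log cache with its flush interval, and the syslog rate limiter), here is a small simulation of how they change the number of log messages produced by a flood of denied packets that all hit one ACL line. This is an added example written for this thread, not Cisco code and not the poster's configuration: the packet counts, addresses, message format and the behaviour of the cache and rate limiter are constructed approximations of what `logging ip access-list cache interval 10` and `logging rate-limit 100` do. It models only message volume; it does not model the per-packet punt to the route processor, which is the cost PK describes above and which neither knob removes.

```python
"""Constructed simulation: per-packet ACL logging vs. an ACL log cache vs. a syslog rate limit.

Assumptions (not Cisco behaviour verbatim):
  - per-packet logging emits one message per denied packet;
  - the log cache counts hits per flow (src, dst, proto, dport) and emits one
    summary per flow each time the interval elapses;
  - the rate limiter keeps at most N messages per wall-clock second and drops the rest.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    t: float      # arrival time in seconds (constructed)
    src: str
    dst: str
    proto: str
    dport: int


def flow_key(p: Packet):
    """The tuple the cache aggregates on (assumed key fields)."""
    return (p.src, p.dst, p.proto, p.dport)


def fmt(flow, n: int) -> str:
    src, dst, proto, dport = flow
    return f"list HOSTILE denied {proto} {src} -> {dst}({dport}), {n} packet(s)"


def per_packet_log(packets):
    """Plain 'log' keyword: one message per denied packet, timestamped at arrival."""
    return [(p.t, fmt(flow_key(p), 1)) for p in packets]


def cached_log(packets, interval: float = 10.0):
    """ACL log cache: accumulate per flow, flush one summary per flow per interval."""
    msgs, cache = [], defaultdict(int)
    window_end = interval

    def flush(at: float):
        for flow, n in cache.items():
            msgs.append((at, fmt(flow, n)))
        cache.clear()

    for p in sorted(packets, key=lambda p: p.t):
        while p.t >= window_end:          # interval elapsed: emit summaries
            flush(window_end)
            window_end += interval
        cache[flow_key(p)] += 1
    flush(window_end)                      # final flush of whatever is left
    return msgs


def rate_limit(msgs, per_second: int = 100):
    """'logging rate-limit N': keep at most N messages per second, count the rest as dropped."""
    kept, dropped, seen = [], 0, defaultdict(int)
    for t, text in sorted(msgs, key=lambda m: m[0]):
        sec = int(t)
        if seen[sec] < per_second:
            seen[sec] += 1
            kept.append((t, text))
        else:
            dropped += 1
    return kept, dropped


def synthetic_flood(n_flood: int = 2000, duration: float = 10.0):
    """Constructed traffic: one source flooding one denied port (200 pkt/s), plus 5 stray hits."""
    pkts = [Packet(i * duration / n_flood, "198.51.100.7", "192.0.2.10", "tcp", 445)
            for i in range(n_flood)]
    pkts += [Packet(1.0 + i, f"203.0.113.{i + 1}", "192.0.2.10", "tcp", 22) for i in range(5)]
    return pkts


def summarize(packets, interval: float = 10.0, per_second: int = 100) -> dict:
    raw = per_packet_log(packets)
    kept, dropped = rate_limit(raw, per_second)
    cached = cached_log(packets, interval)
    return {
        "denied_packets": len(packets),
        "per_packet_msgs": len(raw),
        "rate_limited_msgs": len(kept),
        "rate_limit_dropped": dropped,
        "cached_msgs": len(cached),
    }


if __name__ == "__main__":
    for k, v in summarize(synthetic_flood()).items():
        print(f"{k:>20}: {v}")
```

With the constructed flood the cache collapses 2005 denied packets into 6 messages (one per flow) while keeping the full hit count, whereas the rate limiter alone still emits 100 messages per second and silently drops the remainder, losing the count. That is why the cache is the preferred knob for syslog volume; it says nothing about the packets themselves still being handled in software, which is the point of PK's answer.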
