
How does a logging access-list affect router's performance???

gjstem
Level 1

Fellow Engineers,

I'm curious how an IP access-list with logging enabled affects packet switching of traffic traversing an interface to which it is applied.

Will packets now be process switched?

How does it compare to debug ip packet?

Secondly, I've seen Engineers at my work utilize this type of access-list with logging enabled to the buffer and "permit ip any any" on 7500 production routers for traffic analysis purposes. Is this a safe practice? Can I use a logging access-list in a production environment on low-end routers also for troubleshooting purposes? CCO does mention that some measures are implemented in the IOS to control the packet logging function so as not to allow it to crash the router.

Your responses are appreciated.

4 Replies

scarothe
Level 1

Greetings:

My answer is a definite maybe. Any time you do a log or debug, the router is now becoming a sniffer in a fashion and you are going to use up more CPU. How much it affects the router is a function of what packets you are watching for logging. I am not aware of any fast and true rule. Basically, get your router up and running without the logging function on the access-list, apply the list and see how much effect it has. You may find you have to remove some of the logging parameters to monitor.

Thanks...Steve

Gilles Dufour
Cisco Employee

This function is limited to 1 message per second.

So, the resources are somehow protected.

However, I would still recommend to take some precaution when using this feature.

Logging events to the screen is very resource consuming and can lead to a router crash if you try to log too much information.

So, first, do not try to log to the screen.

Logging to the buffer is ok, but it will still consume resources.

Then logging all ip traffic is not a good idea.

The log keyword should only be used for troubleshooting or to detect abnormal situations.

Therefore it should be limited to a certain traffic.

If you want to have information about traffic patterns, other methods exist like ip accounting ('show traffic') or netflow.

Finally, yes, you can use it on low-end platforms.

I use it myself on a 805 to detect illegal access to some devices.
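The following IOS configuration is an added example, not part of the thread, showing one way to apply the advice above: keep ACL log messages off the console, rate-limit them, and attach the log keyword only to the narrow traffic being investigated instead of "permit ip any any". Interface names, addresses, ACL number, buffer size and the log-update threshold are assumed values.

```ios
! Added example (not from the thread). Assumes an IOS release that supports the
! "ip access-list log-update threshold" and "ip access-list logging interval"
! commands; interface, host address and ACL number are placeholders.
!
! 1. Never send ACL log messages to the console; keep them in the local buffer.
no logging console
logging buffered 16384 informational
!
! 2. Bound how often "log" entries generate syslog messages so a flood of
!    matching packets cannot overwhelm the router.
ip access-list log-update threshold 100
ip access-list logging interval 1000
!
! 3. Weak pattern (what the original poster saw in production): every packet
!    on the interface is a logging candidate.
!    access-list 100 permit ip any any log
!
!    Safer pattern: log only the specific traffic being troubleshot or watched
!    for abnormal activity, and let everything else pass without logging.
access-list 101 remark --- log only Telnet attempts to the management host
access-list 101 deny   tcp any host 192.0.2.10 eq 23 log
access-list 101 permit ip any any
!
interface Serial0
 ip access-group 101 in
!
! 4. For source/destination traffic patterns use accounting instead of logging
!    (inspect with "show ip accounting"), or enable NetFlow where supported.
interface Serial0
 ip accounting output-packets
```

The buffered messages are read with "show logging"; the log-update threshold and logging interval only bound message generation, they do not change which packets the ACL permits or denies.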

Thanks for the response.

In response to your remarks, is ip accounting the least processor intensive method of performing a traffic analysis that provides source/destination addresses? I have found ip accounting useful but have been hesitant to enable it on interfaces that have high amounts of traffic (more than 1mb on 2500/2600/3600). Secondly, it does not provide any information pertaining to types of ip traffic. Netflow switching definitely provides some good info with regards to seeing ports/source/destination of ip traffic. By enabling netflow switching on an interface, are there any precautions/performance considerations as compared to fast switching?

Thanks again for the responses.

Hi.

Regarding NetFlow, be aware that besides some extra load it will put on the router itself, it will generate some meaningful traffic on your network...

Please don't ask me how much traffic it will generate, because it depends... and I don't know!

Rgds.

NM