04-08-2002 03:13 PM - edited 03-01-2019 09:12 PM
Fellow Engineers,
I'm curious how an ip access-list with logging enabled affects packet switching of traffic traversing an interface to which it is applied.
Will packets now be process switched?
How does it compare to debug ip packet?
Secondly, I've seen Engineers at my work utilize this type of access-list with logging enabled to the buffer and "permit ip any any" on 7500 production routers for traffic analysis purposes. Is this a safe practice? Can I use a logging access-list in a production environment on low-end routers also for troubleshooting purposes? CCO does mention some measures are implemented in the IOS to control the packet logging function so as not to allow it to crash the router.
Your responses are appreciated.
04-08-2002 04:19 PM
Greetings:
My answer is a definite maybe. Any time you do a log or debug, the router is now becoming a sniffer in a fashion and you are going to use up more CPU. How much it affects the router is a function of what packets you are watching for logging. I am not aware of any fast and true rule. Basically, get your router up and running without the logging function on the access-list, apply the list and see how much effect it has. You may find you have to remove some of the logging parameters to monitor.
Thanks...Steve
04-08-2002 04:25 PM
This function is limited to 1 message per second.
So, the resources are somehow protected.
However, I would still recommend to take some precaution when using this feature.
Logging events to the screen is very resource consuming and can lead to a router crash if you try to log too much information.
So, first, do not try to log to the screen.
Logging to the buffer is ok, but it will still consume resources.
Then logging all ip traffic is not a good idea.
The log keyword should only be used for troubleshooting or to detect abnormal situation.
Therefore it should be limited to a certain traffic.
If you want to have information about traffic patterns, other methods exist like ip accounting ('show traffic') or netflow.
Finally, yes you can use it on low-end platforms.
I use it myself on a 805 to detect illegal access to some devices.
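The contrast this reply draws, written out as an added IOS configuration example (it is not from the thread or from Cisco): the risky form of a logged access list next to a contained one, followed by the ip accounting and NetFlow alternatives the reply mentions. Interface names, the 192.0.2.0/24 addresses, the collector address and port are assumptions, and the log-update threshold command assumes an IOS release that supports it.

```cisco
! Added example, not from the thread. Interfaces, addresses and the
! collector are assumptions.

! --- Risky: every packet matches a logged entry and messages go to the
! console, which is the combination that can take the CPU with it.
logging console
access-list 100 permit ip any any log
interface FastEthernet0/0
 ip access-group 100 in

! --- Contained: keep the console quiet, log to the buffer, and put "log"
! only on the narrow entries you are actually troubleshooting.
no logging console
logging buffered 65536 informational
! Throttle how often a logged entry may generate a message (assumes an IOS
! release that has this command).
ip access-list log-update threshold 100

ip access-list extended EDGE-IN
 ! Record attempts to reach the router's management services. log-input
 ! adds the ingress interface and source MAC to the message.
 deny   tcp any host 192.0.2.1 eq 23 log-input
 deny   tcp any host 192.0.2.1 eq 22 log-input
 ! Everything else is permitted WITHOUT "log".
 permit ip any any
interface FastEthernet0/0
 ip access-group EDGE-IN in

! --- Traffic patterns without the log keyword:
! ip accounting: per source/destination byte and packet counts, no ports.
interface FastEthernet0/0
 ip accounting output-packets
! NetFlow: addresses, protocol, ports and bytes per flow. Exporting the
! cache to a collector puts UDP traffic on the network, which is the
! point raised later in the thread.
interface FastEthernet0/0
 ip route-cache flow
ip flow-export version 5
ip flow-export destination 192.0.2.50 9996

! Verification:
! show logging          -> %SEC-6-IPACCESSLOGP lines produced by EDGE-IN
! show ip accounting    -> counters per source/destination pair
! show ip cache flow    -> flow table with protocol and ports
! show processes cpu    -> compare "IP Input" before and after applying the list
```

Apply the list and compare show processes cpu before and after, as the first reply suggests; if IP Input climbs, the logged entries are the first thing to narrow.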
04-08-2002 06:54 PM
thanks for the response,
In response to your remarks, is ip accounting the least processor intensive method of performing a traffic analysis that provides source/destination addresses? I have found ip accounting useful but have been hesitant to enable it on interfaces that have high amounts of traffic (more than 1 Mb on 2500/2600/3600). Secondly, it does not provide any information pertaining to types of ip traffic. Netflow switching definitely provides some good info with regards to seeing ports/source/destination of ip traffic. By enabling netflow switching on an interface, are there any precautions/performance considerations as compared to fast switching?
thanks again for the responses
04-09-2002 02:11 AM
Hi.
Regarding NetFlow, be aware that besides some extra load it will put on the router itself, it will generate some meaningful traffic on your network...
Please don't ask me how much traffic it will generate, because it depends... and I don't know!
Rgds.
NM