Cisco Support Community

New Member

ACL logging on CPU and optimized logging

Hello all.

Following an incident that happened some time ago, I supposed we had a big CPU impact due to ACL logging of denied packets.

As I have a cat6509 not yet in production, I used it for tests, applying the configurations suggested in the following documents

and precisely:

logging rate-limit 100 except errors

logging ip access-list cache interval 10

mls rate-limit unicast ip icmp unreachable acl-drop 0

logging ip access-list cache out (on the L3 interface)

ICMP Unreachables are suppressed.

Test results were:

with 20k pkts/sec about 50% CPU

with many more (more than 100 Mbit of small hostile packets) about 85% CPU

What I did not understand is that the CPU usage was the same whether I used optimized ACL or not (I saw in the logs that OACL was running correctly and matched).

Supervisor is a WS-F6K-PFC3B, gigabit boards have CFC installed.

Any idea on this odd result?
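As an added illustration, not part of the original thread and not Cisco's code: a small Python model of the three logging stages named in the configuration above, to show why each one changes the number of syslog messages the route processor has to produce. A plain `deny ... log` entry yields one message per denied packet; `logging ip access-list cache interval N` is modelled as one summary message per flow per interval; `logging rate-limit N` is modelled as a cap of N messages per one-second bucket. The flow key (src, dst, proto, dport), the fixed interval windows starting at t=0, the one-second bucket and the flood traffic are all constructed assumptions of this model; the severity exemption of `except errors` is not modelled, and the counts are the model's, not measurements from a switch.

```python
"""Simplified model of how ACL-deny logging turns packets into syslog messages.

Three stages are modelled, named after the IOS commands in the thread:
  * per-packet logging  (a plain `deny ... log` entry)
  * cache aggregation   (`logging ip access-list cache interval N`)
  * message rate limit  (`logging rate-limit N`)
The counts are what this model produces, not measurements from a real switch.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    t: float      # arrival time in seconds since the start of the (constructed) capture
    src: str
    dst: str
    proto: str
    dport: int

    def flow(self):
        # Assumed flow key for cache aggregation.
        return (self.src, self.dst, self.proto, self.dport)


def make_flood(sources, pps_per_source, seconds, dst="192.0.2.10", dport=23):
    """Constructed traffic: each source sends pps_per_source packets per second
    to one destination port; every packet is assumed to hit a `deny ... log` line."""
    pkts = []
    for src in sources:
        for i in range(pps_per_source * seconds):
            pkts.append(Packet(i / pps_per_source, src, dst, "tcp", dport))
    return sorted(pkts, key=lambda p: p.t)


def per_packet_log(packets):
    """One syslog message per denied packet: message count == packet count."""
    return [(p.t, f"denied {p.proto} {p.src} -> {p.dst}({p.dport}), 1 packet")
            for p in packets]


def cached_log(packets, interval):
    """Aggregate matches per flow and emit one summary per flow per interval.
    Windows are assumed to be aligned at t=0 and flushed at their end."""
    msgs, cache, window_start = [], defaultdict(int), 0.0

    def flush(at):
        for (src, dst, proto, dport), n in cache.items():
            msgs.append((at, f"denied {proto} {src} -> {dst}({dport}), {n} packets"))
        cache.clear()

    for p in packets:                        # packets are sorted by time
        while p.t >= window_start + interval:
            flush(window_start + interval)
            window_start += interval
        cache[p.flow()] += 1
    flush(window_start + interval)           # final, possibly partial, window
    return msgs


def rate_limit(msgs, per_second):
    """Keep at most per_second messages per one-second bucket; drop the rest."""
    kept, seen = [], defaultdict(int)
    for t, text in msgs:
        bucket = int(t)
        if seen[bucket] < per_second:
            seen[bucket] += 1
            kept.append((t, text))
    return kept


if __name__ == "__main__":
    # Constructed flood: 3 sources x 500 pps for 2 s = 3000 denied packets.
    flood = make_flood(["198.51.100.1", "198.51.100.2", "198.51.100.3"], 500, 2)
    print("packets:", len(flood))
    print("per-packet messages:", len(per_packet_log(flood)))
    print("cached, 10 s interval:", len(cached_log(flood, 10)))
    print("cached, 1 s interval:", len(cached_log(flood, 1)))
    print("per-packet + rate-limit 100:", len(rate_limit(per_packet_log(flood), 100)))
```

With the constructed flood, per-packet logging produces 3000 messages, the 10-second cache produces 3 (one per flow, each carrying a count of 1000), and the 100-per-second rate limit reduces the per-packet stream to 200. The model only counts messages; it says nothing about how many packets still have to be punted to the CPU to be counted, which is the part of the cost the thread is really about.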

Cisco Employee

Re: ACL logging on CPU and optimized logging

Optimized ACLs make ACLs smaller. They do not have a great impact on performance unless there is a very significant ACL difference. What optimized ACLs do very well is make your ACLs smaller so they can fit in the hardware.

So unless there are thousands of lines of difference between optimized and unoptimized ACLs, the CPU will not change.

I hope it helps.


New Member

Re: ACL logging on CPU and optimized logging

Surely it explains my results.

So we can say there is no way to further improve CPU resistance to an attack which triggers logging of denied packets on a single ACL line?

Cisco Employee

Re: ACL logging on CPU and optimized logging

On a switch we can say no. In general, logging on high performance cards on a per packet basis is one of the number one reasons for CPU load.

Remember you process switch every packet when you make it pass through an ACL that logs, which puts load on the CPU. Not recommended in general for CEF enabled high performance devices.