Re: Access-List Logging Rate Limit

From: nhatphuc (nhatphuc@gmail.com)
Date: Thu Jan 24 2008 - 13:21:48 ARST


Hello,

I don't know that feature's name so I called it ACL Logging Rate Limit. I
meant limiting the number of ACL log messages.

From my understanding ip access-list logging interval and ip access-list
log-update threshold are used to limit the number of ACL log messages. But
you said I was dropping the packet and couldn't do anything.

So can you tell me in which case to use these 2 commands? And how to limit the
number of log messages?

Thank you

Phuc

On Jan 24, 2008 1:48 PM, shiran guez <shiranp3@gmail.com> wrote:

>
> http://www.cisco.com/en/US/docs/ios/12_2/qos/command/reference/qrfcmd1.html#wp1017391
>
> I do not think what you are looking for is rate limit as this is more
> related to CAR and you do not want to allow the traffic in and slow it, you
> just want to reduce the log size.
>
> Also I see that you increased the logging interval and update threshold.
> The packets are coming to you and you are dropping them already so you can't
> do anything else. I once had a problem with an attacker on one of my Linux
> servers and I had huge logs, like more than 40GB, and I traced it back to
> the ISP that was relaying the attack and he apologized as he was also under
> that attack from another source, but when he managed to stop it on his side
> then it stopped going to my end. Other than that I could not do anything else
> except clean the logs more often.
>
> usually the problems with this attack are finding the source and stopping
> him.
>
> On Jan 23, 2008 7:01 PM, nhatphuc <nhatphuc@gmail.com> wrote:
>
> > Hi Group,
> >
> > My router is under login attack. There're many logged messages output on
> > console:
> >
> > Jan 23 23:40:43 : %SEC-6-IPACCESSLOGP: list sl_def_acl denied tcp
> > 192.248.88.10(36752) -> 0.0.0.0(22), 1 packet
> > Jan 23 23:40:44 : %SEC-6-IPACCESSLOGP: list sl_def_acl denied tcp
> > 192.248.88.10(37556) -> 0.0.0.0(22), 1 packet
> > Jan 23 23:40:46 : %SEC-6-IPACCESSLOGP: list sl_def_acl denied tcp
> > 192.248.88.10 (37737) -> 0.0.0.0 (22), 1 packet
> >
> > I've configured rate limit for access-list like this:
> >
> > ip access-list logging interval 30000
> > ip access-list log-update threshold 10000
> >
> > But there are still many messages outputted. How can I slow it down? And
> > how
> > to use access-list rate limit feature? I think the parameters I
> > configured
> > are rather high but they didn't help.
> >
> > Thanks
> >
> > Phuc
>
>
>
> --
> Shiran Guez
> MCSE CCNP NCE1
> http://cciep3.blogspot.com
> http://www.linkedin.com/in/cciep3
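
The reply above points at finding the source of the denied traffic. As an added example (not part of the original messages), this script tallies %SEC-6-IPACCESSLOGP denied entries by source address and destination port; the sample lines are constructed in the format shown in the thread, using documentation addresses.

```python
import re
from collections import Counter

# IPACCESSLOGP body as it appears in the thread. Whitespace before the
# parenthesised port is optional because one archived line contains it.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>[\d.]+)\s*\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\s*\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

def parse_line(line):
    """Return a dict of fields for an IPACCESSLOGP line, or None for anything else."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for field in ("sport", "dport", "count"):
        rec[field] = int(rec[field])
    return rec

def summarize(lines):
    """Count log messages and logged packets per (source, protocol, dest port)."""
    messages, packets = Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] != "denied":
            continue
        key = (rec["src"], rec["proto"], rec["dport"])
        messages[key] += 1            # one syslog line
        packets[key] += rec["count"]  # packets that line reports
    return messages, packets

# Constructed sample input (not taken from a real router).
SAMPLE = [
    "Jan 23 23:40:43 : %SEC-6-IPACCESSLOGP: list sl_def_acl denied tcp 192.0.2.10(36752) -> 0.0.0.0(22), 1 packet",
    "Jan 23 23:40:44 : %SEC-6-IPACCESSLOGP: list sl_def_acl denied tcp 192.0.2.10(37556) -> 0.0.0.0(22), 1 packet",
    "Jan 23 23:40:46 : %SEC-6-IPACCESSLOGP: list sl_def_acl denied tcp 192.0.2.10 (37737) -> 0.0.0.0 (22), 1 packet",
    "Jan 23 23:45:46 : %SEC-6-IPACCESSLOGP: list sl_def_acl denied tcp 192.0.2.10(37737) -> 0.0.0.0(22), 14 packets",
    "Jan 23 23:46:02 : %SEC-6-IPACCESSLOGP: list sl_def_acl denied tcp 198.51.100.7(51000) -> 0.0.0.0(23), 2 packets",
    "Jan 23 23:46:05 : %SYS-5-CONFIG_I: Configured from console by console",
]

if __name__ == "__main__":
    msgs, pkts = summarize(SAMPLE)
    for (src, proto, dport), n in msgs.most_common():
        print(f"{src} -> {proto}/{dport}: {n} messages, {pkts[(src, proto, dport)]} packets")
```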



This archive was generated by hypermail 2.1.4 : Fri Feb 01 2008 - 10:38:01 ARST