Re: Access-List Logging Rate Limit

From: shiran guez (shiranp3@gmail.com)
Date: Thu Jan 24 2008 - 15:24:15 ARST


What you configured says that every 8.3 min you will generate up to 10000
messages.

set:
ip access-list logging interval 30000
ip access-list log-update threshold 1 or 10

On Jan 24, 2008 7:18 PM, nhatphuc <nhatphuc@gmail.com> wrote:

> Yes, But it didn't work as I thought.
>
> Can you have a look at my config and tell me why?
>
> Thanks
>
>
> On Jan 24, 2008 11:31 PM, shiran guez < shiranp3@gmail.com> wrote:
>
> > ip access-list logging interval will set the amount of time between your
> > updates
> >
> > ip access-list log-update threshold will set the log to generate a
> > message every number of hits.
> >
> > so I think this is what you are looking for according to what you
> > specify below.
> >
> >
> >
> > On Jan 24, 2008 5:21 PM, nhatphuc <nhatphuc@gmail.com> wrote:
> >
> > > Hello,
> > >
> > > I don't know that feature's name so I called it ACL Logging Rate Limit.
> > > I meant limiting the number of ACL log messages.
> > >
> > > From my understanding ip access-list logging interval and ip
> > > access-list log-update threshold are used to limit the number of ACL log
> > > messages. But you said I was dropping the packet and couldn't do anything.
> > >
> > > So can you tell me which case to use these 2 commands? And how to
> > > limit the number of log messages?
> > >
> > > Thank you
> > >
> > > Phuc
> > >
> > >
> > > On Jan 24, 2008 1:48 PM, shiran guez < shiranp3@gmail.com> wrote:
> > >
> > > >
> > > > http://www.cisco.com/en/US/docs/ios/12_2/qos/command/reference/qrfcmd1.html#wp1017391
> > > >
> > > > I do not think what you are looking for is rate limit as this is
> > > > more related to CAR and you do not want to allow the traffic in and slow it,
> > > > you just want to reduce the log size.
> > > >
> > > > Also I see that you increased the logging interval and update
> > > > threshold. The packets are coming to you and you are dropping them already
> > > > so you can't do anything else. I had once a problem with an attacker on one
> > > > of my Linux servers and I had huge logs like more than 40GB and I have
> > > > traced back to the ISP that is relaying the attack and he apologized as he
> > > > was also under that attack from another source but when he managed to stop
> > > > it on his side then it stopped going to my end. Other than that I could not
> > > > do anything else except clean the logs more often.
> > > >
> > > > usually the problems with this attack are finding the source and
> > > > stopping him.
> > > >
> > > > On Jan 23, 2008 7:01 PM, nhatphuc <nhatphuc@gmail.com> wrote:
> > > >
> > > > > Hi Group,
> > > > >
> > > > > My router is under login attack. There're many logged messages
> > > > > output on
> > > > > console:
> > > > >
> > > > > Jan 23 23:40:43 : %SEC-6-IPACCESSLOGP: list sl_def_acl denied tcp
> > > > > 192.248.88.10(36752) -> 0.0.0.0 (22), 1 packet
> > > > > Jan 23 23:40:44 : %SEC-6-IPACCESSLOGP: list sl_def_acl denied tcp
> > > > > 192.248.88.10(37556) -> 0.0.0.0(22), 1 packet
> > > > > Jan 23 23:40:46 : %SEC-6-IPACCESSLOGP: list sl_def_acl denied tcp
> > > > > 192.248.88.10 (37737) -> 0.0.0.0 (22), 1 packet
> > > > >
> > > > > I've configured rate limit for access-list like this:
> > > > >
> > > > > ip access-list logging interval 30000
> > > > > ip access-list log-update threshold 10000
> > > > >
> > > > > But there are still many messages outputted. How can I slow it
> > > > > down? And how
> > > > > to use access-list rate limit feature? I think the parameters I
> > > > > configured
> > > > > are rather high but they didn't help.
> > > > >
> > > > > Thanks
> > > > >
> > > > > Phuc
> > > > >
> > > > >
> > > > >
> > > >
> > > >
> > > >
> > > > --
> > > > Shiran Guez
> > > > MCSE CCNP NCE1
> > > > http://cciep3.blogspot.com
> > > > http://www.linkedin.com/in/cciep3
> > >
> > >
> > >
> >
> >
> >
>
>

-- 
Shiran Guez
MCSE CCNP NCE1
http://cciep3.blogspot.com
http://www.linkedin.com/in/cciep3
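
Added example (not part of the original thread): since the thread ends on finding the source of the denied traffic, this Python sketch parses %SEC-6-IPACCESSLOGP lines in the format quoted above and totals denied packets per source and destination port. The first three sample lines are the ones from the thread with the mail wrapping undone; the last two are constructed, and the function names are this example's own.

```python
import re
from collections import Counter

# Format as quoted in the thread. Spacing before the "(port)" groups varies
# in the archived lines, so optional whitespace is allowed there.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+)\s+(?P<src>\d+(?:\.\d+){3})\s*\((?P<sport>\d+)\)\s*->\s*"
    r"(?P<dst>\d+(?:\.\d+){3})\s*\((?P<dport>\d+)\),\s*(?P<count>\d+) packets?"
)

SAMPLE = [
    "Jan 23 23:40:43 : %SEC-6-IPACCESSLOGP: list sl_def_acl denied tcp 192.248.88.10(36752) -> 0.0.0.0 (22), 1 packet",
    "Jan 23 23:40:44 : %SEC-6-IPACCESSLOGP: list sl_def_acl denied tcp 192.248.88.10(37556) -> 0.0.0.0(22), 1 packet",
    "Jan 23 23:40:46 : %SEC-6-IPACCESSLOGP: list sl_def_acl denied tcp 192.248.88.10 (37737) -> 0.0.0.0 (22), 1 packet",
    # Constructed: an update message that reports an aggregated hit count.
    "Jan 23 23:45:46 : %SEC-6-IPACCESSLOGP: list sl_def_acl denied tcp 198.51.100.7(40112) -> 0.0.0.0(22), 12 packets",
    # Constructed: an unrelated syslog line that must be skipped.
    "Jan 23 23:45:50 : %SYS-5-CONFIG_I: Configured from console by console",
]

def parse(line):
    """Return the message fields as a dict, or None if the line is not an ACL log."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "count"):
        rec[key] = int(rec[key])
    return rec

def summarize(lines):
    """Total denied packets per (source IP, destination port).

    Uses the packet count each message reports rather than counting lines,
    so the totals stay correct when the router batches hits into one message.
    """
    totals = Counter()
    for line in lines:
        rec = parse(line)
        if rec and rec["action"] == "denied":
            totals[(rec["src"], rec["dport"])] += rec["count"]
    return totals

def top_sources(lines, n=5):
    """The n (source, port) pairs with the most denied packets."""
    return summarize(lines).most_common(n)

if __name__ == "__main__":
    for (src, dport), packets in top_sources(SAMPLE):
        print(f"{src} -> port {dport}: {packets} denied packets")
```
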


This archive was generated by hypermail 2.1.4 : Fri Feb 01 2008 - 10:38:01 ARST