From: Mohmmad, Imran (Imran.Mohmmad@amd.com)
Date: Sun Jan 27 2008 - 02:39:29 ARST
Hi,
Use of the logging rate-limit message-rate [except severity-level] command
limits the CPU impact of log generation and transmission.
This command applies to all syslog messages and is not exclusive to
those created through ACL logging. Although this command does limit the
number of packets that must be generated and sent by the network device,
it does nothing to reduce the number of input packets that are process
switched by the device CPU. For this reason, it is imperative that the
ip access-list logging interval command be used in conjunction with the
logging rate-limit command.
For example:
logging rate-limit 100 except 4
<in the example it limits log generation and transmission to 100 messages per second except for log levels 4>
Imran
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of nhatphuc
Sent: Thursday, January 24, 2008 9:18 AM
To: shiran guez
Cc: ccielab@groupstudy.com
Subject: Re: Access-List Logging Rate Limit
Yes, but it didn't work as I thought.
Can you have a look at my config and tell me why?
Thanks
On Jan 24, 2008 11:31 PM, shiran guez <shiranp3@gmail.com> wrote:
> ip access-list logging interval will set the amount of time between your
> updates
>
> ip access-list log-update threshold will set the log to generate a message
> every number of hits.
>
> So I think this is what you are looking for according to what you specify
> below.
>
>
>
> On Jan 24, 2008 5:21 PM, nhatphuc <nhatphuc@gmail.com> wrote:
>
> > Hello,
> >
> > I don't know that feature's name so called it ACL Logging Rate Limit. I
> > meant limiting the number of ACL log messages.
> >
> > From my understanding ip access-list logging interval and ip access-list
> > log-update threshold are used to limit the number of ACL log messages. But
> > you said I was dropping the packet and couldn't do anything.
> >
> > So can you tell me which case to use these 2 commands? And how to limit
> > the number of log messages?
> >
> > Thank you
> >
> > Phuc
> >
> >
> > On Jan 24, 2008 1:48 PM, shiran guez < shiranp3@gmail.com> wrote:
> >
> > >
> > > http://www.cisco.com/en/US/docs/ios/12_2/qos/command/reference/qrfcmd1.html#wp1017391
> > >
> > > I do not think what you are looking for is rate limit as this is more
> > > related to CAR and you do not want to allow the traffic in and slow it, you
> > > just want to reduce the log size.
> > >
> > > Also I see that you increased the logging interval and update
> > > threshold. The packets are coming to you and you are dropping them already
> > > so you can't do anything else. I had once a problem with an attacker on one
> > > of my Linux servers and I had huge logs like more than 40GB and I have
> > > traced back to the ISP that is relaying the attack and he apologized as he
> > > was also under that attack from another source but when he managed to stop
> > > it on his side then it stopped going to my end. Other than that I could not
> > > do anything else except clean the logs more often.
> > >
> > > Usually the problems with this attack are finding the source and
> > > stopping him.
> > >
> > > On Jan 23, 2008 7:01 PM, nhatphuc <nhatphuc@gmail.com> wrote:
> > >
> > > > Hi Group,
> > > >
> > > > My router is under login attack. There're many logged messages
> > > > output on console:
> > > >
> > > > Jan 23 23:40:43 : %SEC-6-IPACCESSLOGP: list sl_def_acl denied tcp 192.248.88.10(36752) -> 0.0.0.0 (22), 1 packet
> > > > Jan 23 23:40:44 : %SEC-6-IPACCESSLOGP: list sl_def_acl denied tcp 192.248.88.10(37556) -> 0.0.0.0(22), 1 packet
> > > > Jan 23 23:40:46 : %SEC-6-IPACCESSLOGP: list sl_def_acl denied tcp 192.248.88.10 (37737) -> 0.0.0.0 (22), 1 packet
> > > >
> > > > I've configured rate limit for access-list like this:
> > > >
> > > > ip access-list logging interval 30000
> > > > ip access-list log-update threshold 10000
> > > >
> > > > But there are still many messages outputted. How can I slow it down?
> > > > And how to use access-list rate limit feature? I think the parameters I
> > > > configured are rather high but they didn't help.
> > > >
> > > > Thanks
> > > >
> > > > Phuc
> > > >
> > > >
> > > >
This archive was generated by hypermail 2.1.4 : Fri Feb 01 2008 - 10:38:01 ARST