03-22-2006 06:28 AM - edited 03-03-2019 02:24 AM
I want to see what traffic is coming from the following hosts/networks but DON'T want any logging to the 6509, only to the syslog server.
"logging 172.16.16.149" has been added already. When I add "log" to the end of each statement, it logs to the 6509 buffer and sends my CPU way up.
How do I send the traffic to the syslog server (172.16.16.149) only?
Here is the ACL:
access-list 110 deny ip 10.0.0.0 0.255.255.255 any
access-list 110 deny ip 172.16.0.0 0.15.255.255 any
access-list 110 deny ip 192.168.0.0 0.0.255.255 any
access-list 110 permit tcp 172.16.179.0 0.0.0.255 range 1 65535 any
access-list 110 permit udp 172.16.179.0 0.0.0.255 range 1 65535 any
access-list 110 permit ip 172.16.0.0 0.0.255.255 any
access-list 110 permit tcp 172.16.40.0 0.0.0.255 range 1 65535 any
access-list 110 permit udp 172.16.40.0 0.0.0.255 range 1 65535 any
access-list 110 permit ip 172.16.40.0 0.0.0.255 any
access-list 110 permit tcp 172.16.41.0 0.0.0.255 range 1 65535 any
access-list 110 permit udp 172.16.41.0 0.0.0.255 range 1 65535 any
access-list 110 permit ip 172.16.41.0 0.0.0.255 any
access-list 110 permit tcp 172.16.42.0 0.0.0.255 range 1 65535 any
access-list 110 permit udp 172.16.42.0 0.0.0.255 range 1 65535 any
access-list 110 permit ip 172.16.42.0 0.0.0.255 any
access-list 110 permit tcp 172.16.43.0 0.0.0.255 range 1 65535 any
access-list 110 permit udp 172.16.43.0 0.0.0.255 range 1 65535 any
access-list 110 permit ip 172.16.43.0 0.0.0.255 any
access-list 110 permit udp host 172.16.4.32 range 1 65535 any
access-list 110 permit ip host 172.16.4.32 any
access-list 110 permit ip any any
Solved! Accepted solution:
03-22-2006 12:35 PM
Bobby's advice about no logging buffer is one way to not get those access list log messages into the logging buffer. But it prevents ALL messages from the logging buffer and I think that might be a bit more than the original post wanted to do. I would suggest an alternate approach to modify the message severity level written to the logging buffer. The default is to send all messages (through level 7 or debugging). The access list log messages are severity level 6 (informational). If you set the logging level of the buffer to level 5 (notification) then you would get anything from notification or more severe but would not get the access list log messages or debug messages. You could also use this approach for the console if that were a concern.
So try this command:
logging buffer notification
and let us know what happens.
HTH
Rick
03-22-2006 07:44 AM
Hi,
If you only want messages logged to a syslog server, use the global configuration command "no logging buffered"
Now keep in mind that whenever you use the log keyword for an ACE, any matching packets will be switched by the CPU, so even if you only log the messages to a syslog server, you will still experience high CPU.
HTH,
Bobby
03-22-2006 02:19 PM
Good catch, Rick. I took the "no logging to the 6500" statement a little too literally.
-Bobby
03-22-2006 02:38 PM
Bobby
Both approaches achieve the stated goal of not logging to the 6500 buffer. You took his statement literally and I interpreted a bit.
As I think about this some more, I am surprised that logging to the buffer would send CPU so very high (since the buffer write does not usually take much overhead). I wonder if the 6500 is writing these messages to the console - which does drive CPU quite high. Perhaps the original poster can give us the first several lines of show logging - which will show what is being sent to the various logging destinations.
HTH
Rick
03-22-2006 03:33 PM
Well, it's the "log" statement in the ACE that is causing the high cpu, rather than the process of the logging itself.
Any packet matching an ACE with a log keyword must be processed by the CPU, except in certain situations:
"Access control entries (ACEs) that require logging, with the log keyword
This applies to ACL log and VLAN ACL (VACL) log features. ACEs in the same ACL that do not require logging still process in hardware. The Supervisor Engine 720 with PFC3 supports the rate limit of packets that are redirected to the MSFC for ACL and VACL logging. The Supervisor Engine 2 supports the rate limit of packets that are redirected to the MSFC for VACL logging. Support for ACL logging on the Supervisor Engine 2 is scheduled for the Cisco IOS Software Release 12.2S branch."
http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00804916e0.shtml#acl
-Bobby
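Putting the two answers together: the ACL log messages (%SEC-6-IPACCESSLOGP and friends) are severity 6, so the fix is to leave the syslog trap level at informational, raise the buffer and console thresholds to notifications, and put "log" only on the ACEs you actually need to watch, since every packet matching a logged ACE is punted to the MSFC regardless of where the message is delivered. The configuration below is an added example written for this thread, not anyone's posted config; it assumes IOS on a Catalyst 6500 and reuses the syslog host from the question. It also places the logged permits ahead of the broad RFC 1918 denies so that they can actually match, and uses a different ACL number so it does not collide with the poster's list 110.

```cisco
! Added example, not from any post in this thread.
! Assumes Catalyst 6500 running IOS; syslog host taken from the question.
!
! Weak setting (the default): buffer and console accept everything through
! level 7 (debugging), so every level-6 ACL log message is written locally
! as well as sent to the syslog host.
!
! Corrected logging destinations and thresholds:
logging host 172.16.16.149
! Same as the older form "logging 172.16.16.149".
logging trap informational
! Level 6 (the default for syslog) keeps the ACL log messages going to the server.
logging buffered 64000 notifications
! Level 5: the local buffer keeps emergencies through notifications and
! no longer receives the level-6 ACL messages.
logging console notifications
! Console writes are expensive on the route processor; raise its threshold too
! (many sites simply use "no logging console").
!
! Log only the ACEs you need to watch. A "log" on the final
! "permit ip any any" would punt nearly all traffic to the CPU.
access-list 111 permit ip 172.16.179.0 0.0.0.255 any log
access-list 111 permit ip 172.16.40.0 0.0.0.255 any log
access-list 111 permit ip 172.16.41.0 0.0.0.255 any log
access-list 111 permit ip host 172.16.4.32 any log
access-list 111 deny ip 10.0.0.0 0.255.255.255 any
access-list 111 deny ip 172.16.0.0 0.15.255.255 any
access-list 111 deny ip 192.168.0.0 0.0.255.255 any
access-list 111 permit ip any any
```

After applying this, the first lines of "show logging" should report buffer logging and console logging at level notifications and trap logging at level informational, which is the check Rick asked for. Expect CPU to drop only in proportion to how much traffic the logged ACEs still match; the severity thresholds change where messages go, not how many packets the hardware hands to the MSFC.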