NBAR, logging and CEF

brymiller
Level 1

Let's say I'm using NBAR to color some inbound traffic and drop the traffic on an outbound interface...using an ACL. If I turn on logging on the access list applied to the OB interface, does that prevent NBAR from working? I ask because NBAR requires CEF; and CEF is invalidated with logging.

How about using PBR to drop traffic on the inbound interface and logging on *that* access-list?

TIA

Accepted Solution

johansens
Level 4

Interesting question...

I just tried the following scenarios:

Scenario 1)

- "ip nbar protocol-discovery" on fa0/0

- "ip access-group test in" on fa0/0

- "permit ip any any log" in the test-ACL

I then tried some pings and telnets to the router on the fa0/0 IP-address, and everything showed up in the protocol-discovery as normal.

Scenario 2)

- "match protocol telnet" and "match protocol icmp" in two different classes in a policy-map (test-map)

- "service-policy test-map input" on fa0/0

- Had the same inbound ACL as in Scenario 1

Made the same tests and the policy-map was working as normal.

Scenario 3)

The same as in Scenario 2, but I ran the test-traffic towards a loopback-interface in the router instead.

The same tests ran again, and everything seemed OK.

I haven't tried to actually route something through the router with this, but it would seem to me like adding log-statements to the ACEs doesn't affect NBAR as you asked about.

Exactly what the technical relationship between NBAR and CEF is, and its dos and don'ts, is yet to be answered...

Did it help?

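The set-up brymiller asks about, written out as an added IOS configuration together with the show commands for checking whether CEF and NBAR stay active once the logged ACL is applied; this is not configuration from the thread. Interface fa0/1, the DSCP value and the addresses are assumptions, and the thread does not confirm that the routed case behaves the same as johansens' tests.

```cisco
! Added example, not the poster's configuration: NBAR marks telnet and
! ICMP inbound on fa0/0, a logged ACL drops the marked traffic outbound on
! fa0/1. fa0/1, DSCP cs1 and the addresses are assumed values.
!
class-map match-any TELNET
 match protocol telnet
class-map match-any ICMP
 match protocol icmp
!
! "Color" the NBAR-classified traffic on the way in.
policy-map test-map
 class TELNET
  set ip dscp cs1
 class ICMP
  set ip dscp cs1
!
! Drop the colored traffic on the way out. The "log" keyword punts the
! packets that generate log messages to the CPU, so rate-limit logging
! rather than leaving the defaults on a busy interface.
ip access-list extended test
 deny ip any any dscp cs1 log
 permit ip any any
!
ip access-list logging interval 100
ip access-list log-update threshold 1000
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip nbar protocol-discovery
 service-policy input test-map
!
interface FastEthernet0/1
 ip address 198.51.100.1 255.255.255.0
 ip access-group test out
!
! Verification from exec mode, after sending test traffic through the box:
! show ip interface FastEthernet0/0 | include CEF
! show ip nbar protocol-discovery interface FastEthernet0/0
! show policy-map interface FastEthernet0/0 input
! show access-lists test
! show logging | include test
```

The first show command should still report that IP CEF switching is enabled, and the protocol-discovery and policy-map counters should keep incrementing while the ACL hit counts and syslog entries for "test" grow.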

2 Replies


Based on your findings I'm guessing that logging only affects CEF when the access-list is applied to the interface directly using an access-group.

Thanks for letting me bounce these questions off you!