pirlo

ip access-list logging interval

4 posts in this topic

Hi,

I don't understand clearly why this command is used.

In the router I want to NAT, so I write an ACL.

If I use "ip access-list logging interval 6000", the packet matches the ACL and the packet is NATed.

But if I don't use this command, the packet does not match the ACL.

Can you explain the reason?

Why do you use this command?



Could you make it clearer? This command only sets the interval at which the equipment will log ACL matches. This is useful for preventing DoS attacks from overwhelming the equipment. I don't think it has anything to do with NAT.

And it works only if you add the log keyword at the end of the ACL line.



That command has nothing to do with NAT; use something like #debug ip nat detailed to see NAT messages.

ip access-list logging interval <time in ms> is used to restrict the number of process-switched packets your router has to deal with when displaying log messages (because every log is process-switched).

So with that command you define the time between two process-switched packets. If you put 6000, it means one packet is process-switched every 6 seconds.

There's another handy command, ip access-list log-update threshold <# of hits>, which lets you define how many hits there have to be on your access-list before the router will display a log message.
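As an added illustration (not part of any post in this thread), the following IOS configuration fragment shows how the pieces described above fit together: the log keyword on the ACL entries, the logging interval, and the log-update threshold. The ACL number, addresses and the threshold value of 100 are placeholders chosen for the example, and the debug command is only mentioned in a comment because it is an exec-mode command, not configuration.

```cisco
! Added example, not from the thread. Addresses and values are placeholders.
!
! The "log" keyword is what makes an ACE generate syslog messages.
! Without it, the two global commands below have no effect on that entry.
access-list 1 permit 192.168.50.0 0.0.0.3 log
access-list 1 deny   any log
!
! Allow at most one logged (process-switched) packet per ACE every 6000 ms,
! so a flood of matching packets cannot drive the CPU through logging alone.
ip access-list logging interval 6000
!
! Emit a log update once an ACE has accumulated 100 hits since the last
! message, instead of waiting for the periodic summary (placeholder value).
ip access-list log-update threshold 100
!
! NAT behaviour is verified separately, from exec mode:
!   debug ip nat detailed
!   undebug all          <- turn it off again when done
```

The two global commands only shape how often a logging ACE is process-switched and reported; they do not change whether a packet matches an entry, so NAT troubleshooting belongs with the NAT debug, not with these settings.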



If I use "log" at the end of the ACL, for example

"access-list 1 permit 192.168.50.0 0.0.0.3 log"

an incoming packet is matched once by the ACL, but after that other incoming packets from the same network aren't matched by the same ACL. But if I don't use "log" at the end of the ACL, all packets are matched by the ACL. When I researched the reason, I found the command "ip access-list logging interval". If I use "log" at the end of the ACL and I use the command "ip access-list logging interval", there isn't any problem. If I don't use the command "ip access-list logging interval", packets aren't matched by the ACL.

I don't understand the relation between the log keyword of the ACL and process switching.

Thanks.
