ip access-list logging interval


3 replies to this topic

#1 pirlo
Newbie, Members, 2 posts

Posted 28 October 2009 - 02:09 AM

Hi,

I don't clearly understand why this command is used.
In the router I want to do NAT, so I write an ACL.
If I use "ip access-list logging interval 6000", the packet matches the ACL and NAT is done on the packet.
But if I don't use this command, the packet does not match the ACL.
Can you explain the reason for this?
Why do you use this command?

#2 laf_c
Firewalls&Routing specialist, Members, 1787 posts, Gender: Male, Location: Romania, Interests: Networking, tennis and chess

Posted 28 October 2009 - 02:57 AM

> Hi,
>
> I don't clearly understand why this command is used.
> In the router I want to do NAT, so I write an ACL.
> If I use "ip access-list logging interval 6000", the packet matches the ACL and NAT is done on the packet.
> But if I don't use this command, the packet does not match the ACL.
> Can you explain the reason for this?
> Why do you use this command?

Could you make it clearer? This command only sets the interval at which the equipment will log ACL matches. This is useful for preventing DoS attacks from overwhelming the equipment. I don't think it has anything to do with NAT.

And it works only if you add the log keyword at the end of the ACL line.

#3 redscorpion69
Member, Members, 144 posts

Posted 28 October 2009 - 03:37 AM

> Hi,
>
> I don't clearly understand why this command is used.
> In the router I want to do NAT, so I write an ACL.
> If I use "ip access-list logging interval 6000", the packet matches the ACL and NAT is done on the packet.
> But if I don't use this command, the packet does not match the ACL.
> Can you explain the reason for this?
> Why do you use this command?

That command has nothing to do with NAT; use something like #debug ip nat detailed
to see NAT messages.

ip access-list logging interval <time in ms> is used to restrict the number of process-switched packets your router has to deal with when displaying log messages (because every log is process-switched).
So with that command you define the time between two process-switched packets: if you put 6000, it means one packet is process-switched every 6 seconds.

There's another handy command, ip access-list log-update threshold <# of hits>, which lets you define how many hits there have to be on your access list before the router will display a log message.
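As an added illustration of the two knobs redscorpion69 describes, here is a small Python model of how matches on an ACE carrying the log keyword get throttled. It is not code from the thread or from Cisco: the five-minute periodic summary, the message text (modelled on the IOS %SEC-6-IPACCESSLOGS line) and the assumption that a packet skipped by the interval timer is forwarded without being counted for logging are simplifications of IOS behaviour chosen for this example, and the traffic it replays is constructed.

```python
"""Model of Cisco IOS ACL 'log' throttling (illustrative, not IOS code).

Two knobs from the thread are modelled:
  * ip access-list logging interval <ms>    - at most one matching packet per
    interval is process-switched, and only process-switched packets are
    counted towards the log.
  * ip access-list log-update threshold <n> - a log update is produced once n
    matches have accumulated, instead of waiting for the periodic summary.
Assumption: matches that are not reported by the threshold are summarised
every 5 minutes (the IOS default period). Exact IOS internals may differ.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

SUMMARY_PERIOD_MS = 5 * 60 * 1000  # assumed default periodic log update


@dataclass
class AclLogThrottle:
    """Throttling state for one access-list entry carrying 'log'."""
    acl_name: str
    logging_interval_ms: int = 0                 # ip access-list logging interval (0 = off)
    log_update_threshold: Optional[int] = None   # ip access-list log-update threshold
    last_switched_ms: Optional[int] = None
    period_start_ms: Optional[int] = None
    pending: int = 0                             # matches counted but not yet reported
    messages: List[str] = field(default_factory=list)

    def match(self, now_ms: int, src: str) -> bool:
        """A packet matching the logged ACE arrives at now_ms.

        Returns True if it is process-switched (and so counted for logging),
        False if the interval timer keeps it on the fast path instead.
        """
        if (self.logging_interval_ms > 0
                and self.last_switched_ms is not None
                and now_ms - self.last_switched_ms < self.logging_interval_ms):
            return False  # still inside the interval: forwarded, not counted
        self.last_switched_ms = now_ms

        if self.period_start_ms is None:
            # The first match produces a message straight away.
            self.period_start_ms = now_ms
            self._emit(src, 1)
            return True

        self.pending += 1
        hit_threshold = (self.log_update_threshold is not None
                         and self.pending >= self.log_update_threshold)
        period_over = now_ms - self.period_start_ms >= SUMMARY_PERIOD_MS
        if hit_threshold or period_over:
            self._emit(src, self.pending)
            self.pending = 0
            self.period_start_ms = now_ms
        return True

    def _emit(self, src: str, count: int) -> None:
        # Wording modelled on the IOS %SEC-6-IPACCESSLOGS message; illustrative only.
        unit = "packet" if count == 1 else "packets"
        self.messages.append(
            f"%SEC-6-IPACCESSLOGS: list {self.acl_name} permitted {src} {count} {unit}")


def simulate(interval_ms: int, threshold: Optional[int],
             arrivals_ms: List[int], src: str = "192.168.50.1") -> Tuple[int, List[str]]:
    """Replay constructed arrival times (ms) through the throttle.

    Returns (number of packets process-switched, log messages produced).
    """
    throttle = AclLogThrottle("1", interval_ms, threshold)
    switched = sum(1 for ts in arrivals_ms if throttle.match(ts, src))
    return switched, throttle.messages


if __name__ == "__main__":
    # Constructed traffic: one matching packet per second for 13 seconds.
    arrivals = [s * 1000 for s in range(13)]
    # The thread's value, 6000 ms: only one packet per 6 s reaches the logging path.
    print(simulate(6000, None, arrivals))
    # No interval, threshold 5: a log update after every 5 counted matches.
    for line in simulate(0, 5, arrivals)[1]:
        print(line)
```

With the 6000 ms interval, only the packets at 0, 6 and 12 seconds are process-switched, which is the "one packet every 6 seconds" redscorpion69 describes; the rest are forwarded on the fast path and never reach the logging code. Setting the threshold instead changes when the accumulated count is reported, not how many packets are counted.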

#4 pirlo
Newbie, Members, 2 posts

Posted 28 October 2009 - 07:42 AM

> That command has nothing to do with NAT; use something like #debug ip nat detailed
> to see NAT messages.
>
> ip access-list logging interval <time in ms> is used to restrict the number of process-switched packets your router has to deal with when displaying log messages (because every log is process-switched).
> So with that command you define the time between two process-switched packets: if you put 6000, it means one packet is process-switched every 6 seconds.
>
> There's another handy command, ip access-list log-update threshold <# of hits>, which lets you define how many hits there have to be on your access list before the router will display a log message.

If I use "log" at the end of the ACL, for example
"access-list 1 permit 192.168.50.0 0.0.0.3 log"
an incoming packet is matched once by the ACL; after that, other incoming packets from the same network aren't matched by the same ACL. But if I don't use "log" at the end of the ACL, all packets are matched by the ACL. When I researched the reason, I found the command "ip access-list logging interval". If I use "log" at the end of the ACL and I also use the command "ip access-list logging interval", there isn't any problem. If I don't use the command "ip access-list logging interval", packets aren't matched by the ACL.

I don't understand the relation between the ACL log and process switching.

Thanks.
