"Norris, Wayne" <[EMAIL PROTECTED]> wrote:
> If you add the 'log' statement at the end of each line of your ACL, you can
> measure hits against it. This will enable you to fairly accurately place
> each rule, e.g.
> access-list 101 permit ip 1.1.0.0 0.0.255.255 any log
> access-list 101 permit ip 2.2.0.0 0.0.255.255 any log

I believe the "sh ip acce" command works whether or not the "log"
parameter is specified. This could be important if the router is CPU
bound ("sh proc c") as logging takes a fair amount of CPU.

Speaking of CPU, does anyone have a recommendation for a Cisco that is
capable of routing 30mbps-out and 15mbps-in? I have a 2621 at a site
doing streaming video; however, the CPU becomes pegged and packets are
dropped at anything over ~35mbps (aggregate). This seems odd for a
router with 2 100base-T ports.

The internal 100base-T port is connected to a 2900 switch and the
external to another (unknown) switch. There is one route (default), 21
out-filters on the internal interface, and 7 in-filters on the external
interface. Nothing unusual in the setup; however, the CPU is often
pegged at just 20/255 tx/rxload (per "sh inter"). Cisco engineering
maintains that the router should be able to handle the load but it
can't. The only recommendation they were able to make is to upgrade to
a 3000 or 4000 series.

It seems odd that a Nokia running FW-1 has been tested at 98mbps while
a 2621 running IOS can't do 1/3rd that.

--
Roger Marquis
Roble Systems Consulting
http://www.roble.com/

> > When using a router (Cisco 7500 series) as a Packet Filtering firewall,
> > what is the best way to measure actual throughput? With an ACL that is
> > huge, (over 7 pages when printed out) is there any measurable degradation
> > of service? I have been told that there are some tools which can perform
> > offline assessments with regard to the efficiency of placement of the rule
> > statements, but unfortunately have not been able to locate said resource.
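
An offline placement check built on the per-entry match counters discussed in this thread, as an added example that is not part of the original posts: it parses "sh ip acce" style output and moves busy entries up only within runs of consecutive entries that share the same action, which cannot change any first-match decision. The sample output and its counters are constructed, and the function names are hypothetical.

```python
import re
from itertools import groupby

# Constructed sample of "sh ip acce" output; the counters are invented.
SAMPLE = """\
Extended IP access list 101
    permit ip 1.1.0.0 0.0.255.255 any log (120 matches)
    permit ip 2.2.0.0 0.0.255.255 any log (98541 matches)
    permit tcp any host 3.3.3.3 eq www
    deny ip 4.4.0.0 0.0.255.255 any (7 matches)
    deny ip 5.5.0.0 0.0.255.255 any (4410 matches)
    permit ip any any (15 matches)
"""

# Optional sequence number, the entry text, optional "(N matches)" counter.
ENTRY = re.compile(
    r"^\s+(?:\d+\s+)?((permit|deny)\s.+?)(?:\s+\((\d+) match(?:es)?\))?\s*$")

def parse_acl(text):
    """Return [(action, entry_text, hits)] in configured order."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:  # header lines do not match; entries with no counter get 0 hits
            entries.append((m.group(2), m.group(1), int(m.group(3) or 0)))
    return entries

def reorder_safely(entries):
    """Sort by hits inside each run of consecutive same-action entries.

    Swapping two adjacent entries with the same action never changes the
    verdict for any packet, so permit/deny boundaries are left in place.
    """
    out = []
    for _, run in groupby(entries, key=lambda e: e[0]):
        out.extend(sorted(run, key=lambda e: -e[2]))  # stable for ties
    return out

def weighted_checks(entries):
    """Total entries evaluated for the counted packets (position * hits)."""
    return sum(pos * hits for pos, (_, _, hits) in enumerate(entries, 1))

if __name__ == "__main__":
    before = parse_acl(SAMPLE)
    after = reorder_safely(before)
    print("entry evaluations before/after:",
          weighted_checks(before), weighted_checks(after))
    for action, text, hits in after:
        print(f"access-list 101 {text}   ! {hits} matches")
```

Counters reflect only the traffic seen since they were last cleared, so collect them over a representative period before changing the order.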