Optimized Acl Logging With A Pfc; Understanding Oal; Oal Guidelines And Restrictions - Cisco 7604 Configuration Manual

Chapter 34 Understanding Cisco IOS ACL Support

Optimized ACL Logging with a PFC3

Supervisor Engine 2 does not support optimized ACL logging (OAL).
Note
Release 12.2(17d)SXB and later releases support OAL with a PFC3. These sections describe OAL:
•
•
•

Understanding OAL

Optimized ACL Logging (OAL) provides hardware support for ACL logging. Unless you configure
OAL, packets that require logging are processed completely in software on the MSFC. OAL permits or
drops packets in hardware on the PFC3 and uses an optimized routine to send information to the MSFC3
to generate the logging messages.

OAL Guidelines and Restrictions

The following guidelines and restrictions apply to OAL:
•
•
•
•
•
•
•
•
OL-4266-08
Understanding OAL, page 34-5
OAL Guidelines and Restrictions, page 34-5
Configuring OAL, page 34-6
OAL and VACL capture are incompatible. Do not configure both features on the router. With OAL
configured, use SPAN to capture traffic.
OAL is supported only on the PFC3.
OAL supports only IPv4 unicast packets.
OAL supports VACL logging of permitted ingress traffic.
OAL does not support port ACLs (PACLs).
OAL does not provide hardware support for the following:
Reflexive ACLs
–
ACLs used to filter traffic for other features (for example, QoS)
–
ACLs for unicast reverse path forwarding (uRPF) check exceptions
–
Exception packets (for example, TTL failure and MTU failure)
–
Packets with IP options
–
– Packets addressed at Layer 3 to the router
Packets sent to the MSFC3 to generate ICMP unreachable messages
–
– Packets being processed by features not accelerated in hardware
To provide OAL support for denied packets, enter the mls rate-limit unicast ip icmp unreachable
acl-drop 0 command.
OAL and the mls verify ip length minimum command are incompatible. Do not configure both.
Cisco 7600 Series Router Cisco IOS Software Configuration Guide, Release 12.2SX
Optimized ACL Logging with a PFC3
34-5