[afnog] QoS setting verification

Brian Candler B.Candler at pobox.com
Fri Jul 21 16:49:08 EAT 2006


On Fri, Jul 21, 2006 at 02:44:16PM +0200, Antonio Godinho wrote:
> Unfortunately this network is at a remote location. The switch is not 
> manageable, so no option of port mirroring. What usually happens is that one 
> or other PC from time to time gets some malware or virus which generates 
> this type of traffic for which I have put ACL's on the router but it seems 
> that when this happens, the router somehow starts having problems with the 
> voice traffic when it has to reject all these packets on the ethernet 
> interface. If someone unplugs the ethernet cable then everything goes back 
> to normal but the serial link is never affected. I thought at first that the 
> voice traffic would never be affected by ethernet traffic since it "should" 
> go from the voice interface through the router directly onto the serial 
> interface

Ah, then I misunderstood: I thought the voice data was coming in through the
ethernet port.

It sounds to me like your router can't keep up with ACLs at wire speed. If
so, this is pretty poor. You could try optimising your ruleset, by putting
the most commonly-matching rules near the top. If there are 'log' entries
which are matching this traffic, you could try turning off 'log'. Depending
on your router manufacturer, model and configuration there might be other
things you can do to improve the ACL handling.

But otherwise, if your router simply isn't fast enough to run its ACLs, then
you're a bit stuck. You could try getting a good switch, and doing ACLs
there - or do the ACLs on a FreeBSD box. A little nanobsd/picobsd/MikroTik
type of solution would be fine. At least if that little box can't keep up,
no traffic will be hitting the Cisco.

This is still a bit of a theory until you can capture the traffic which is
causing the problem though - and you can be sure that the ACL is actually
matching the traffic.

Regards,

Brian.
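The ruleset-ordering advice above (put the most frequently matching rules near the top, since a first-match ACL tests every rule above the one that finally matches) can be made concrete with a small simulation. The following is an added example, not code from the thread or from any router vendor: a toy first-match packet filter with implicit deny, a constructed traffic mix in which one infected host floods TCP/445 while the deny rule for it sits low in the list, and a reorder step that moves hot rules up only when doing so cannot change a verdict. All rule names, addresses and packet counts are constructed for the illustration.

```python
"""Toy first-match ACL evaluator showing why rule order matters.

Added illustration, not from the mailing-list thread or any vendor code.
Rules, addresses and traffic counts below are constructed for the example.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                   # "permit" or "deny"
    proto: str                    # "tcp", "udp", "icmp" or "any"
    src: ipaddress.IPv4Network
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, pkt):
        return ((self.proto == "any" or self.proto == pkt["proto"])
                and pkt["src"] in self.src
                and (self.dport is None or self.dport == pkt["dport"]))


def evaluate(rules, pkt):
    """First-match semantics with implicit deny.

    Returns (action, number_of_rules_tested): the cost of a packet is the
    position of the rule that decides it, or the whole list if none does.
    """
    for position, rule in enumerate(rules, 1):
        if rule.matches(pkt):
            return rule.action, position
    return "deny", len(rules)


def total_tests(rules, packets):
    """Total rule comparisons the filter performs for a traffic sample."""
    return sum(evaluate(rules, p)[1] for p in packets)


def overlaps(a, b):
    """True if some packet could match both rules (static, conservative)."""
    protos = a.proto == "any" or b.proto == "any" or a.proto == b.proto
    ports = a.dport is None or b.dport is None or a.dport == b.dport
    return protos and ports and a.src.overlaps(b.src)


def reorder_by_hits(rules, packets):
    """Sort rules by observed hit count (stable), refusing unsafe moves.

    Raises ValueError if a rule would jump above an overlapping rule with a
    different action, because that would change the verdict for some traffic.
    """
    hits = Counter()
    for p in packets:
        for r in rules:
            if r.matches(p):
                hits[r.name] += 1
                break
    new = sorted(rules, key=lambda r: -hits[r.name])      # stable sort
    old_pos = {r.name: i for i, r in enumerate(rules)}
    new_pos = {r.name: i for i, r in enumerate(new)}
    for a in rules:
        for b in rules:
            if (old_pos[a.name] < old_pos[b.name] and new_pos[a.name] > new_pos[b.name]
                    and a.action != b.action and overlaps(a, b)):
                raise ValueError(f"moving {b.name} above {a.name} changes verdicts")
    return new


def reorder_is_safe(rules, packets):
    """Convenience wrapper: False when reorder_by_hits refuses the reorder."""
    try:
        reorder_by_hits(rules, packets)
        return True
    except ValueError:
        return False


def make_packets(proto, src, dport, count):
    return [{"proto": proto, "src": ipaddress.IPv4Address(src), "dport": dport}
            for _ in range(count)]


LAN = ipaddress.IPv4Network("10.0.0.0/24")   # constructed LAN

# Constructed ACL: the deny for worm-style traffic sits in 5th position.
SAMPLE_RULES = [
    Rule("permit-dns",  "permit", "udp",  LAN, 53),
    Rule("permit-http", "permit", "tcp",  LAN, 80),
    Rule("permit-https", "permit", "tcp", LAN, 443),
    Rule("permit-icmp", "permit", "icmp", LAN),
    Rule("deny-smb",    "deny",   "tcp",  LAN, 445),
    Rule("deny-rpc",    "deny",   "tcp",  LAN, 135),
    Rule("permit-rest", "permit", "any",  LAN),
]

# Constructed traffic: one infected host (10.0.0.17) dominates the mix.
SAMPLE_TRAFFIC = (make_packets("tcp", "10.0.0.17", 445, 900)
                  + make_packets("udp", "10.0.0.20", 53, 50)
                  + make_packets("tcp", "10.0.0.21", 80, 40)
                  + make_packets("tcp", "10.0.0.22", 443, 10))

# Constructed conflict: a per-host exception sits above a broader deny, so
# hit-count ordering would silently reverse the verdict for that host.
CONFLICT_RULES = [
    Rule("permit-host", "permit", "tcp", ipaddress.IPv4Network("10.0.0.5/32")),
    Rule("deny-smb",    "deny",   "tcp", LAN, 445),
]
CONFLICT_TRAFFIC = (make_packets("tcp", "10.0.0.17", 445, 900)
                    + make_packets("tcp", "10.0.0.5", 445, 10))


if __name__ == "__main__":
    before = total_tests(SAMPLE_RULES, SAMPLE_TRAFFIC)
    after = total_tests(reorder_by_hits(SAMPLE_RULES, SAMPLE_TRAFFIC), SAMPLE_TRAFFIC)
    print(f"rule tests before reorder: {before}, after: {after}")
    print(f"conflicting ruleset reorder is safe: {reorder_is_safe(CONFLICT_RULES, CONFLICT_TRAFFIC)}")
```

On the constructed sample the flood costs five comparisons per packet before the reorder and one after, a fourfold drop in total rule tests while every packet still gets the same verdict. The overlap check matters because hit counts alone say nothing about semantics: in the second ruleset the busy deny cannot be moved above the narrower permit without changing what that host is allowed to do, which is exactly the kind of mistake a hurried tidy-up of a production ACL produces.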


