There are two primary factors that contribute to the CPU load increase from ACL logging: process switching of packets that match log-enabled access control entries (ACEs) and the generation and transmission of log messages.
The log and log-input Access Control Entry Options:
The log and log-input options apply to an individual ACE and cause packets that match the ACE to be logged. The log-input option enables logging of the ingress interface and source MAC address in addition to the packet's source and destination IP addresses and ports.
The first packet logged via the log or log-input options will generate a syslog message. There are two scenarios in which subsequent log messages will not be sent immediately. If the log-enabled ACE matches another packet with identical characteristics to the packet that generated a log message, the number of packets matched is incremented and then reported at five-minute intervals. Similarly, if any log-enabled ACE in any ACL on any interface matches a packet within one second of the initial log message, the match or matches are counted for five minutes and then reported. These periodic updates will contain the number of packets matched since the previous message.
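The message stream described above can be reassembled into per-flow totals: the first message for a flow reports one packet, and every later message for the same flow reports only the packets matched since the previous message, so summing the counts gives the total matched. The parser below is an added example and is not from the original page; the message layout follows the IOS %SEC-6-IPACCESSLOG* family as I know it, and the sample log lines are constructed.

```python
import re
from collections import defaultdict

# Assumed message shape (modelled on IOS %SEC-6-IPACCESSLOGP / IPACCESSLOGDP lines).
# Optional parts: (port) after each address, the "(interface mac)" pair that
# log-input adds after the source, and "(type/code)" after an ICMP destination.
ACL_LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG\w*: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>[\d.]+)(?:\((?P<sport>\d+)\))?"
    r"(?: \((?P<ifc>\S+) (?P<mac>[0-9a-f.]+)\))? -> "
    r"(?P<dst>[\d.]+)(?:\((?P<dport>\d+)\))?(?: \((?P<icmp>\d+/\d+)\))?, "
    r"(?P<count>\d+) packets?"
)

# Constructed sample: an initial message, its five-minute update, a log-input
# message carrying interface and MAC, and an ICMP message with type/code.
SAMPLE_LOG = """\
Mar  1 10:00:01.123: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.10(40000) -> 198.51.100.5(22), 1 packet
Mar  1 10:05:01.456: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.10(40000) -> 198.51.100.5(22), 37 packets
Mar  1 10:05:01.457: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.11(40001) (GigabitEthernet0/1 0011.2233.4455) -> 198.51.100.5(22), 4 packets
Mar  1 10:05:02.000: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 192.0.2.12 -> 198.51.100.5 (8/0), 12 packets
"""


def parse_acl_log(line):
    """Return the fields of one ACL log message as a dict, or None for other syslog lines."""
    m = ACL_LOG_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["count"] = int(fields["count"])
    return fields


def total_matches(lines):
    """Sum the reported packet counts per (ACL, action, proto, src, sport, dst, dport).

    Each message carries only the packets seen since the previous message for that
    flow, so the running sum is the total number of packets the ACE matched.
    """
    totals = defaultdict(int)
    for line in lines:
        f = parse_acl_log(line)
        if f is None:
            continue
        key = (f["acl"], f["action"], f["proto"], f["src"], f["sport"], f["dst"], f["dport"])
        totals[key] += f["count"]
    return dict(totals)
```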
Configuring a Log Update Threshold:
The ip access-list log-update threshold threshold-in-msgs and ipv6 access-list log-update threshold threshold-in-msgs commands can be used to configure how often syslog messages are generated and sent after the initial packet match. These commands use a threshold described as a number of packets, not as a time interval. This is in contrast to the periodic updates, which are sent every five minutes. A user-configurable, time-based threshold does not presently exist.
Limiting ACL Logging-Induced Process Switching:
The ip access-list logging interval interval-in-ms command was released in IOS version 11.3. This command limits the effects of ACL logging-induced process switching by providing a rate limit for process-switched packets. The interval configured in the command allows only one packet per interval to be process switched no matter how many log-enabled ACEs exist. The interval applies globally, and the process switching limit affects all log-enabled ACEs in all ACLs on all interfaces. Packets that are not process switched will not be examined and will not be accounted for in logging. This functionality requires Cisco Express Forwarding to be enabled using the ip cef global configuration command.
The ip access-list logging interval interval-in-ms command does not apply to logging-enabled IPv6 ACLs and there is no IPv6 equivalent. As a result, all packets matching log-enabled ACEs in IPv6 ACLs are process switched.
Administrators can determine the number of packets being process switched using the show interface switching EXEC command. Although log messages may not be comprehensive after enabling the ip access-list logging interval command, the counter values displayed using the show access-lists and show ip access-lists commands are updated properly regardless of the presence or configuration of the ip access-list logging interval command.
Rate Limiting Syslog Messages:
The logging rate-limit message-rate [except severity-level] command limits the CPU impact of log generation and transmission. This command applies to all syslog messages and is not exclusive to those created through ACL logging. Although this command does limit the number of packets that must be generated and sent by the network device, it does nothing to reduce the number of input packets that are process switched by the device CPU. For this reason, it is imperative that the ip access-list logging interval command be used in conjunction with the logging rate-limit command.
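The three controls above (the log-update threshold, the logging interval, and the syslog rate limit) are meant to be deployed together with a log-enabled ACE. The configuration below is an added example, not taken from the original page; the ACL name, addresses, interface and the chosen numeric values are assumed.

```cisco
! CEF must be enabled for "ip access-list logging interval" to take effect
ip cef
!
! Assumed ACL: permit the service, log everything else with interface and MAC
ip access-list extended EDGE-IN
 permit tcp any host 198.51.100.5 eq 443
 deny   ip any any log-input
!
! Send an update after every 100 matched packets instead of waiting
! for the five-minute periodic report (threshold is in packets, not time)
ip access-list log-update threshold 100
!
! Process switch at most one log-enabled packet per 1000 ms, globally,
! across all log-enabled ACEs on all interfaces (IPv4 only; no IPv6 equivalent)
ip access-list logging interval 1000
!
! Cap syslog generation at 10 messages per second; messages of severity 2
! (critical) and more severe are exempt from the limit
logging rate-limit 10 except 2
!
interface GigabitEthernet0/1
 ip access-group EDGE-IN in
!
! Verification (EXEC): "show ip access-lists EDGE-IN" still shows accurate
! match counters; "show interface GigabitEthernet0/1 switching" shows how
! many packets are being process switched.
```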
Optimized ACL Logging:
The Catalyst 6500 series switches and Cisco 7600 series routers include hardware support for ACL logging. This feature, known as optimized ACL logging (OAL), was added to Cisco IOS Software version 12.2(17d)SXB and is available on devices that include the Policy Feature Card 3 (PFC3). It should be noted that OAL applies only to unicast IPv4 packets. All other packet types will be logged in software on the Multilayer Switch Feature Card (MSFC). To allow OAL to function properly, the mls rate-limit unicast ip icmp unreachable acl-drop 0 global configuration command must be entered.
Understanding OAL:
Optimized ACL Logging (OAL) provides hardware support for ACL logging. Unless you configure OAL, packets that require logging are processed completely in software on the MSFC. OAL permits or drops packets in hardware on the PFC3 and uses an optimized routine to send information to the MSFC3 to generate the logging messages.
OAL Guidelines and Restrictions:
The following guidelines and restrictions apply to OAL:
OAL and VACL capture are incompatible. Do not configure both features on the switch. With OAL configured, use SPAN to capture traffic.
OAL is supported only on the PFC3.
OAL supports only IPv4 unicast packets.
OAL supports VACL logging of permitted ingress traffic.
OAL does not provide hardware support for the following:
Reflexive ACLs
ACLs used to filter traffic for other features (for example, QoS)
ACLs for unicast reverse path forwarding (uRPF) check exceptions
Exception packets (for example, TTL failure and MTU failure)
Packets with IP options
Packets addressed at Layer 3 to the router
Packets sent to the MSFC3 to generate ICMP unreachable messages
Packets being processed by features not accelerated in hardware
To provide OAL support for denied packets, enter the mls rate-limit unicast ip icmp unreachable acl-drop 0 command.