[cisco-bba] ACLs on Virtual-Access templates

Euan Galloway euang+cisco-bba at lists.eusahues.co.uk
Sun Feb 1 11:24:03 EST 2009


On Sat, Jan 31, 2009 at 10:58:49PM -0600, Frank Bulk wrote:
> Just to add to that, is there a way that the Virtual-interface that's doing
> the spoofing can be identified?  The log entries for the ACL hits don't show
> anything but the spoofed IP, but I don't know which connection is doing it.

log-input instead of log on the deny line of access-list 125 which matches 
the spoofed traffic?

For uRPF hits you already included the show int output which includes the 
counter which increments on each drop.
Not checked how easily monitorable those are, but...
http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_urpf_mib.html
implies that at least some of the RPF information is exposed via SNMP in 
recentish code. (I wonder if those appear if you use no virtual-template snmp 
for scalability).

--
Euan Galloway


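An added example, not part of Euan's reply or the cisco-bba thread: a small Python parser run over constructed IOS ACL syslog lines, showing why log-input matters for the question above. Only a deny line configured with log-input records the input interface and source MAC in parentheses after the source address, which is what lets the offending Virtual-Access interface be identified; a plain log entry carries only the spoofed addresses. The log lines, addresses and interface names are constructed sample data.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not from the original thread). The first two
# come from a deny line configured with "log-input": the input interface and
# source MAC appear in parentheses after the source address. The third comes
# from plain "log", which records only the addresses.
SAMPLE_LOGS = [
    "%SEC-6-IPACCESSLOGP: list 125 denied tcp 203.0.113.9(4321) "
    "(Virtual-Access3 0011.2233.4455) -> 192.0.2.10(80), 1 packet",
    "%SEC-6-IPACCESSLOGDP: list 125 denied icmp 203.0.113.9 "
    "(Virtual-Access3 0011.2233.4455) -> 192.0.2.10 (8/0), 12 packets",
    "%SEC-6-IPACCESSLOGP: list 125 denied udp 203.0.113.9(53) "
    "-> 192.0.2.10(53), 1 packet",
]

LOG_RE = re.compile(
    r"list (?P<acl>\S+) denied (?P<proto>\S+) (?P<src>\d+\.\d+\.\d+\.\d+)"
    r"(?:\(\d+\))?"                                  # optional source port
    r"(?: \((?P<iface>\S+) (?P<mac>[0-9a-f.]+)\))?"  # present only with log-input
    r" -> (?P<dst>\d+\.\d+\.\d+\.\d+).*?, (?P<count>\d+) packets?"
)

def parse_acl_log(line):
    """Return a dict of fields from one IPACCESSLOG line, or None if it does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["count"] = int(rec["count"])
    return rec

def spoof_sources_by_interface(lines):
    """Map (input interface, spoofed source) -> packet count.
    Entries from a plain 'log' deny have no interface and land under None,
    which is exactly the gap that switching to 'log-input' closes."""
    totals = Counter()
    for line in lines:
        rec = parse_acl_log(line)
        if rec is None:
            continue
        totals[(rec["iface"], rec["src"])] += rec["count"]
    return totals

if __name__ == "__main__":
    for (iface, src), n in spoof_sources_by_interface(SAMPLE_LOGS).items():
        print(f"{iface or '<no log-input>'}: {src} -> {n} packets")
```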