[nsp] Cat3750G, IP ACL filtering

sthaug at nethelp.no
Sat Mar 6 06:15:11 EST 2004


> To stop the scanning while still letting the machine fulfill its
> normal service, I try to setup an ACL, denying tcp/445.
> 
> interface GigabitEthernet1/0/6
>  no switchport
>  ip address 195.30.xx.xx 255.255.255.248
>  ip access-group 150 in
>  ip verify unicast reverse-path
>  ip route-cache flow
>  mdix auto
> end
> 
> access-list 150 deny   tcp host 195.30.xx.yy any eq 135
> access-list 150 deny   udp host 195.30.xx.yy any range netbios-ns netbios-dgm
> access-list 150 permit tcp any any established
> access-list 150 permit ip any any log

You haven't shown any tcp/445 included in this ACL. Mistake?

> I can see lots of traffic on the interface:
> 
>      99096 packets input, 6773292 bytes, 0 no buffer
> 
> ... but few-if-any hits on the ACL...
> 
> M15-Switch6#sh access-list 150
> Extended IP access list 150
>     deny tcp host 195.30.xx.yy any eq 135
>     deny udp host 195.30.xx.yy any range netbios-ns netbios-dgm (1969 matches)
>     permit tcp any any established
>     permit ip any any log
> 
> (those are all local windows broadcasts)

The experience from 3550 is that ACL counters do *not* work. You need
to check the actual traffic (with a sniffer, a software router where
counters *do* work, or similar) to see if the ACL is blocking what you
want it to block.

> ... and the flow cache is also not populated at all ("show ip cache flow"
> yields *no* output).

I don't believe 3750 (or 3550) will do this.

Steinar Haug, Nethelp consulting, sthaug at nethelp.no
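The point of the reply above is that the quoted ACL never mentions tcp/445, so a scan on that port falls through to the final `permit ip any any log`, and that on the 3550/3750 the match counters cannot be trusted to reveal this. The following is an added example, not code from the thread or from Cisco: a small first-match evaluator for the subset of IOS `access-list` syntax the post uses, run over constructed packets. The addresses (192.0.2.10 as the scanning host, 198.51.100.0/24 and 203.0.113.5 as peers) are constructed placeholders standing in for the masked `195.30.xx.yy` values in the post; the "hardened" variant simply adds the tcp/445 entry the reply says is missing. Walking the list offline like this is one way to confirm what an ACL will actually do when the platform's counters do not show you.

```python
"""First-match evaluation of a Cisco-style extended ACL (added example)."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

# IOS port keywords used in the quoted ACL.
PORT_NAMES = {"netbios-ns": 137, "netbios-dgm": 138, "netbios-ss": 139}


def _port(tok: str) -> int:
    return PORT_NAMES.get(tok) or int(tok)


@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp" or "udp"
    src: str
    dst: str
    dport: int
    established: bool = False  # TCP segment with ACK or RST set (IOS 'established')


@dataclass
class Ace:
    action: str
    proto: str                       # "tcp", "udp" or "ip"
    src: Optional[IPv4Network]       # None means 'any'
    dst: Optional[IPv4Network]
    ports: Optional[Tuple[int, int]] # destination port range, None means any
    established: bool
    log: bool
    text: str                        # original line, reported on match

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.src is not None and ip_address(p.src) not in self.src:
            return False
        if self.dst is not None and ip_address(p.dst) not in self.dst:
            return False
        if self.ports and not (self.ports[0] <= p.dport <= self.ports[1]):
            return False
        if self.established and not p.established:
            return False
        return True


def _addr(tokens: List[str]) -> Optional[IPv4Network]:
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' from the token list."""
    tok = tokens.pop(0)
    if tok == "any":
        return None
    if tok == "host":
        return ip_network(tokens.pop(0) + "/32")
    wildcard = tokens.pop(0)  # contiguous wildcard masks only
    prefix = 32 - bin(int(ip_address(wildcard))).count("1")
    return ip_network(f"{tok}/{prefix}", strict=False)


def parse_acl(config: str) -> List[Ace]:
    aces = []
    for line in config.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 5 or tokens[0] != "access-list":
            continue
        action, proto, rest = tokens[2], tokens[3], tokens[4:]
        src = _addr(rest)   # the quoted ACL carries no source-port qualifier
        dst = _addr(rest)
        ports, established, log = None, False, False
        while rest:
            tok = rest.pop(0)
            if tok == "eq":
                p = _port(rest.pop(0))
                ports = (p, p)
            elif tok == "range":
                ports = (_port(rest.pop(0)), _port(rest.pop(0)))
            elif tok == "established":
                established = True
            elif tok == "log":
                log = True
        aces.append(Ace(action, proto, src, dst, ports, established, log, line.strip()))
    return aces


def evaluate(aces: List[Ace], pkt: Packet) -> Tuple[str, str]:
    """First matching entry wins; IOS ends every ACL with an implicit deny."""
    for ace in aces:
        if ace.matches(pkt):
            return ace.action, ace.text
    return "deny", "implicit deny ip any any"


# The ACL as quoted in the thread, with a constructed host address.
QUOTED_ACL = """
access-list 150 deny   tcp host 192.0.2.10 any eq 135
access-list 150 deny   udp host 192.0.2.10 any range netbios-ns netbios-dgm
access-list 150 permit tcp any any established
access-list 150 permit ip any any log
"""

# Same list with the tcp/445 entry the reply notes is absent.
HARDENED_ACL = """
access-list 150 deny   tcp host 192.0.2.10 any eq 135
access-list 150 deny   tcp host 192.0.2.10 any eq 445
access-list 150 deny   udp host 192.0.2.10 any range netbios-ns netbios-dgm
access-list 150 permit tcp any any established
access-list 150 permit ip any any log
"""

# Constructed sample traffic from the host behind the interface.
SCAN_445 = Packet("tcp", "192.0.2.10", "198.51.100.7", 445)    # SYN to tcp/445
SCAN_135 = Packet("tcp", "192.0.2.10", "198.51.100.7", 135)    # SYN to tcp/135
NETBIOS = Packet("udp", "192.0.2.10", "198.51.100.255", 138)   # netbios-dgm broadcast
RETURN = Packet("tcp", "192.0.2.10", "203.0.113.5", 51000, established=True)  # server reply

if __name__ == "__main__":
    for name, cfg in (("quoted", QUOTED_ACL), ("hardened", HARDENED_ACL)):
        aces = parse_acl(cfg)
        for pkt in (SCAN_445, SCAN_135, NETBIOS, RETURN):
            action, hit = evaluate(aces, pkt)
            print(f"{name:8} {pkt.proto}/{pkt.dport:<5} -> {action:6} via: {hit}")
```

Running it shows the tcp/445 SYN permitted by the quoted list through `permit ip any any log` and denied only once the extra entry is present, while the netbios-dgm traffic (the one entry that did show matches in the post) and the `established` return traffic behave the same under both lists.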


More information about the cisco-nsp mailing list