[nsp] Cat3750G, IP ACL filtering
sthaug at nethelp.no
Sat Mar 6 06:15:11 EST 2004
> To stop the scanning while still letting the machine fulfill its
> normal service, I try to set up an ACL, denying tcp/445.
>
> interface GigabitEthernet1/0/6
>  no switchport
>  ip address 195.30.xx.xx 255.255.255.248
>  ip access-group 150 in
>  ip verify unicast reverse-path
>  ip route-cache flow
>  mdix auto
> end
>
> access-list 150 deny tcp host 195.30.xx.yy any eq 135
> access-list 150 deny udp host 195.30.xx.yy any range netbios-ns netbios-dgm
> access-list 150 permit tcp any any established
> access-list 150 permit ip any any log
You haven't shown any tcp/445 included in this ACL. Mistake?
> I can see lots of traffic on the interface:
>
> 99096 packets input, 6773292 bytes, 0 no buffer
>
> ... but few-if-any hits on the ACL...
>
> M15-Switch6#sh access-list 150
> Extended IP access list 150
>     deny tcp host 195.30.xx.yy any eq 135
>     deny udp host 195.30.xx.yy any range netbios-ns netbios-dgm (1969 matches)
>     permit tcp any any established
>     permit ip any any log
>
> (those are all local windows broadcasts)
The experience from 3550 is that ACL counters do *not* work. You need
to check the actual traffic (with a sniffer, a software router where
counters *do* work, or similar) to see if the ACL is blocking what you
want it to block.
> ... and the flow cache is also not populated at all ("show ip cache flow"
> yields *no* output).
I don't believe 3750 (or 3550) will do this.
Steinar Haug, Nethelp consulting, sthaug at nethelp.no
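Since the thread turns on what the quoted ACL does and does not match (no tcp/445 entry, and counters that cannot be trusted on this platform), here is a small evaluator that walks a packet through the ACL's entries the way IOS does: first match wins, implicit deny at the end, and `established` only matching TCP segments with ACK or RST set. This is an added example, not code from the thread or from Cisco; it supports only the syntax the quoted ACL uses, and the addresses are constructed from the RFC 5737 test ranges because the thread's 195.30.xx.yy values are masked.

```python
"""Evaluate Cisco IOS extended ACL lines against sample packets (added example).

Supported syntax is limited to what the quoted ACL uses:
  [access-list N] <permit|deny> <ip|tcp|udp> <host A.B.C.D|any> <host A.B.C.D|any>
      [eq PORT | range LO HI] [established] [log]
Addresses are constructed (RFC 5737 test ranges), not the thread's masked ones.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# IOS accepts these keywords in place of numeric ports.
PORT_NAMES = {"netbios-ns": 137, "netbios-dgm": 138, "netbios-ss": 139}


def parse_port(tok: str) -> int:
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


@dataclass
class Entry:
    action: str                        # "permit" or "deny"
    proto: str                         # "ip", "tcp" or "udp"
    src: Optional[str]                 # None means "any"
    dst: Optional[str]                 # None means "any"
    dports: Optional[Tuple[int, int]]  # inclusive destination-port range, or None
    established: bool                  # match only TCP segments with ACK or RST set
    log: bool


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: int = 0
    ack_or_rst: bool = False           # True for a segment of an existing TCP session


def parse_entry(line: str) -> Entry:
    toks = line.split()
    if toks[0] == "access-list":       # "access-list 150 ..." form from the config
        toks = toks[2:]
    action, proto = toks[0], toks[1]
    pos = 2

    def address() -> Optional[str]:
        nonlocal pos
        if toks[pos] == "any":
            pos += 1
            return None
        if toks[pos] == "host":
            pos += 2
            return toks[pos - 1]
        raise ValueError(f"unsupported address form: {toks[pos]}")

    src, dst = address(), address()
    dports, established, log = None, False, False
    while pos < len(toks):
        tok = toks[pos]
        if tok == "eq":
            port = parse_port(toks[pos + 1])
            dports, pos = (port, port), pos + 2
        elif tok == "range":
            dports = (parse_port(toks[pos + 1]), parse_port(toks[pos + 2]))
            pos += 3
        elif tok == "established":
            established, pos = True, pos + 1
        elif tok == "log":
            log, pos = True, pos + 1
        else:
            raise ValueError(f"unsupported keyword: {tok}")
    return Entry(action, proto, src, dst, dports, established, log)


def matches(e: Entry, p: Packet) -> bool:
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if e.src is not None and e.src != p.src:
        return False
    if e.dst is not None and e.dst != p.dst:
        return False
    if e.dports is not None and not (e.dports[0] <= p.dport <= e.dports[1]):
        return False
    if e.established and not (p.proto == "tcp" and p.ack_or_rst):
        return False
    return True


def evaluate(acl: List[Entry], p: Packet) -> Tuple[str, Optional[int]]:
    """First matching entry wins; index None means the implicit deny at the end."""
    for idx, e in enumerate(acl):
        if matches(e, p):
            return e.action, idx
    return "deny", None


# The ACL from the thread, with the masked host replaced by a constructed address.
SERVER = "198.51.100.2"
ACL_150 = [parse_entry(line) for line in [
    f"access-list 150 deny tcp host {SERVER} any eq 135",
    f"access-list 150 deny udp host {SERVER} any range netbios-ns netbios-dgm",
    "access-list 150 permit tcp any any established",
    "access-list 150 permit ip any any log",
]]


def check_thread_cases() -> dict:
    """The packets that matter for the thread, tcp/445 from the scanning host first."""
    other = "203.0.113.9"
    return {
        "server_tcp445": evaluate(ACL_150, Packet("tcp", SERVER, other, 445)),
        "server_tcp135": evaluate(ACL_150, Packet("tcp", SERVER, other, 135)),
        "server_netbios_ns": evaluate(ACL_150, Packet("udp", SERVER, other, 137)),
        "server_tcp_established": evaluate(
            ACL_150, Packet("tcp", SERVER, other, 40000, ack_or_rst=True)),
    }


if __name__ == "__main__":
    for name, (action, idx) in check_thread_cases().items():
        print(f"{name:24s} -> {action} (entry {idx})")
```

Running it shows tcp/445 from the server falling through to the final `permit ip any any log` entry, which is the gap raised in the reply; only a deny entry placed before that permit would change the result. The evaluator is also a practical stand-in for the unreliable hardware counters: feed it flows captured with a sniffer and it reports which entry each one hits.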