[nsp] Cat3750G, IP ACL filtering
Gert Doering
gert at greenie.muc.de
Sat Mar 6 06:31:33 EST 2004
Hi,
On Sat, Mar 06, 2004 at 12:15:11PM +0100, sthaug at nethelp.no wrote:
> > To stop the scanning while still letting the machine fulfill its
> > normal service, I try to setup an ACL, denying tcp/445.
> >
> > interface GigabitEthernet1/0/6
> > no switchport
> > ip address 195.30.xx.xx 255.255.255.248
> > ip access-group 150 in
> > ip verify unicast reverse-path
> > ip route-cache flow
> > mdix auto
> > end
> >
> > access-list 150 deny tcp host 195.30.xx.yy any eq 135
> > access-list 150 deny udp host 195.30.xx.yy any range netbios-ns netbios-dgm
> > access-list 150 permit tcp any any established
> > access-list 150 permit ip any any log
>
> You haven't shown any tcp/445 included in this ACL. Mistake?
Actually the ACLs are a bit out of sync - this ACL was put in place
before I knew that it was tcp/445, I assumed "bug of the week" was
tcp/135.
But it demonstrates the issue nonetheless: no matches at all on all lines
besides "netbios-ns", while it should at least match the "permit ip any any"
line (and *tell* me what sort of packets we have).
[..]
> > M15-Switch6#sh access-list 150
> > Extended IP access list 150
> > deny tcp host 195.30.xx.yy any eq 135
> > deny udp host 195.30.xx.yy any range netbios-ns netbios-dgm (1969 matches)
> > permit tcp any any established
> > permit ip any any log
> >
> > (those are all local windows broadcasts)
>
> The experience from 3550 is that ACL counters do *not* work. You need
> to check the actual traffic (with a sniffer, a software router where
> counters *do* work, or similar) to see if the ACL is blocking what you
> want it to block.
Ok.
*Reworking the ACL*
Amazing (and thanks for the hint - I owe you a beer):
M15-Switch6#sh access-list 150
Extended IP access list 150
deny tcp host 195.30.xx.yy any eq 135
deny tcp host 195.30.xx.yy any eq 445 (672 matches)
deny udp host 195.30.xx.yy any range netbios-ns netbios-dgm
permit tcp any any established
permit ip any any
the *deny* entries actually work, and *do* count the packets.
With "deny tcp host ... any eq 445 log", I can even see the denied
packets in detail.
While that's a bit more intrusive than I'd like it to be (we prefer to
start looking for scans with "permit ip any any log"), it will do the job.
> > ... and the flow cache is also not populated at all ("show ip cache flow"
> > yields *no* output).
> I don't believe 3750 (or 3550) will do this.
Bah. "No way to figure out non-intrusively what sort of packets are
coming in from a given port" (except going via SPAN, but that's not
so easy if you have multiple switches and not all of them support RSPAN).
Again, thanks a lot for your quick help,
gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de
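Two points in the exchange above lend themselves to a small tool: sthaug's observation that the ACL never contained a tcp/445 entry at all, and the finding that on the 3550/3750 only the deny lines count reliably. The following is an added example, not code from the thread or from Cisco; it parses "show access-list" output as printed above (only the "host"/"any" address forms and the service names that appear in the thread; the wildcard-mask form and other IOS port names are assumptions not handled here), checks that every port the admin intends to block for the infected host actually has a deny line, and reports which lines have non-zero counters. Both ACL listings are constructed from the ones quoted in the thread, with the same masked address.

```python
import re

# Service names IOS prints in place of port numbers (only those from the thread;
# other IOS names would need to be added, this is an assumption of the example).
IOS_PORT_NAMES = {"netbios-ns": 137, "netbios-dgm": 138, "netbios-ss": 139}

# One access-list entry (ACE) as shown by "show access-list": action, protocol,
# source, destination, optional port spec, optional flags, optional match counter.
ACE_RE = re.compile(
    r"^\s*(?P<action>permit|deny)\s+(?P<proto>\w+)\s+"
    r"(?P<src>host\s+\S+|any)\s+(?P<dst>host\s+\S+|any)"
    r"(?:\s+eq\s+(?P<eq>\S+)|\s+range\s+(?P<lo>\S+)\s+(?P<hi>\S+))?"
    r"(?P<flags>(?:\s+(?:established|log))*)"
    r"(?:\s+\((?P<matches>\d+)\s+matches?\))?\s*$"
)


def port_number(token):
    """Turn '445' or 'netbios-ns' into an integer port."""
    return int(token) if token.isdigit() else IOS_PORT_NAMES[token]


def parse_acl(text):
    """Parse 'show access-list' output into a list of ACE dictionaries.

    Lines that are not ACEs (prompt, 'Extended IP access list 150' header) are skipped.
    """
    entries = []
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if not m:
            continue
        if m.group("eq"):
            p = port_number(m.group("eq"))
            ports = (p, p)
        elif m.group("lo"):
            ports = (port_number(m.group("lo")), port_number(m.group("hi")))
        else:
            ports = None  # no port qualifier: applies to every port of the protocol
        entries.append({
            "action": m.group("action"),
            "proto": m.group("proto"),
            "src": m.group("src").split()[-1],   # 'host X' -> 'X', 'any' -> 'any'
            "dst": m.group("dst").split()[-1],
            "ports": ports,
            "flags": set(m.group("flags").split()),
            "matches": int(m.group("matches") or 0),
        })
    return entries


def is_denied(entries, host, proto, port):
    """True if some deny ACE covers traffic from host to any destination on proto/port."""
    for e in entries:
        if e["action"] != "deny" or e["src"] != host or e["dst"] != "any":
            continue
        if e["proto"] not in ("ip", proto):
            continue
        if e["ports"] is None:
            return True  # 'deny ip host X any' or 'deny tcp host X any' blocks all ports
        lo, hi = e["ports"]
        if lo <= port <= hi:
            return True
    return False


def missing_blocks(entries, host, required):
    """Sorted list of (proto, port) pairs from `required` that no deny line covers."""
    return sorted(p for p in required if not is_denied(entries, host, *p))


def matched_entries(entries):
    """ACEs whose hardware counter is non-zero.

    Per the thread, on the 3550/3750 only deny counters are trustworthy, so a
    zero on a permit line says nothing about whether traffic hit it.
    """
    return [e for e in entries if e["matches"] > 0]


# Constructed from the two listings quoted in the thread.
ACL_BEFORE = """M15-Switch6#sh access-list 150
Extended IP access list 150
    deny tcp host 195.30.xx.yy any eq 135
    deny udp host 195.30.xx.yy any range netbios-ns netbios-dgm (1969 matches)
    permit tcp any any established
    permit ip any any log
"""
ACL_AFTER = """M15-Switch6#sh access-list 150
Extended IP access list 150
    deny tcp host 195.30.xx.yy any eq 135
    deny tcp host 195.30.xx.yy any eq 445 (672 matches)
    deny udp host 195.30.xx.yy any range netbios-ns netbios-dgm
    permit tcp any any established
    permit ip any any
"""
INFECTED_HOST = "195.30.xx.yy"
# Ports the admin wants blocked outbound from the host: RPC, SMB, NetBIOS name/datagram.
REQUIRED_BLOCKS = {("tcp", 135), ("tcp", 445), ("udp", 137), ("udp", 138)}

if __name__ == "__main__":
    for label, text in (("before", ACL_BEFORE), ("after", ACL_AFTER)):
        acl = parse_acl(text)
        print(label, "missing deny lines:", missing_blocks(acl, INFECTED_HOST, REQUIRED_BLOCKS))
        for e in matched_entries(acl):
            print(label, "counted:", e["action"], e["proto"], e["ports"], e["matches"], "matches")
```

Run against the first listing it reports ("tcp", 445) as unblocked, which is exactly the gap sthaug spotted; against the reworked listing it reports nothing missing and shows the tcp/445 deny line as the one carrying 672 matches.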