[nsp] Cat3750G, IP ACL filtering
Lincoln Dale
ltd at cisco.com
Sun Mar 7 09:20:45 EST 2004
Hi Gert,
i don't work within any ethernet switching group (i could help you out no
end with Fibre Channel :) ), but can perhaps provide some helpful pointers
on what you're seeing.
moving forward, yes i believe that many IOS commands should become
"invalid" for the c3750, just as a similar thing has been done for the
c4500 where there are 'features' for software-based router/switch platforms
which aren't applicable for hardware-based switch platforms. (or: dropping
switching down to software from hardware isn't really what you'd want..).
regarding your configuration:
At 09:53 PM 6/03/2004, Gert Doering wrote:
>To stop the scanning while still letting the machine fulfill its
>normal service, I try to setup an ACL, denying tcp/445.
>
>interface GigabitEthernet1/0/6
> no switchport
> ip address 195.30.xx.xx 255.255.255.248
> ip access-group 150 in
> ip verify unicast reverse-path
> ip route-cache flow
i don't believe that "ip route-cache flow" will be valid for the catalyst 3750.
it is performing Layer 3 switching in hardware using CEF (RIB/FIB) in hardware.
i don't believe the architecture of the c3750 supports Netflow, with the
possible exception of catalyst 3750 models that support MPLS on the uplink
ports. (and even then i'm not familiar with the product range to say
whether /those/ do or not).
> mdix auto
>end
>
>access-list 150 deny tcp host 195.30.xx.yy any eq 135
i presume you actually meant "eq 145" here?
>access-list 150 deny udp host 195.30.xx.yy any range netbios-ns netbios-dgm
i don't know how efficient various ACL parsers are, but you may be better
off not using a 'range' keyword on an ACL.
this may or may not be a problem, but previous "best practice" i've used
has been to avoid 'range' on h/w based products.
>access-list 150 permit tcp any any established
>access-list 150 permit ip any any log
i'm sure you /really/ don't mean "log" on the end here.
i'm quite sure that "log" would be supported on a h/w-based platform -- and
if it is, it would be likely to kill the box, depending on traffic-rate.
>... but obviously the 3750G is another Cisco masterpiece: accept all the
>normal commands, but blissfully ignore them.
i'd suggest that you open a TAC case on that - and then there is a record
of the fact that a whole bunch of IOS commands are accepted -- but not
implemented (for good reason) -- but should never be accepted in the first
place.
>Anyway. There must be a way to filter "junk" packets on the 3750G as
>well. Any recommendations *how* to do this? Using QoS/MCQ classes?
normal ACLs should do the job just fine.
i'm guessing this is (was?) due to matching tcp/135 and not tcp/145.
cheers,
lincoln.
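The three review points above (a software-only command on a hardware-switched interface, the 'range' keyword, and 'log' on the final permit) plus the port mismatch can be checked mechanically before a config is pasted in. The following is an added example, not code from the thread or from Cisco; the `lint_config` function and `SAMPLE_CONFIG` are my own names, and the sample is the quoted config reconstructed with the masked octets left as written.

```python
import re

# Constructed sample: the interface and ACL lines quoted in the thread.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/6
 no switchport
 ip address 195.30.xx.xx 255.255.255.248
 ip access-group 150 in
 ip verify unicast reverse-path
 ip route-cache flow
 mdix auto
end
access-list 150 deny tcp host 195.30.xx.yy any eq 135
access-list 150 deny udp host 195.30.xx.yy any range netbios-ns netbios-dgm
access-list 150 permit tcp any any established
access-list 150 permit ip any any log
"""

def lint_config(text, intended_tcp_deny_ports=(445,)):
    """Return (config_line, reason) findings for an ACL meant for a hardware
    switch such as the 3750. intended_tcp_deny_ports is what the ACL was
    written to block, so a typo in the port number is caught too."""
    findings = []
    denied_tcp_ports = set()
    for raw in text.splitlines():
        line = raw.strip()
        if line == "ip route-cache flow":
            findings.append((line, "software-path feature; not applicable to "
                                   "hardware CEF switching on the 3750"))
        if not line.startswith("access-list"):
            continue
        toks = line.split()
        if "range" in toks:
            findings.append((line, "'range' keyword: avoid on hardware ACL platforms"))
        if toks[-1] == "log":
            findings.append((line, "'log' sends matches to the CPU; remove it"))
        m = re.search(r"\bdeny tcp\b.*\beq (\S+)$", line)
        if m:
            port = m.group(1)
            denied_tcp_ports.add(int(port) if port.isdigit() else port)
    for port in intended_tcp_deny_ports:
        if port not in denied_tcp_ports:
            findings.append((f"tcp/{port}", "no deny entry for the port this "
                                            "ACL was written to block"))
    return findings

if __name__ == "__main__":
    for line, reason in lint_config(SAMPLE_CONFIG):
        print(f"{line}\n    -> {reason}")
```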