[c-nsp] Logging Problem - Access Lists - GSR

Oliver Boehmer (oboehmer) oboehmer at cisco.com
Tue Jan 23 09:45:52 EST 2007



cisco-nsp-bounces at puck.nether.net <> wrote on Tuesday, January 23, 2007
3:01 PM:

> Hi there...
> 
> We brought up a GSR a little while back and I finally got around to putting
> some access-lists on BGP interfaces... little later than I should be.. but
> anyways...
> 
> I have the following:
> 
> core1-rtr-mb#sh access-lists 150
> Extended IP access list 150
>     deny ip xxx.xxx.xxx.0 0.0.31.255 any log-input (26 matches)
>     deny ip yyy.yyy.yyy.0 0.0.31.255 any log-input (8 matches)
>     permit ip any any (1038288538 matches)
> 
> 
> I wanted the log-input to tell me which interface it sees spoofed packets on
> but I get the following:
> 
> SLOT 7:Jan 23 06:18:02: %SEC-6-IPACCESSLOGP: list 150 denied udp
> 216.168.124.162(0) (FastEthernet5 ) -> 216.168.124.162(0), 1 packet
> SLOT 5:Jan 23 06:32:13: %SEC-6-IPACCESSLOGP: list 150 denied udp
> 66.79.239.237(0) (GigabitEthernet0 ) -> 66.79.239.237(0), 1 packet
> SLOT 5:Jan 23 07:01:22: %SEC-6-IPACCESSLOGP: list 150 denied udp
> 216.168.107.12(0) (GigabitEthernet0 ) -> 216.168.107.12(0), 1 packet
> SLOT 5:Jan 23 07:57:22: %SEC-6-IPACCESSLOGP: list 150 denied udp
> 216.168.107.12(0) (GigabitEthernet0 ) -> 216.168.107.12(0), 1 packet
> SLOT 5:Jan 23 08:08:08: %SEC-6-IPACCESSLOGP: list 150 denied udp
> 216.168.115.15(0) (GigabitEthernet0 ) -> 216.168.115.15(0), 1 packet
> SLOT 7:Jan 23 08:13:01: %SEC-6-IPACCESSLOGDP: list 150 denied icmp
> 66.79.234.100 (FastEthernet1 ) -> 66.79.234.100 (0/0), 1 packet
> 
> These are not valid interface names.. is this confirmation or a bug in IOS??

But you have FastEthernet7/1 and GigabitEthernet5/0 (for example) in
your chassis, I reckon?

The problem could be that the logging messages are issued by the LC CPU
(as shown via the "SLOT <n>" prefix), and the IOS on the LC CPU
apparently uses the locally significant interface name (without the slot
argument) in the logging output.. looks like a bug. 

	oli
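
Following the explanation in the reply above, an added example (not part of the original thread and not Cisco code) that parses these ACL log messages and rebuilds a chassis-wide interface name from the "SLOT <n>" prefix, so denied-packet hits can be counted per physical port. The `<type><slot>/<port>` mapping is an assumption taken from the reply's FastEthernet7/1 and GigabitEthernet5/0 examples; the function names are hypothetical.

```python
import re
from collections import Counter

# Lines quoted in the post above, with the mail client's line wrapping undone.
SAMPLE = [
    "SLOT 7:Jan 23 06:18:02: %SEC-6-IPACCESSLOGP: list 150 denied udp "
    "216.168.124.162(0) (FastEthernet5 ) -> 216.168.124.162(0), 1 packet",
    "SLOT 5:Jan 23 06:32:13: %SEC-6-IPACCESSLOGP: list 150 denied udp "
    "66.79.239.237(0) (GigabitEthernet0 ) -> 66.79.239.237(0), 1 packet",
    "SLOT 7:Jan 23 08:13:01: %SEC-6-IPACCESSLOGDP: list 150 denied icmp "
    "66.79.234.100 (FastEthernet1 ) -> 66.79.234.100 (0/0), 1 packet",
]

# Matches both the port-based (IPACCESSLOGP) and ICMP (IPACCESSLOGDP) forms.
# The "SLOT <n>:" prefix is optional so messages without it still parse.
LOG_RE = re.compile(
    r"^(?:SLOT (?P<slot>\d+):)?(?P<ts>.+?): %SEC-6-IPACCESSLOGD?P: "
    r"list (?P<acl>\S+) denied (?P<proto>\S+) "
    r"(?P<src>\d+(?:\.\d+){3})(?:\(\d+\))? "
    r"\((?P<iftype>[A-Za-z]+)(?P<port>[\d/]+)\s*\) -> "
)


def parse(line):
    """Return a dict for one log-input message, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    port, slot = rec["port"], rec["slot"]
    # Assumption from the reply: the line card logs a slot-local name, so
    # prepend the slot unless the name already carries one (contains "/").
    if slot is not None and "/" not in port:
        port = f"{slot}/{port}"
    rec["interface"] = rec["iftype"] + port
    return rec


def hits_per_interface(lines):
    """Count denied-packet log entries per (interface, ACL)."""
    parsed = (parse(line) for line in lines)
    return Counter((r["interface"], r["acl"]) for r in parsed if r)


if __name__ == "__main__":
    for (ifname, acl), n in sorted(hits_per_interface(SAMPLE).items()):
        print(f"{ifname:<22} list {acl}: {n} log entries")
```
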


