[c-nsp] No ACL egress logging on 3550s (12.2(44)SE3)
Jon Lewis
jlewis at lewis.org
Thu May 7 20:21:48 EDT 2009
On Thu, 7 May 2009, Seth Mattinen wrote:
>> Ingress logging works fine. Egress logging is nonexistent. Not just
>> dropping the occasional ones, but entirely nonexistent. The egress
>> filtering (by the ACL) works, it just doesn't log.
>>
>> I have known for some time that ACL counters are borked on most
>> lower-end Catalysts, but I thought ACL logging worked.
>>
>> It doesn't appear to be a known bug, but then my searching abilities may
>> be lacking.
>>
>> Bug or feature?
>>
>
> Never personally expected it to work when it's not hitting the CPU.
I didn't think ACL logging worked in either direction on the 3550. I ran
across something even more disturbing recently. A customer had an
apparently compromised system that was found SSH scanning remote hosts. I put a
simple ACL on the customer's layer 3 port (i.e. no switchport, ip address
...),
ip access-list extended f0/48-in-acl
deny tcp any any eq 22
permit ip any any
int f0/48
ip access-group f0/48-in-acl in
According to netflow (on our 6500s upstream of the 3550s) some SSH
scanning traffic was still getting through...or remote hosts just happened
to be sending this customer tcp traffic from their port 22 to random high
ports. This is under 12.1(22)EA10b. I haven't gotten around to testing
this further.
----------------------------------------------------------------------
Jon Lewis | I route
Senior Network Engineer | therefore you are
Atlantic Net |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
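An added example, not code from Jon Lewis's post or from any Cisco tool: a small Python model of what the inbound ACL above should and should not catch, run over constructed flow records of the kind an upstream NetFlow export would show. It separates flows the ACL must have dropped (customer-sourced TCP to destination port 22) from return traffic that never traverses an inbound ACL on the customer port (remote source port 22 to a high port), which is the ambiguity the post raises. The customer prefix, the record format and all addresses are constructed assumptions.

```python
"""Model 'f0/48-in-acl' (deny tcp any any eq 22 / permit ip any any, applied
inbound on the customer port) against constructed flow records.

Everything here is illustrative: the customer prefix, the text record format
and the flows are made up for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed assumption: the customer's block behind f0/48 (TEST-NET-1).
CUSTOMER_NET = ip_network("192.0.2.0/24")

LEAK = "leak"            # customer-sourced TCP to port 22: ACL should have denied it
PERMITTED = "permitted"  # customer-sourced, allowed by 'permit ip any any'
RETURN_22 = "return-from-22"  # remote port 22 -> customer high port, not inbound-filtered
TOWARD = "toward-customer"    # other traffic toward the customer, not inbound-filtered


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str  # "tcp" or "udp"


def parse_flow(line):
    """Parse a constructed record of the form 'SRC:SPORT -> DST:DPORT PROTO'."""
    left, rest = line.split("->")
    right, proto = rest.split()
    src, sport = left.strip().rsplit(":", 1)
    dst, dport = right.strip().rsplit(":", 1)
    return Flow(src, int(sport), dst, int(dport), proto.lower())


def acl_inbound_permits(flow):
    """Semantics of the ACL: 'deny tcp any any eq 22' matches the destination
    port of TCP entering the port; everything else hits 'permit ip any any'."""
    if flow.proto == "tcp" and flow.dport == 22:
        return False
    return True


def classify(flow):
    """Decide whether an upstream-observed flow contradicts the inbound ACL."""
    if ip_address(flow.src) in CUSTOMER_NET:
        # Only customer-sourced traffic enters f0/48 and is evaluated by the ACL.
        return PERMITTED if acl_inbound_permits(flow) else LEAK
    # Traffic toward the customer leaves f0/48; an 'in' ACL never sees it.
    if flow.proto == "tcp" and flow.sport == 22 and flow.dport > 1023:
        return RETURN_22
    return TOWARD


def summarize(lines):
    """Count classifications over a list of text flow records."""
    counts = {}
    for line in lines:
        label = classify(parse_flow(line))
        counts[label] = counts.get(label, 0) + 1
    return counts


# Constructed sample export: two outbound scans, one legitimate outbound web
# flow, one inbound SSH reply and one inbound UDP flow toward the customer.
SAMPLE_RECORDS = [
    "192.0.2.10:40001 -> 198.51.100.5:22 tcp",
    "192.0.2.10:40002 -> 198.51.100.6:22 tcp",
    "192.0.2.11:51000 -> 198.51.100.7:443 tcp",
    "198.51.100.8:22 -> 192.0.2.12:55000 tcp",
    "198.51.100.9:53 -> 192.0.2.13:33000 udp",
]

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_RECORDS).items():
        print(f"{key}: {value}")
```

Run against a real export, any record labelled `leak` means the ACL is not doing what its counters or missing log entries would suggest, while `return-from-22` records are the innocent explanation the post mentions and should not be counted as evidence of continued scanning.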