[c-nsp] No ACL egress logging on 3550s (12.2(44)SE3)

Jon Lewis jlewis at lewis.org
Thu May 7 20:21:48 EDT 2009


On Thu, 7 May 2009, Seth Mattinen wrote:

>> Ingress logging works fine.  Egress logging is nonexistent.  Not just
>> dropping the occasional ones, but entirely nonexistent.  The egress
>> filtering (by the ACL) works, it just doesn't log.
>>
>> I have known for some time that ACL counters are borked on most
>> lower-end Catalysts, but I thought ACL logging worked.
>>
>> It doesn't appear to be a known bug, but then my searching abilities may
>> be lacking.
>>
>> Bug or feature?
>>
>
> Never personally expected it to work when it's not hitting the CPU.

I didn't think ACL logging worked in either direction on the 3550.  I ran 
across something even more disturbing recently.  A customer had an 
apparently compromised system found SSH scanning remote hosts.  I put a 
simple ACL on the customer's layer 3 port (i.e. no switchport, ip address 
...),
ip access-list extended f0/48-in-acl
  deny   tcp any any eq 22
  permit ip any any

int f0/48
  ip access-group f0/48-in-acl in

According to netflow (on our 6500s upstream of the 3550s) some SSH 
scanning traffic was still getting through...or remote hosts just happened 
to be sending this customer tcp traffic from their port 22 to random high 
ports.  This is under 12.1(22)EA10b.  I haven't gotten around to testing 
this further.

----------------------------------------------------------------------
  Jon Lewis                   |  I route
  Senior Network Engineer     |  therefore you are
  Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
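Added example, not from Jon's post or from Cisco IOS: a small first-match evaluator for the two-line ACL quoted above, run over constructed flow records to show which direction of an SSH exchange the `eq 22` destination-port test catches. The `Flow`/`Ace` helpers, the RFC 5737 addresses and the flow records are all assumptions.

```python
from dataclasses import dataclass
from typing import Optional, List, Tuple

@dataclass(frozen=True)
class Flow:
    # One unidirectional flow record, as an upstream netflow exporter would report it
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

@dataclass(frozen=True)
class Ace:
    action: str           # "deny" or "permit"
    proto: str            # "tcp", "udp" or "ip" (ip matches any protocol)
    dport: Optional[int]  # "eq <port>" applied to the DESTINATION port, None = any

# The ACL from the post, as ordered ACEs; IOS evaluates top-down, first match wins,
# with an implicit deny at the end.
ACL = [
    Ace("deny", "tcp", 22),
    Ace("permit", "ip", None),
]

def matches(ace: Ace, flow: Flow) -> bool:
    if ace.proto != "ip" and ace.proto != flow.proto:
        return False
    if ace.dport is not None and ace.dport != flow.dport:
        return False
    return True

def evaluate(acl: List[Ace], flow: Flow) -> str:
    for ace in acl:
        if matches(ace, flow):
            return ace.action
    return "deny"  # implicit deny at the end of every IOS ACL

# Constructed sample flows (addresses from RFC 5737 documentation ranges)
FLOWS = [
    Flow("tcp", "192.0.2.10", 40001, "198.51.100.7", 22),    # customer -> remote port 22
    Flow("tcp", "198.51.100.7", 22, "192.0.2.10", 40001),    # remote port 22 -> customer high port
    Flow("udp", "192.0.2.10", 5000, "198.51.100.7", 22),     # not tcp, so the deny does not apply
]

def classify_all(acl: List[Ace] = ACL, flows: List[Flow] = FLOWS) -> List[Tuple[Flow, str]]:
    return [(f, evaluate(acl, f)) for f in flows]

if __name__ == "__main__":
    for flow, verdict in classify_all():
        print(f"{verdict:6} {flow.proto} {flow.src}:{flow.sport} -> {flow.dst}:{flow.dport}")
```

Only the first flow (destination port 22) hits the deny; a flow with source port 22 and a high destination port is permitted by this ACL regardless of the direction it is applied in, which is worth keeping in mind when reading upstream netflow for the same conversation.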

