[c-nsp] No ACL egress logging on 3550s (12.2(44)SE3)

Matthew Huff mhuff at ox.com
Sun May 31 12:36:49 EDT 2009


Various types of switching optimization will prevent ACL logging. If you absolutely need to debug something, try putting "no ip route-cache" on the interface. This will reduce per-packet performance and increase CPU utilization, but it will cause the log and log-input to work correctly. Be very careful with this if the interface has high packet utilization.
----
Matthew Huff       | One Manhattanville Rd
OTA Management LLC | Purchase, NY 10577
http://www.ox.com  | Phone: 914-460-4039
aim: matthewbhuff  | Fax:   914-460-4139

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jon Lewis
Sent: Friday, May 29, 2009 9:54 AM
To: Seth Mattinen
Cc: cisco-nsp
Subject: Re: [c-nsp] No ACL egress logging on 3550s (12.2(44)SE3)

On Thu, 7 May 2009, Jon Lewis wrote:

> I didn't think ACL logging worked in either direction on the 3550.  I ran 
> across something even more disturbing recently.  A customer had an apparently 
> compromised system found SSH scanning remote hosts.  I put a simple ACL on 
> the customer's layer 3 port (i.e. no switchport, ip address ...),
> ip access-list extended f0/48-in-acl
> deny   tcp any any eq 22
> permit ip any any
>
> int f0/48
> ip access-group f0/48-in-acl in
>
> According to netflow (on our 6500s upstream of the 3550s) some SSH scanning 
> traffic was still getting through...or remote hosts just happened to be 
> sending this customer tcp traffic from their port 22 to random high ports. 
> This is under 12.1(22)EA10b.  I haven't gotten around to testing this 
> further.

After further investigation (port monitoring), I've determined that the 
customer server is not sending ssh scan traffic anymore, but for some 
reason, one host in Ukraine is continuing to send it packets that look 
like malformed responses to an ssh session.

So, I'm going to blame this on a misbehaving host in Ukraine and not on 
the 3550's ACL failing to drop packets.

----------------------------------------------------------------------
  Jon Lewis                   |  I route
  Senior Network Engineer     |  therefore you are
  Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
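The NetFlow reasoning in Jon's message, as an added example that is not part of either post: it models the inbound ACL on the customer's port against constructed flow records and separates outbound SSH probing from packets that merely arrive with a remote source port of 22 (which an inbound ACL never evaluates). CUSTOMER and the other addresses are assumed documentation-range values.

```python
from collections import defaultdict

CUSTOMER = "192.0.2.10"  # assumed customer server address (RFC 5737 documentation range)

# Constructed sample records in (src_ip, src_port, dst_ip, dst_port) form, standing in
# for what NetFlow on the upstream 6500 would export.
FLOWS = [
    (CUSTOMER, 51001, "198.51.100.5", 22),   # customer -> remote :22 (outbound SSH probe)
    (CUSTOMER, 51002, "198.51.100.6", 22),
    (CUSTOMER, 51003, "198.51.100.7", 22),
    ("203.0.113.9", 22, CUSTOMER, 40211),    # remote :22 -> customer high port
    ("203.0.113.9", 22, CUSTOMER, 40212),
    (CUSTOMER, 51004, "198.51.100.8", 80),   # unrelated web traffic
]

def naive_port22_filter(flows):
    """The tempting NetFlow query: anything with port 22 on either side."""
    return [f for f in flows if 22 in (f[1], f[3])]

def inbound_acl_denies(flow):
    """Model 'ip access-group f0/48-in-acl in' on the customer's L3 port: 'in' covers
    only packets the customer sends into the switch, and 'deny tcp any any eq 22'
    keys on the destination port."""
    src, _sport, _dst, dport = flow
    return src == CUSTOMER and dport == 22

def triage(flows):
    """Split flows by how the inbound ACL and the traffic direction explain them."""
    out = {"denied_by_acl": [], "remote_sport22_to_customer": [], "passed": []}
    for f in flows:
        src, sport, dst, _dport = f
        if inbound_acl_denies(f):
            out["denied_by_acl"].append(f)
        elif dst == CUSTOMER and sport == 22:
            out["remote_sport22_to_customer"].append(f)   # egress toward the customer
        else:
            out["passed"].append(f)
    return out

def scan_sources(flows, min_targets=3):
    """Sources that opened TCP/22 toward at least min_targets distinct hosts."""
    targets = defaultdict(set)
    for src, _sport, dst, dport in flows:
        if dport == 22:
            targets[src].add(dst)
    return {s for s, t in targets.items() if len(t) >= min_targets}
```

Running `triage` over the flows that actually reach the 6500 (everything except `denied_by_acl`) leaves only the remote-source-port-22 records, which is the situation Jon ended up attributing to the misbehaving remote host rather than to the ACL.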