[c-nsp] Logging Connections
miroku
bundaberg440ml at gmail.com
Thu Dec 15 06:35:24 EST 2011
Hi all,

We are experiencing a bit of he said she said between a number of
different clients/service providers. The situation is a remote site
(let's say 40.40.40.40) is experiencing connectivity issues to a couple
of hosts within our infrastructure (let's say 10.0.1.10 and
10.0.2.10). I believe that an upstream firewall is blocking certain
traffic from the host which is the cause of the problem, but the
firewall team claim otherwise. I would like to set up logging on our
infrastructure to see if we are receiving the packets. What's the
best way to do this, and would this have any impact on other hosts
within the SVI when the ACL is applied?

Our SVI is set up something like this (Active for HSRP) (it's a 6500):

interface Vlan10
 ip address 10.0.3.254 255.255.255.128 secondary
 ip address 10.0.2.126 255.255.255.224 secondary
 ip address 10.0.1.254 255.255.255.128
 no ip redirects
 standby 14 ip 10.0.1.129
 standby 14 ip 10.0.2.97 secondary
 standby 14 ip 10.0.3.129 secondary
 standby 14 priority 130
 standby 14 preempt delay minimum 60 sync 60
 standby 14 authentication <password>
end

I would like to implement an extended access-list for logging. Would
this work, and would it impact other hosts on the SVI when it is
applied, as currently there is no ACL on the SVI?

#
ip access-list extended 100
 permit ip host 40.40.40.40 host 10.0.1.10 log
 permit ip host 40.40.40.40 host 10.0.2.10 log
 permit ip any any
int vlan 10
 ip access-group 100 out

Your comments would be greatly appreciated.
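
One way to check the resulting syslog for hits from the remote site, as an added example that is not part of the original post. It assumes the usual IOS `%SEC-6-IPACCESSLOG*` message layout; the sample lines, ports and function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample syslog lines (addresses from the post; timestamps,
# ports and counts are invented for the example).
SAMPLE_LOG = """\
Dec 15 06:40:01: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 40.40.40.40(51514) -> 10.0.1.10(443), 1 packet
Dec 15 06:40:03: %SEC-6-IPACCESSLOGDP: list 100 permitted icmp 40.40.40.40 -> 10.0.2.10 (8/0), 1 packet
Dec 15 06:45:01: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 40.40.40.40(51514) -> 10.0.1.10(443), 7 packets
Dec 15 06:45:09: %LINK-3-UPDOWN: Interface GigabitEthernet1/1, changed state to up
"""

# Ports are present for TCP/UDP lines and absent for ICMP and other protocols.
ACL_LOG = re.compile(
    r"%SEC-6-IPACCESSLOG\w*: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>\d+\.\d+\.\d+\.\d+)(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\((?P<dport>\d+)\))?"
    r".*?, (?P<count>\d+) packets?"
)

def tally(log_text, acl="100", src="40.40.40.40"):
    """Return {(dst, proto, dport): packets} for log hits on `acl` from `src`."""
    hits = Counter()
    for line in log_text.splitlines():
        m = ACL_LOG.search(line)
        if not m or m["acl"] != acl or m["src"] != src:
            continue  # unrelated syslog line, other ACL, or other source
        # Sum the per-line packet counts (first-hit line plus later summaries).
        hits[(m["dst"], m["proto"], m["dport"])] += int(m["count"])
    return hits

def missing_destinations(hits, expected):
    """Expected destination hosts with no logged hit at all."""
    seen = {dst for dst, _, _ in hits}
    return sorted(set(expected) - seen)

if __name__ == "__main__":
    hits = tally(SAMPLE_LOG)
    for (dst, proto, dport), packets in sorted(hits.items(), key=str):
        print(f"{dst} {proto}/{dport or '-'}: {packets} packet(s)")
    print("no hits for:", missing_destinations(hits, ["10.0.1.10", "10.0.2.10"]))
```
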