[c-nsp] Logging Connections

Manu Chao linux.yahoo at gmail.com
Tue Dec 27 07:57:36 EST 2011


Why not use the following command on your SVI:

ip accounting output-packets

On Thu, Dec 15, 2011 at 12:35 PM, miroku <bundaberg440ml at gmail.com> wrote:

> Hi all,
>
> We are experiencing a bit of he said she said between a number of
> different clients/service providers.  The situation is a remote site
> (let's say 40.40.40.40) is experiencing connectivity issues to a couple
> of hosts within our infrastructure (let's say 10.0.1.10 and
> 10.0.2.10).  I believe that an upstream firewall is blocking certain
> traffic from the host which is the cause of the problem, but the
> firewall team claim otherwise.  I would like to set up logging on our
> infrastructure to see if we are receiving the packets.  What's the
> best way to do this, and would this have any impact on other hosts
> within the SVI when the ACL is applied?
>
> Our SVI is set up something like this (Active for HSRP) (it's a 6500)
> interface Vlan10
>  ip address 10.0.3.254 255.255.255.128 secondary
>  ip address 10.0.2.126 255.255.255.224 secondary
>  ip address 10.0.1.254 255.255.255.128
>  no ip redirects
>  standby 14 ip 10.0.1.129
>  standby 14 ip 10.0.2.97 secondary
>  standby 14 ip 10.0.3.129 secondary
>  standby 14 priority 130
>  standby 14 preempt delay minimum 60 sync 60
>  standby 14 authentication <password>
> end
>
> I would like to implement an extended access-list for logging. Would
> this work, and would it impact other hosts on the SVI when it is
> applied, as currently there is no ACL on the SVI?
> #
>  ip access-list extended 100
>  permit ip host 40.40.40.40 host 10.0.1.10 log
>  permit ip host 40.40.40.40 host 10.0.2.10 log
>  permit ip any any
>  int vlan 10
>  ip access-group 100 out
>
> Your comments would be greatly appreciated.
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
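Added example, not part of the original thread: if the logging ACL from the quoted message is applied, the resulting %SEC-6-IPACCESSLOG* syslog lines can be tallied per destination to show which of the two hosts actually saw traffic from the remote site. The log lines, function names and ACL number 101 below are constructed for illustration; only the addresses and ACL 100 come from the thread.

```python
import re
from collections import Counter

# Constructed syslog lines in the IOS %SEC-6-IPACCESSLOG* format (not from a real device).
SAMPLE_LOG = """\
Dec 27 08:01:12: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 40.40.40.40(51234) -> 10.0.1.10(443), 1 packet
Dec 27 08:01:15: %SEC-6-IPACCESSLOGDP: list 100 permitted icmp 40.40.40.40 -> 10.0.2.10 (8/0), 1 packet
Dec 27 08:06:12: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 40.40.40.40(51234) -> 10.0.1.10(443), 7 packets
Dec 27 08:06:30: %SEC-6-IPACCESSLOGP: list 101 permitted udp 40.40.40.40(53) -> 10.0.1.10(53), 2 packets
Dec 27 08:07:02: %LINK-3-UPDOWN: Interface Vlan10, changed state to up
"""

# Ports appear in parentheses only for TCP/UDP; ICMP carries (type/code) after the destination.
ACL_LOG = re.compile(
    r"%SEC-6-IPACCESSLOG\w*: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>\d+\.\d+\.\d+\.\d+)(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\((?P<dport>\d+)\))?.*?, (?P<count>\d+) packets?"
)


def tally(log_text, acl, src, dsts):
    """Sum logged packet counts per (dst, proto, dport) for one ACL and one source."""
    hits = Counter()
    for line in log_text.splitlines():
        m = ACL_LOG.search(line)
        if not m or m["acl"] != acl or m["src"] != src or m["dst"] not in dsts:
            continue
        # Each log line reports an aggregated count, so add it rather than counting lines.
        hits[(m["dst"], m["proto"], m["dport"] or "-")] += int(m["count"])
    return hits


def unseen(hits, dsts):
    """Destinations for which the ACL logged no packets at all."""
    return sorted(set(dsts) - {dst for dst, _, _ in hits})


if __name__ == "__main__":
    hosts = ["10.0.1.10", "10.0.2.10"]
    result = tally(SAMPLE_LOG, "100", "40.40.40.40", hosts)
    for (dst, proto, dport), packets in sorted(result.items()):
        print(f"{dst:<12} {proto:<5} dport={dport:<6} packets={packets}")
    print("no packets logged for:", unseen(result, hosts) or "none")
```
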

