[c-nsp] Logging Connections

Nick Hilliard nick at foobar.org
Wed Dec 28 08:30:52 EST 2011


On 27/12/2011 12:57, Manu Chao wrote:
> Why not use the following command on your SVI:
> 
> ip accounting output-packets

Because that will trash the RP on the 6500.

It may be a better idea to use a RSPAN session to sniff ingress / egress
traffic on the physical ports in question.

Nick
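To make the RSPAN suggestion concrete, here is an added configuration sketch (not from the original thread, and not Nick's own config). It mirrors both directions of the physical ports behind Vlan10 into a remote-span VLAN and pulls that VLAN out to a sniffer port on a second switch, so the logging is done off-box instead of with ACL `log` entries or `ip accounting` on the SVI. Interface names, session numbers and VLAN 999 are assumptions; the RSPAN VLAN must be allowed on every trunk between the two switches.

```ios
! --- Switch A: the 6500 that owns Vlan10 (all names/numbers are assumed) ---
vlan 999
 name RSPAN-CAPTURE
 remote-span
!
! Mirror the physical ports that carry 10.0.1.10 / 10.0.2.10, both directions.
! Sourcing the physical ports (rather than the SVI) keeps the copy in hardware.
monitor session 1 source interface GigabitEthernet1/1 , GigabitEthernet1/2 both
monitor session 1 destination remote vlan 999
!
! --- Switch B: where the capture host is plugged in (assumed Gi2/10) ---
vlan 999
 remote-span
!
monitor session 2 source remote vlan 999
monitor session 2 destination interface GigabitEthernet2/10
```

On the capture host, a filter such as `host 40.40.40.40 and (host 10.0.1.10 or host 10.0.2.10)` in tcpdump or Wireshark shows whether the remote site's packets reach the ports at all and whether replies leave, which settles the argument without putting any load on the RP.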


> On Thu, Dec 15, 2011 at 12:35 PM, miroku <bundaberg440ml at gmail.com> wrote:
> 
>> Hi all,
>>
>> We are experiencing a bit of he said, she said between a number of
>> different clients/service providers.  The situation is a remote site
>> (let's say 40.40.40.40) is experiencing connectivity issues to a couple
>> of hosts within our infrastructure (let's say 10.0.1.10 and
>> 10.0.2.10).  I believe that an upstream firewall is blocking certain
>> traffic from the host which is the cause of the problem, but the
>> firewall team claim otherwise.  I would like to set up logging on our
>> infrastructure to see if we are receiving the packets.  What's the
>> best way to do this, and would this have any impact on other hosts
>> within the SVI when the ACL is applied?
>>
>> Our SVI is set up something like this (Active for HSRP) (it's a 6500):
>> interface Vlan10
>>  ip address 10.0.3.254 255.255.255.128 secondary
>>  ip address 10.0.2.126 255.255.255.224 secondary
>>  ip address 10.0.1.254 255.255.255.128
>>  no ip redirects
>>  standby 14 ip 10.0.1.129
>>  standby 14 ip 10.0.2.97 secondary
>>  standby 14 ip 10.0.3.129 secondary
>>  standby 14 priority 130
>>  standby 14 preempt delay minimum 60 sync 60
>>  standby 14 authentication <password>
>> end
>>
>> I would like to implement an extended access-list for logging.  Would
>> this work, and would it impact other hosts on the SVI when it is
>> applied, as currently there is no ACL on the SVI?
>> #
>>  ip access-list extended 100
>>  permit ip host 40.40.40.40 host 10.0.1.10 log
>>  permit ip host 40.40.40.40 host 10.0.2.10 log
>>  permit ip any any
>>  int vlan 10
>>  ip access-group 100 out
>>
>> Your comments would be greatly appreciated.
>> _______________________________________________
>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>
