[c-nsp] nexus logging L3 ACL and mac source ?
Gert Doering
gert at greenie.muc.de
Fri Jun 28 07:19:32 EDT 2013
Hi,
On Fri, Jun 28, 2013 at 10:58:50AM +0100, Tóth András wrote:
> Manually looking at the MAC/ARP table is not flawed much more than relying
> on ACL logging to print out the MAC because if it comes through a router,
> both will display the router MAC anyway.
That's the misunderstanding, that the MAC/ARP table will help you find
the router MAC - it won't, unless you already know the router it's coming
from.
More verbose example:
sender PC ---------- Router A ----eth---- Router B
IP 1.1.1.1           10.0.0.1              10.0.0.2
(with a "large enough" ethernet, having more than just A and B connected
to it)
In router B, I have an ACL that says, for example
deny tcp any any eq 23 log-input
so I can see if someone fingers my routers. The ACL logs
"source = 1.1.1.1, destination = 10.0.0.2, source interface = facing A"
so how, exactly, do I find that the packet came in from Router A?
For bonus points, assume that B has multiple possible paths to 1.1.1.1,
so assuming "it will come from the router where I would send the response
packet to" does not hold.
gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de
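To make the point of the message concrete from the defender's side: with a plain "log" keyword the ACL entry records only IP addresses, so the hit cannot be attributed to an upstream router; with "log-input" the entry also carries the ingress interface and the source MAC, which can be matched against an inventory of known neighbour router MACs even when several paths to 1.1.1.1 exist. The following is an added example, not code from the thread or from Cisco: it parses IOS-style ACL log lines (the "%SEC-6-IPACCESSLOGP" format; NX-OS formats differ), and both the sample log lines and the neighbour MAC table are constructed.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# IOS-style ACL log entry. The "(interface mac)" group is only present when the
# ACL entry uses "log-input"; with plain "log" it is absent, so it is optional here.
LOG_RE = re.compile(
    r"list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\S+) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\((?P<sport>\d+)\) "
    r"(?:\((?P<ifname>\S+) (?P<smac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\) )?"
    r"-> (?P<dst>\d{1,3}(?:\.\d{1,3}){3})\((?P<dport>\d+)\), (?P<count>\d+) packet"
)


class AclHit(NamedTuple):
    acl: str
    action: str
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    in_iface: Optional[str]   # None when the ACL used "log" rather than "log-input"
    src_mac: Optional[str]    # the L2 source, i.e. the last-hop router on the shared segment
    packets: int


# Constructed inventory: MAC addresses of the routers on the shared ethernet,
# as you would collect them from "show ip arp" on each neighbour (assumption).
KNOWN_NEIGHBORS = {
    "0000.0c00.000a": "Router A (10.0.0.1)",
    "0000.0c00.000c": "Router C (10.0.0.3)",
}


def parse_acl_log(line: str) -> Optional[AclHit]:
    """Extract the fields of one ACL log line; return None if it is not an ACL hit."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return AclHit(
        acl=m.group("acl"),
        action=m.group("action"),
        proto=m.group("proto"),
        src_ip=m.group("src"),
        src_port=int(m.group("sport")),
        dst_ip=m.group("dst"),
        dst_port=int(m.group("dport")),
        in_iface=m.group("ifname"),
        src_mac=m.group("smac").lower() if m.group("smac") else None,
        packets=int(m.group("count")),
    )


def attribute_upstream(hit: AclHit, neighbors: dict) -> str:
    """Name the router that put the packet on our segment, using the logged source MAC."""
    if hit.src_mac is None:
        # Exactly the situation described in the thread: the IP source alone does not
        # tell you which of several neighbours forwarded the packet.
        return "unknown: entry logged with 'log', no ingress MAC recorded"
    return neighbors.get(hit.src_mac, f"unknown MAC {hit.src_mac} on {hit.in_iface}")


def summarize(lines: List[str], neighbors: dict) -> List[Tuple[str, int, str]]:
    """For each telnet-probe hit return (source IP, destination port, upstream router)."""
    out = []
    for line in lines:
        hit = parse_acl_log(line)
        if hit is None:
            continue
        out.append((hit.src_ip, hit.dst_port, attribute_upstream(hit, neighbors)))
    return out


# Constructed sample log lines. The same source 1.1.1.1 arrives via two different
# neighbours (multiple paths), and the third line comes from an ACL without log-input.
SAMPLE_LOGS = [
    "Jun 28 10:58:50: %SEC-6-IPACCESSLOGP: list 101 denied tcp 1.1.1.1(4321) "
    "(GigabitEthernet0/1 0000.0c00.000a) -> 10.0.0.2(23), 1 packet",
    "Jun 28 10:59:12: %SEC-6-IPACCESSLOGP: list 101 denied tcp 1.1.1.1(4322) "
    "(GigabitEthernet0/1 0000.0c00.000c) -> 10.0.0.2(23), 1 packet",
    "Jun 28 10:59:40: %SEC-6-IPACCESSLOGP: list 102 denied tcp 1.1.1.1(4323) "
    "-> 10.0.0.2(23), 1 packet",
    "Jun 28 11:00:00: %SYS-5-CONFIG_I: Configured from console by admin",
]

if __name__ == "__main__":
    for src, port, upstream in summarize(SAMPLE_LOGS, KNOWN_NEIGHBORS):
        print(f"{src} -> tcp/{port} via {upstream}")
```

Run as a script it prints one line per ACL hit; the two log-input entries resolve to Router A and Router C respectively, while the plain-log entry is reported as unattributable, which is the gap the message is pointing at.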