[c-nsp] nexus logging L3 ACL and mac source ?

Tóth András diosbejgli at gmail.com
Fri Jun 28 18:09:30 EDT 2013


Hi,

Point taken, indeed. However, unfortunately I'm not aware of any ability to
see the MAC address in ACL logs.

Honestly, it took a few years to get those two bugs fixed, mostly because
Cisco considered them enhancement requests (that you can't see the ACL name
and whether it's permit or deny).

Andras



On Fri, Jun 28, 2013 at 12:19 PM, Gert Doering <gert at greenie.muc.de> wrote:

> Hi,
>
> On Fri, Jun 28, 2013 at 10:58:50AM +0100, Tóth András wrote:
> > Manually looking at the MAC/ARP table is not flawed much more than
> relying
> > on ACL logging to print out the MAC because if it comes through a router,
> > both will display the router MAC anyway.
>
> That's the misunderstanding, that the MAC/ARP table will help you find
> the router MAC - it won't, unless you already know the router it's coming
> from.
>
> More verbose example:
>
>
>  sender PC   ---------- Router A  ----eth---- Router B
>  IP 1.1.1.1             10.0.0.1              10.0.0.2
>
> (with a "large enough" ethernet, having more than just A and B connected
> to it)
>
> In router B, I have an ACL that says, for example
>
>   deny tcp any any eq 23 log-input
>
> so I can see if someone fingers my routers.  The ACL logs
>
>   "source = 1.1.1.1, destination = 10.0.0.2, source interface = facing A"
>
> so how, exactly, do I find that the packet came in from Router A?
>
>
> For bonus points, assume that B has multiple possible paths to 1.1.1.1,
> so assuming "it will come from the router where I would send the response
> packet to" does not hold.
>
> gert
> --
> USENET is *not* the non-clickable part of WWW!
>                                                            //
> www.muc.de/~gert/
> Gert Doering - Munich, Germany
> gert at greenie.muc.de
> fax: +49-89-35655025
> gert at net.informatik.tu-muenchen.de
>
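To make Gert's point concrete, here is an added example (not from the thread or from Cisco) that correlates an ACL log line with router B's ARP table: with IOS-style `log-input` output that carries the source MAC, the upstream router on the shared ethernet is resolved; with the Nexus-style line Gert paraphrases (source IP, destination, ingress interface only) it cannot be, because several routers share that interface. The IOS log format, the Nexus line and the ARP entries are constructed sample data, and the MAC addresses are made up.

```python
import re
from typing import Optional

# Constructed ARP table of router B's segment-facing interface (IP -> MAC).
# 1.1.1.1 is behind Router A, so only the routers' MACs appear on the segment.
ARP_TABLE = {
    "10.0.0.1": "0000.0c07.ac0a",   # Router A
    "10.0.0.3": "0000.0c07.ac0c",   # Router C, another path to 1.1.1.1
}
MAC_TO_ROUTER = {mac: ip for ip, mac in ARP_TABLE.items()}

# IOS 'log-input' style line (constructed sample, format assumed):
# %SEC-6-IPACCESSLOGP: list TELNET denied tcp 1.1.1.1(40000)
#     (Ethernet0/0 0000.0c07.ac0a) -> 10.0.0.2(23), 1 packet
IOS_RE = re.compile(
    r"list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\(\d+\) "
    r"\((?P<intf>\S+) (?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\(\d+\)"
)

# Nexus-style line as paraphrased in the thread: no MAC field at all.
NEXUS_RE = re.compile(
    r"source = (?P<src>\S+), destination = (?P<dst>\S+), "
    r"source interface = (?P<intf>.+)"
)


def ingress_router(log_line: str) -> Optional[str]:
    """Return the IP of the upstream router a logged packet arrived from.

    None means the log line does not identify it: either the MAC is unknown
    to the ARP table, or the line carries no MAC and the ingress interface
    is a multi-access segment shared by several routers.
    """
    m = IOS_RE.search(log_line)
    if m:
        return MAC_TO_ROUTER.get(m.group("mac"))
    m = NEXUS_RE.search(log_line)
    if m:
        # Source IP + interface only: on a shared ethernet this is ambiguous,
        # and the source IP tells you nothing about which router forwarded it.
        return None
    raise ValueError("unrecognised ACL log line: " + log_line)
```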