Logging a specific port on a switch

Unanswered Question
Dec 14th, 2007

Hello


I have a server which is serving secure web pages. However from time to time the websites stop responding, but the server is still working fine. This server only serves webpages for office members. (ie it's intranet, so no outside access allowed.)


I need to monitor the port of the server via my switch in order to see how many people access the site.


Am I correct in saying that I can set up an ACL to log access for port 443 and then apply it to the port the server connects to?


Thanks

willemvw

Jon Marshall Fri, 12/14/2007 - 04:19

Willemvm


Is it a layer 2 or 3 port?


If layer 3, yes, apply it in the outbound direction.


If layer 2, you need to apply it to the L3 interface for that subnet,


i.e.


access-list 101 permit tcp any host "server ip" eq 443 log

access-list 101 permit ip any any


under the L3 interface


ip access-group 101 out


HTH


Jon

willemvwyk Mon, 12/17/2007 - 21:51

Hi Jon


Thank you for the response :)


The problem is that the traffic doesn't traverse a layer 3 device (in this case a router). So it means the server is connected straight to the switch (port G1/0/2), and this specific port is what I am trying to monitor for traffic on port 443.


Regards

willemvw

Kevin Dorrell Fri, 12/14/2007 - 04:56

Willem


It depends on the platform - each one has different limitations. For example, I have mainly 4500, and on this you can apply a layer-3/4 access list on a layer-2 switchport, with certain complicated restrictions, which I shall try and outline for you. In this context, they are known as "Port ACLs" or PACL. You can find the full text in


http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/25ewa/configuration/guide/secure.html#wp1069182


The rules for a 4500 are, briefly:


1. You can only have one layer-3 ACL in each direction on any particular port.

2. There is generally no restriction on output PACLs.

3. You cannot have an input PACL and a VLAN map on its VLAN at the same time. (If you try and put both, there are commands to determine which takes precedence.)

4. You cannot have an input ACL on a switchport, and an input ACL on the SVI of its VLAN.


See also http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/25ewa/configuration/guide/secure.html#wp1071413


I have used layer-3/4 IP input PACLs quite successfully, even on a trunk switchport interface.


Kevin Dorrell

Luxembourg


willemvwyk Mon, 12/17/2007 - 21:55

Hi Kevin


Thank you for your help :) The device I am using is a 3750, although I am reading through the URLs as they contain interesting points.


Do you think using a MAC ACL in my case will be useful?


As I mentioned to Jon, the web server is directly connected to the switch port. On this switch port I need to check for traffic on port 443.


Thank you

willemvw

Kevin Dorrell Mon, 12/17/2007 - 23:45

Willem,


I don't think a MAC ACL will help in this case because, AFAIK, MAC ACLs apply only to non-IP traffic. (I do know, however, that there are people on this board who disagree with me on that interpretation of the docs. So you could try it if you want to experiment.)


http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3750/12240se/scg1/swacl.htm#wp1289554


"After you create a MAC ACL, you can apply it to a Layer 2 interface to filter non-IP traffic coming in that interface."


Sadly, it seems that the 3750 does not support those PACLs I was telling you about. The best it can offer for your purposes, I think, is a VLAN access-map, or VACL. This will filter at layer-3 on the layer-2 bridge, but over the entire VLAN rather than on a single port. But I guess you could get what you want by carefully designing the ACL. Here is the reference:


http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3750/12240se/scg1/swacl.htm#wp1600210


Kevin Dorrell

Luxembourg


willemvwyk Wed, 12/19/2007 - 00:46

Hi Kevin,


Thank you for your assistance :) I had a look at the MAC ACLs on the 3750 yesterday. They do not filter by port traffic (i.e. all traffic on port 443). So that has limited my options even more.


I am reading through your URLs and will see if I can create anything from them.


Thank you for all your help :)


Regards

willemvw

Danilo Dy Thu, 12/20/2007 - 07:11

Hi,


What web server/service are you running (IIS, Apache, iPlanet) and on what platform (Windows, UNIX, Linux, AIX)?


There are utilities on the internet to convert the logs to sort the source IP address and the port (i.e. 443) they are trying to access.


Check also the configured maximum number of concurrent connections of your web server/service. Anything else, it sounds like a DDoS which brings down the web server/service but not the server.


Regards,

Dandy
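As an added example (not part of the thread) of the log-based approach Dandy suggests, the script below parses web server access logs, counts the distinct client IPs, and finds the busiest minute, which can be compared against the server's configured concurrent-connection limit. It assumes the Apache "combined" log format, which the thread never confirms; the sample lines are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in Apache "combined" format (assumption: the
# thread does not say which web server is in use). One line is deliberately
# malformed to show that unparseable lines are skipped, not counted.
SAMPLE_LOG = """\
10.1.2.3 - - [17/Dec/2007:08:01:02 +0100] "GET /intranet/ HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
10.1.2.4 - - [17/Dec/2007:08:01:15 +0100] "GET /intranet/login HTTP/1.1" 200 812 "-" "Mozilla/4.0"
10.1.2.3 - - [17/Dec/2007:08:01:40 +0100] "POST /intranet/login HTTP/1.1" 302 0 "-" "Mozilla/4.0"
10.1.2.5 - - [17/Dec/2007:08:02:01 +0100] "GET /intranet/ HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
10.1.2.4 - - [17/Dec/2007:08:02:05 +0100] "GET /intranet/report HTTP/1.1" 200 99231 "-" "Mozilla/4.0"
10.1.2.6 - - [17/Dec/2007:08:02:30 +0100] "GET /intranet/ HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
garbage line that does not match the format
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

def parse_log(text):
    """Yield (client_ip, minute_bucket, status) for each well-formed line."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        # "17/Dec/2007:08:01:02 +0100" -> "17/Dec/2007:08:01" (drop tz and seconds)
        minute = m.group("ts").split(" ")[0].rsplit(":", 1)[0]
        yield m.group("ip"), minute, int(m.group("status"))

def summarize(text):
    """Distinct clients, per-client hit counts, and the minute with most clients."""
    per_client = Counter()
    per_minute = defaultdict(set)  # minute bucket -> set of client IPs seen
    for ip, minute, _status in parse_log(text):
        per_client[ip] += 1
        per_minute[minute].add(ip)
    busiest = max(per_minute.items(), key=lambda kv: len(kv[1]), default=(None, set()))
    return {"clients": len(per_client), "hits": per_client,
            "busiest_minute": busiest[0], "busiest_minute_clients": len(busiest[1])}

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"{s['clients']} distinct clients; busiest minute {s['busiest_minute']} "
          f"with {s['busiest_minute_clients']} clients")
    for ip, n in s["hits"].most_common():
        print(f"{ip:>15}  {n} hits")
```

Feed a real access log in via `summarize(open(path).read())`; a busiest-minute client count close to the server's connection limit points at exhaustion rather than a network fault.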
