Logging a specific port on a switch

willemvwyk
Level 1

Hello

I have a server which is serving secure web pages. However from time to time the websites stop responding, but the server is still working fine. This server only serves webpages for office members. (ie it's intranet, so no outside access allowed.)

I need to monitor the port of the server via my switch in order to see how many people access the site.

Am I correct by saying that I can set up and ACL to log access for port 443 and then apply it to the port the server connects to?

Thanks

willemvw

7 Replies

Jon Marshall
Hall of Fame

Willemvm

Is it a layer 2 or layer 3 port?

If layer 3, yes, apply it in the outbound direction.

If layer 2, you need to apply it to the L3 interface for that subnet.

ie.

access-list 101 permit tcp any host "server ip" eq 443 log

access-list 101 permit ip any any

under the L3 interface

ip access-group 101 out

HTH

Jon
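As an added example (not from Jon's post or from Cisco's documentation): once an ACE carries the log keyword, IOS emits %SEC-6-IPACCESSLOGP syslog messages for matching packets, and a small script over those messages answers the original question of how many distinct hosts are reaching port 443 and when. The sample lines below are constructed, and the timestamp layout in front of the message is an assumption.

```python
import re
from collections import Counter

# Matches the %SEC-6-IPACCESSLOGP message IOS produces for TCP/UDP ACEs with
# the "log" keyword. The leading "Mon DD HH:MM:SS" timestamp is assumed; the
# lazy ".*?" tolerates extra fields (hostname, sequence number) before the message.
LOG_RE = re.compile(
    r"^(?P<minute>\w{3}\s+\d+\s+\d{2}:\d{2}):\d{2}.*?"
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

def parse_acl_log(lines, dport="443"):
    """Aggregate permitted hits on dport: packets per source IP and per minute."""
    per_src, per_minute = Counter(), Counter()
    for line in lines:
        m = LOG_RE.search(line)
        if not m or m["dport"] != dport or m["action"] != "permitted":
            continue
        # IOS logs the first match immediately and then summarises repeats
        # every five minutes as "N packets", so the count must be honoured.
        n = int(m["count"])
        per_src[m["src"]] += n
        per_minute[m["minute"]] += n
    return per_src, per_minute

def summarize(lines, dport="443"):
    """Distinct clients, total packets, busiest minute and top talkers for dport."""
    per_src, per_minute = parse_acl_log(lines, dport)
    return {
        "distinct_sources": len(per_src),
        "total_packets": sum(per_src.values()),
        "busiest_minute": per_minute.most_common(1)[0] if per_minute else None,
        "top_sources": per_src.most_common(5),
    }

# Constructed sample syslog lines; the third is a five-minute summary entry,
# the fourth is port 80 and the last is unrelated noise, both ignored.
SAMPLE = [
    "Mar  1 10:15:22.123: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.1.20.15(51234) -> 10.1.20.5(443), 1 packet",
    "Mar  1 10:15:40.551: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.1.20.22(49152) -> 10.1.20.5(443), 1 packet",
    "Mar  1 10:20:22.001: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.1.20.15(51234) -> 10.1.20.5(443), 12 packets",
    "Mar  1 10:16:03.210: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.1.20.30(40000) -> 10.1.20.5(80), 1 packet",
    "Mar  1 10:16:09.000: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/7, changed state to up",
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Because the log keyword is rate-limited and summarised, the per-source totals approximate traffic rather than count sessions exactly; distinct source addresses is the figure that answers "how many people".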

Hi Jon

Thank you for the response :)

The problem is that the traffic doesn't traverse a layer 3 device (in this case a router). So it means the server is connected straight to the switch (port G1/0/2) and this specific port is what I am trying to monitor for traffic on port 443.

Regards

willemvw

Kevin Dorrell
Level 10

Willem

It depends on the platform - each one has different limitations. For example, I have mainly 4500, and on this you can apply a layer-3/4 access list on a layer-2 switchport, with certain complicated restrictions, which I shall try and outline for you. In this context, they are known as "Port ACLs" or PACL. You can find the full text in

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/25ewa/configuration/guide/secure.html#wp1069182

The rules for a 4500 are, briefly:

1. You can only have one layer-3 ACL in each direction on any particular port.

2. There is generally no restriction on output PACLs

3. You cannot have an input PACL and a VLAN map on its VLAN at the same time. (If you try and put both, there are commands to determine which takes precedence.)

4. You cannot have an input ACL on a switchport, and an input ACL on the SVI of its VLAN.

See also http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/25ewa/configuration/guide/secure.html#wp1071413

I have used layer-3/4 IP input PACLs quite successfully, even on a trunk switchport interface.

Kevin Dorrell

Luxembourg

Hi Kevin

Thank you for your help :) The device I am using is a 3750, although I am reading through the URLs as they contain interesting points.

Do you think using a mac acl in my case will be useful?

As I mentioned to Jon, the web server is directly connected to the switch port. On this switch port I need to check for traffic on port 443.

Thank you

willemvw

Willem,

I don't think a MAC ACL will help in this case because, AFAIK, MAC ACLs apply only to non-IP traffic. (I do know, however, that there are people on this board who disagree with me on that interpretation of the docs. So you could try it if you want to experiment.)

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3750/12240se/scg1/swacl.htm#wp1289554

"After you create a MAC ACL, you can apply it to a Layer 2 interface to filter non-IP traffic coming in that interface."

Sadly, it seems that the 3750 does not support those PACLs I was telling you about. The best it can offer for your purposes, I think, is a VLAN access-map, or VACL. This will filter at layer-3 on the layer-2 bridge, but over the entire VLAN rather than on a single port. But I guess you could get what you want by carefully designing the ACL. Here is the reference:

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3750/12240se/scg1/swacl.htm#wp1600210

Kevin Dorrell

Luxembourg

Hi Kevin,

Thank you for your assistance :) I had a look at the MAC ACLs on the 3750 yesterday. They do not filter by port traffic (ie all traffic on port 443). So that has limited my options even more.

I am reading through your URLs and will see if I can create anything from them.

Thank you for all your help :)

regards

willemvw

Danilo Dy
VIP Alumni

Hi,

What web server/service are you running (IIS, Apache, iPlanet) and in what platform (Windows, UNIX, LINUX, AIX)?

There are utilities on the internet to convert the logs to sort the source IP addresses and the port (i.e. 443) they are trying to access.

Check also the configured maximum number of concurrent connections of your web server/service. Anything else, it sounds like a DDoS which brings down the web server/service but not the server.

Regards,

Dandy
