ACL problem on Core Switch (Help)

Unanswered Question
Jun 25th, 2008

Need to check with you guys.

Recently, I applied one ACL statement to prevent one server from establishing RDC (3389) to another server within the same VLAN.

It works pretty well when I tried it on two switches with different IOS versions:

1. Core Switch (s72033_rp Software (s72033_rp-IPSERVICES_WAN-M), Version 12.2(18)SXF7);

2. Access Switch (Catalyst 4500 L3 Switch Software, Version 12.2(31)SGA).

The problem occurred when I added the keyword "log" to the end of the statement on the Core Switch. It somehow let the RDC connection be established. If I removed the keyword "log", it followed the ACL statement.

Below is the configuration for each switch:

Core Switch:

#
ip access-list extended testing
 deny tcp host 10.30.100.33 host 10.30.100.36 eq 3389 log
 permit ip any any
!
interface GigabitEthernet7/8
 ip access-group testing in
#

Access Switch:

#
ip access-list extended testing
 deny tcp host 10.10.101.23 host 10.10.101.28 eq 3389 log
 permit ip any any
!
interface GigabitEthernet4/42
 ip access-group testing in
#

I can find the log as below:

003267: Jun 26 11:25:07 SGT: %SEC-6-IPACCESSLOGP: list testing denied tcp 10.10.101.23(2196) -> 10.10.101.28(3389), 1 packet

Could somebody help to explain it? Is it a bug?

Thanks.

ashok_boin Wed, 06/25/2008 - 23:01

As the ACL log option just logs packets matched by any of the rules in the ACL, I don't think there is any problem with your configuration.

There should be two possibilities:

1. You might have multiple paths to reach the server, and connectivity is being established successfully over another path.

2. The bug you suspect.

Did you see any log entry on the core switch at exactly the same time when you reached the server successfully with the ACL log option? You can try a conditional debug with "debug ip packet list" to see the packets from 10.10.101.23 to 10.10.101.28, and also in the opposite direction, in real time.

Regards...

-Ashok.
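To make Ashok's point concrete, here is an added example (not from this thread, and not Cisco code) that models IOS first-match extended-ACL evaluation in software, where the "log" keyword is only a side effect of a match and never changes the permit/deny verdict, and then cross-checks the %SEC-6-IPACCESSLOGP line quoted in the post against the posted ACL. It models the configured semantics only, not the switch's hardware forwarding path, so a switch that forwards a flow the model says should be denied, or that never emits the log line the model predicts, is exactly the discrepancy this check is meant to surface. The ACL text and the syslog line are the ones posted; the parser's address forms (host / any / network wildcard), the implicit final deny, and all helper names are my own assumptions.

```python
"""Software model of IOS extended-ACL evaluation plus an IPACCESSLOGP checker."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# The two ACLs exactly as posted in the thread.
CORE_ACL = """
ip access-list extended testing
 deny tcp host 10.30.100.33 host 10.30.100.36 eq 3389 log
 permit ip any any
"""
ACCESS_ACL = """
ip access-list extended testing
 deny tcp host 10.10.101.23 host 10.10.101.28 eq 3389 log
 permit ip any any
"""
# The syslog line quoted in the post (it came from the access switch).
SAMPLE_LOG = ("003267: Jun 26 11:25:07 SGT: %SEC-6-IPACCESSLOGP: list testing "
              "denied tcp 10.10.101.23(2196) -> 10.10.101.28(3389), 1 packet")

ANY = (0, 0xFFFFFFFF)           # (network, wildcard): every bit is "don't care"

@dataclass
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every IP protocol
    src: Tuple[int, int]        # (network, wildcard) as 32-bit ints
    dst: Tuple[int, int]
    dport: Optional[int]        # None when no "eq <port>" is given
    log: bool                   # "log" keyword present on the ACE

def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))

def _addr_spec(t, i):
    """Consume 'any' | 'host A' | 'A WILDCARD' starting at token t[i]."""
    if t[i] == "any":
        return ANY, i + 1
    if t[i] == "host":
        return (_ip(t[i + 1]), 0), i + 2
    return (_ip(t[i]), _ip(t[i + 1])), i + 2

def parse_acl(text):
    """Return (name, [Ace, ...]) from 'ip access-list extended' config text."""
    name, aces = None, []
    for line in text.strip().splitlines():
        t = line.split()
        if not t:
            continue
        if t[:3] == ["ip", "access-list", "extended"]:
            name = t[3]
        elif t[0] in ("permit", "deny"):
            src, i = _addr_spec(t, 2)
            dst, i = _addr_spec(t, i)
            dport = None
            if i < len(t) and t[i] == "eq":          # port after the destination
                dport, i = int(t[i + 1]), i + 2
            aces.append(Ace(t[0], t[1], src, dst, dport, "log" in t[i:]))
    return name, aces

def _match_addr(spec, ip):
    net, wild = spec
    care = ~wild & 0xFFFFFFFF   # bits that must be equal (wildcard 0 = must match)
    return (net & care) == (_ip(ip) & care)

def evaluate(aces, proto, src, dst, dport):
    """First-match lookup: returns (action, log_flag, ace_index).
    Index -1 is the implicit 'deny ip any any' at the end of every IOS ACL.
    The log flag is reported next to the verdict and never alters it."""
    for idx, a in enumerate(aces):
        if a.proto not in ("ip", proto):
            continue
        if not (_match_addr(a.src, src) and _match_addr(a.dst, dst)):
            continue
        if a.dport is not None and a.dport != dport:
            continue
        return a.action, a.log, idx
    return "deny", False, -1

LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<list>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?")

def parse_log(line):
    """Extract list name, verdict and 5-tuple from an IPACCESSLOGP syslog line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    for k in ("sport", "dport", "count"):
        d[k] = int(d[k])
    d["action"] = "deny" if d["action"] == "denied" else "permit"
    return d

def log_matches_acl(acl_text, line):
    """True when the syslog entry is what the ACL predicts: same list name,
    same verdict, and the ACE that matched actually carries the log keyword."""
    name, aces = parse_acl(acl_text)
    e = parse_log(line)
    if e is None or e["list"] != name:
        return False
    action, logged, _ = evaluate(aces, e["proto"], e["src"], e["dst"], e["dport"])
    return action == e["action"] and logged

if __name__ == "__main__":
    _, aces = parse_acl(CORE_ACL)
    print(evaluate(aces, "tcp", "10.30.100.33", "10.30.100.36", 3389))  # ('deny', True, 0)
    print(evaluate(aces, "tcp", "10.30.100.36", "10.30.100.33", 3389))  # ('permit', False, 1)
    print(log_matches_acl(ACCESS_ACL, SAMPLE_LOG))                      # True
```

Feed it the flows you test by hand (the RDC attempt from .33 to .36 on 3389, the return traffic, a different port) and compare the verdicts with what actually gets through; then feed it every IPACCESSLOGP line the switch emits for list "testing". A flow the model denies but the switch forwards, or a denied flow with no matching log line at all, is the mismatch to chase with the conditional debug suggested above, because the model already shows the "log" keyword cannot by itself turn a deny into a permit.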

Surya Dathan Wed, 06/25/2008 - 23:56

Hi Ashok,

This is quite weird. As long as I remove the keyword "log" from my ACL statement, I am able to RDC.

It never shows any log entry on the core switch. Strange!
