ACL problem on Core Switch (Help)

Jun 25th, 2008

Need to check with you guys.


Recently, I applied one ACL statement to prevent one server from establishing RDC (3389) to another server within the same VLAN.

It worked pretty well when I tried it on 2 switches with different IOS versions:


1. Core Switch (s72033_rp Software (s72033_rp-IPSERVICES_WAN-M), Version 12.2(18)SXF7);

2. Access Switch (Catalyst 4500 L3 Switch Software, Version 12.2(31)SGA).



The problem occurred when I added the keyword "log" after the statement on the Core Switch. It somehow let the RDC connection be established. If I removed the keyword "log", it followed the ACL statement.

Below is the configuration for each switch:


Core Switch:

#
ip access-list extended testing
 deny tcp host 10.30.100.33 host 10.30.100.36 eq 3389 log
 permit ip any any

int gig7/8
 ip access-group testing in
#

Access Switch:

#
ip access-list extended testing
 deny tcp host 10.10.101.23 host 10.10.101.28 eq 3389 log
 permit ip any any

int gig4/42
 ip access-group testing in
#

I can find the log as below:

003267: Jun 26 11:25:07 SGT: %SEC-6-IPACCESSLOGP: list testing denied tcp 10.10.101.23(2196) -> 10.10.101.28(3389), 1 packet


Could somebody help to explain it? Is it a bug?


Thanks.
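As an added example (not from the post, and not Cisco code), the following Python cross-checks a %SEC-6-IPACCESSLOGP line against the ACL text under first-match evaluation, so a defender can tell whether the logged verdict is the one the ACL predicts. The ACL lines are copied from the access-switch configuration above and the syslog line reproduces the one quoted; both are embedded as constructed sample input.

```python
import ipaddress
import re
from typing import List, NamedTuple, Optional, Tuple

# Message shape of the %SEC-6-IPACCESSLOGP line quoted in the thread.
LOG_RE = re.compile(r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>denied|permitted) (?P<proto>\w+) "
                    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packet")

# One access-control entry: proto "ip" matches every protocol, dport None means any destination port.
Ace = NamedTuple("Ace", [("action", str), ("proto", str), ("src", ipaddress.IPv4Network),
                         ("dst", ipaddress.IPv4Network), ("dport", Optional[int]), ("log", bool)])

def parse_ace(line: str) -> Ace:
    """Parse the extended-ACE subset used in the thread: host/any addresses, 'eq <port>' and 'log'."""
    tok, pos = line.split(), 2
    def address() -> ipaddress.IPv4Network:
        nonlocal pos
        if tok[pos] == "any":
            pos += 1
            return ipaddress.ip_network("0.0.0.0/0")
        if tok[pos] != "host":
            raise ValueError("unsupported address form: " + tok[pos])
        pos += 2
        return ipaddress.ip_network(tok[pos - 1] + "/32")
    src, dst = address(), address()
    dport = None
    if pos < len(tok) and tok[pos] == "eq":
        dport, pos = int(tok[pos + 1]), pos + 2
    return Ace(tok[0], tok[1], src, dst, dport, "log" in tok[pos:])

def evaluate(acl: List[Ace], proto: str, src: str, dst: str, dport: int) -> Tuple[str, bool]:
    """First matching ACE wins; an unmatched packet falls to the implicit deny, which is never logged."""
    for ace in acl:
        if (ace.proto in ("ip", proto) and ipaddress.ip_address(src) in ace.src
                and ipaddress.ip_address(dst) in ace.dst and (ace.dport is None or ace.dport == dport)):
            return ace.action, ace.log
    return "deny", False

def audit_log_line(acl: List[Ace], line: str) -> Tuple[str, str]:
    """Return (verdict the switch logged, verdict the ACL text predicts) for one syslog line."""
    m = LOG_RE.search(line)
    if not m:
        raise ValueError("not an IPACCESSLOGP message: " + line)
    logged = "deny" if m["action"] == "denied" else "permit"
    return logged, evaluate(acl, m["proto"], m["src"], m["dst"], int(m["dport"]))[0]

# Constructed sample input: the access-switch ACL from the thread and the log line in the quoted format.
ACL = [parse_ace("deny tcp host 10.10.101.23 host 10.10.101.28 eq 3389 log"), parse_ace("permit ip any any")]
SAMPLE = "003267: Jun 26 11:25:07 SGT: %SEC-6-IPACCESSLOGP: list testing denied tcp 10.10.101.23(2196) -> 10.10.101.28(3389), 1 packet"
```

When both values agree on "deny" and the session still completes, the ACL text is not the problem and the forwarding path between the two hosts is the next thing to examine.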

ashok_boin Wed, 06/25/2008 - 23:01

As the ACL log option just logs packets matched by any of the rules in the ACL, I don't think there is any problem with your configuration.


There should be two possibilities...


1. You might have multiple paths to reach the server and be establishing connectivity successfully via another path.

2. The bug suspected by you.


Did you see any log entry on the core switch at exactly the same time as you reached the server successfully with the ACL log option? You can try a conditional debug with "debug ip packet list " to see the packets from 10.10.101.23 to 10.10.101.28 and also in the opposite direction in real time.


Regards...

-Ashok.

Surya Dathan Wed, 06/25/2008 - 23:56

Hi Ashok,


This is quite weird. As long as I remove the keyword "log" from my ACL statement, I am able to RDC.

It never shows any log entry on the core switch. Strange!
