C2960X in L3 mode doesn't log ACL deny packets.

dtango2010
Level 1

Hello,

I'm using stack of two C2960X in L3 mode:

ZZZ-L3#sh sdm prefer
The current template is "lanbase-routing" template.

I have two Vlans and I need to block traffic between them. The problem is the second vlan is located on the other switch.

So Here is my setup:

LAN (VLAN1)--[ZZZ-L3]--trunk port--[YYY-L2]-- Vlan10

ip routing
no ip cef optimize neighbor resolution
...
interface Vlan1
ip address 192.168.1.2 255.255.255.0
no ip redirects
no ip proxy-arp
end

interface Vlan10
ip address 192.168.10.1 255.255.255.0
ip access-group 111 out
no ip redirects
no ip proxy-arp
end

ZZZ-L3#sh access-lists 111
Extended IP access list 111
10 permit tcp host 192.168.1.50 host 192.168.10.50 eq 4899
20 deny ip any any log

ZZZ-L33#sh ver

...
Switch Ports Model SW Version SW Image
------ ----- ----- ---------- ----------
1 28 WS-C2960X-24TS-L 15.2(2)E6 C2960X-UNIVERSALK9-M
* 2 28 WS-C2960X-24TS-L 15.2(2)E6 C2960X-UNIVERSALK9-M

I can confirm that ACL works:

RDP from 192.168.1.50 to 192.168.10.50 works OK.

And if I ping 192.168.1.50 from 192.168.10.50 I receive "Request timed out."

However, I don't see any "%SEC-6-IPACCESSLOGDP: list 111 denied " in the log on the switch.

The other strange thing is that if I ping an IP that doesn't exist in subnet 192.168.10.x - for example 192.168.10.60 -

First: I receive "Destination net unreachable", but not "Request timed out."

Second: the deny log message shows up in the log:

%SEC-6-IPACCESSLOGDP: list 111 denied icmp 192.168.1.50 -> 192.168.10.60 (8/0), 1 packet 

One more thing: if I define a switch port in VLAN 10 on ZZZ-L3 and connect 192.168.10.50 directly to ZZZ-L3,

then "%SEC-6-IPACCESSLOGDP: list 111 denied" starts showing up in the log.

Any idea about such a strange behavior?

Thank you in advance,

Alex.
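An added example for the defender side of this thread (not code from the thread, from Cisco or from any of the posters): a parser that turns the %SEC-6-IPACCESSLOGDP lines quoted above into structured events, so denied flows can be counted, alerted on or shipped to a SIEM. The sample log text is constructed; the ICMP line follows the format shown in the post, and the TCP lines use the port-bearing %SEC-6-IPACCESSLOGP variant that IOS emits for TCP/UDP matches (assumed here from IOS documentation, so verify it against your own platform's output). Python:

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterator, Optional, Tuple

# Constructed sample: a few syslog lines as a C2960X in L3 mode might emit them.
# Line 1 copies the ICMP format quoted in the thread; lines 2-3 use the
# %SEC-6-IPACCESSLOGP format (assumed) that carries TCP/UDP port numbers.
SAMPLE_LOG = """\
*Mar  1 00:10:12.345: %SEC-6-IPACCESSLOGDP: list 111 denied icmp 192.168.1.50 -> 192.168.10.60 (8/0), 1 packet
*Mar  1 00:10:45.001: %SEC-6-IPACCESSLOGP: list 111 denied tcp 192.168.1.77(51234) -> 192.168.10.50(3389), 3 packets
*Mar  1 00:11:02.777: %SEC-6-IPACCESSLOGP: list 111 permitted tcp 192.168.1.50(50111) -> 192.168.10.50(4899), 12 packets
*Mar  1 00:11:09.000: %SYS-5-CONFIG_I: Configured from console by console
"""

# Handles the DP (ICMP type/code) and P (TCP/UDP ports) message variants.
ACL_LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG(?P<kind>DP|P):\s+list\s+(?P<acl>\S+)\s+"
    r"(?P<action>permitted|denied)\s+(?P<proto>\S+)\s+"
    r"(?P<src>[\d.]+)(?:\((?P<sport>\d+)\))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?:\((?P<dport>\d+)\))?"
    r"(?:\s+\((?P<itype>\d+)/(?P<icode>\d+)\))?,\s+(?P<count>\d+)\s+packets?"
)


@dataclass(frozen=True)
class AclLogEvent:
    acl: str
    action: str                # "permitted" or "denied"
    proto: str                 # icmp, tcp, udp, ...
    src: str
    dst: str
    sport: Optional[int]       # TCP/UDP source port, None for ICMP
    dport: Optional[int]       # TCP/UDP destination port, None for ICMP
    icmp_type: Optional[int]   # ICMP type, None for TCP/UDP
    icmp_code: Optional[int]
    packets: int               # packet count summarised in this message


def parse_acl_log_line(line: str) -> Optional[AclLogEvent]:
    """Return a structured event for an ACL log line, or None for anything else."""
    m = ACL_LOG_RE.search(line)
    if not m:
        return None
    g = m.groupdict()

    def opt_int(key: str) -> Optional[int]:
        return int(g[key]) if g[key] is not None else None

    return AclLogEvent(
        acl=g["acl"], action=g["action"], proto=g["proto"],
        src=g["src"], dst=g["dst"],
        sport=opt_int("sport"), dport=opt_int("dport"),
        icmp_type=opt_int("itype"), icmp_code=opt_int("icode"),
        packets=int(g["count"]),
    )


def iter_events(text: str) -> Iterator[AclLogEvent]:
    """Yield parsed ACL events from a block of syslog text, skipping other messages."""
    for line in text.splitlines():
        ev = parse_acl_log_line(line)
        if ev is not None:
            yield ev


def denied_packets_by_flow(text: str) -> Dict[Tuple[str, str], int]:
    """Sum denied packets per (source, destination) pair: a simple base for alerting."""
    totals: Dict[Tuple[str, str], int] = {}
    for ev in iter_events(text):
        if ev.action == "denied":
            key = (ev.src, ev.dst)
            totals[key] = totals.get(key, 0) + ev.packets
    return totals


if __name__ == "__main__":
    for flow, count in denied_packets_by_flow(SAMPLE_LOG).items():
        print(f"denied {count:>4} packet(s)  {flow[0]} -> {flow[1]}")
```

Note that the packet count in each message is already rate-limited by the switch (the "ip access-list logging interval" and the logging threshold govern how often a message is produced), so these totals are a lower bound on what the ACE actually dropped; the counters in show access-lists are the authoritative figure.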


Hi

You could see the hits executing:

Show access-list <name or number>

Now you could enable:

logging trap 5 or 6
logging buffered 5 or 6

5 is notifications and 6 is informational.

Also you could try with log-input, example:

access-list 100 deny ip any any log-input

Hope it is useful

:-)




>> Mark as helpful or answered if the reply resolved your question; this helps other community members with future queries. <<

Hello,

>sh access-lists 111

I see no hits.

>logging buffered 8192 debug

this didn't help.

>logging trap 6

I thought it was related to the syslog server configuration, but I'll check this first thing in the morning.

>access-list 100 deny ip any any log-input

The same effect - this didn't help.

Could my problem be related to CEF?

KR,

Alex

Hi Alex,

could you please share the show access-list 111 output?





Ok, I think I found the root cause.
So, I have applied two filters to the Vlan interface - one for input and one for output.
I can log packets using the input filter (ACL 115) but not the output filter (ACL 111)!

interface Vlan10
ip address 192.168.10.1 255.255.255.0
ip access-group 111 out
ip access-group 115 in
no ip redirects
no ip proxy-arp
end

ZZZ-L3#sh access-lists 115
Extended IP access list 115
    10 permit ip any any (36 matches)
ZZZ-L3#

Here are a few links below:
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SXF/native/configuration/guide/swcg/vacl.pdf
http://www.networkstraining.com/traffic-filtering-cisco-layer3-switch-vacl/

As I understood, the best practice is to apply an "in" filter, not an "out" filter, for this kind of filtering.

My guess now is: if a packet has left the Vlan interface it can be permitted/blocked, but can't be counted by the ACL counters.
Could this idea be true?
Thks,
Alex
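The check Alex is doing here (send known test traffic, then see whether the ACE counters in show access-lists move) can be automated so the "ACL blocks but never counts or logs" condition is caught rather than eyeballed. The following is an added example, not code from the thread, from Cisco or from any poster: it parses two snapshots of show access-lists output taken before and after the test traffic and reports every ACE carrying the log keyword whose counter did not change. The two snapshots are constructed to mirror the output quoted in this thread; the counter values are sample values. Python:

```python
import re
from typing import Dict, List, NamedTuple, Tuple

# Constructed snapshots of "show access-lists" (prompt and format copied from the
# thread; counter values are sample values). Between the two snapshots, test
# traffic was sent that should have hit both deny ACEs.
BEFORE = """\
ZZZ-L3#sh access-lists
Extended IP access list 111
    10 permit tcp host 192.168.1.50 host 192.168.10.50 eq 4899
    20 deny ip any any log (4 matches)
Extended IP access list 115
    10 permit ip any any (36 matches)
    20 deny ip any any log (1 match)
ZZZ-L3#
"""

AFTER = """\
ZZZ-L3#sh access-lists
Extended IP access list 111
    10 permit tcp host 192.168.1.50 host 192.168.10.50 eq 4899
    20 deny ip any any log (4 matches)
Extended IP access list 115
    10 permit ip any any (41 matches)
    20 deny ip any any log (3 matches)
ZZZ-L3#
"""


class Ace(NamedTuple):
    acl: str
    seq: int
    action: str     # "permit" or "deny"
    rule: str       # remainder of the entry, e.g. "ip any any log"
    matches: int    # value shown as "(N matches)"; 0 when IOS prints no counter


HEADER_RE = re.compile(r"^(?:Standard|Extended) IP access list (\S+)\s*$")
# IOS prints "(1 match)" for a single hit and "(N matches)" otherwise.
ACE_RE = re.compile(r"^\s+(\d+)\s+(permit|deny)\s+(.*?)(?:\s+\((\d+) matche?s?\))?\s*$")
LOG_KEYWORD_RE = re.compile(r"\blog(?:-input)?\b")

AceKey = Tuple[str, int]


def parse_show_access_lists(output: str) -> Dict[AceKey, Ace]:
    """Map (acl, sequence) -> Ace for every entry in a show access-lists dump."""
    entries: Dict[AceKey, Ace] = {}
    acl = None
    for line in output.splitlines():
        header = HEADER_RE.match(line)
        if header:
            acl = header.group(1)
            continue
        m = ACE_RE.match(line)
        if m and acl is not None:
            seq, action, rule, count = m.groups()
            ace = Ace(acl, int(seq), action, rule.strip(), int(count or 0))
            entries[(acl, ace.seq)] = ace
    return entries


def counter_deltas(before: Dict[AceKey, Ace], after: Dict[AceKey, Ace]) -> Dict[AceKey, int]:
    """Per-ACE counter growth between two snapshots (ACEs present in both only)."""
    return {key: after[key].matches - before[key].matches
            for key in after if key in before}


def silent_log_aces(before: Dict[AceKey, Ace], after: Dict[AceKey, Ace]) -> List[Ace]:
    """ACEs with the log keyword whose counter did not move: candidates for the
    behaviour described in this thread, where the ACE filters but never counts or logs."""
    return [after[key] for key, delta in counter_deltas(before, after).items()
            if delta == 0 and LOG_KEYWORD_RE.search(after[key].rule)]


if __name__ == "__main__":
    b, a = parse_show_access_lists(BEFORE), parse_show_access_lists(AFTER)
    for ace in silent_log_aces(b, a):
        print(f"ACL {ace.acl} seq {ace.seq} ({ace.action} {ace.rule}): counter unchanged at {ace.matches}")
```

A zero delta only means something when you know traffic matching that ACE was actually sent during the window; a quiet network makes every log ACE look "silent". Run it around a deliberate test such as the ping in the original post.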

Hello

access-list 111 permit ip any any log
access-list 115 permit ip any any log

That should capture in/out traffic hitting the ACL


res

Paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hello

Just tested it...

access-list 111 permit ip any any log
access-list 115 permit ip any any log

sh logging | in level
    Console logging: level debugging, 73 messages logged, xml disabled,
    Monitor logging: level debugging, 0 messages logged, xml disabled,
    Buffer logging:  level debugging, 73 messages logged, xml disabled,
    Trap logging: level informational, 71 message lines logged

interface VlanX/X
 ip access-group 111 in
 ip access-group 115 out

sh access-lists
Extended IP access list 111
    20 permit ip any any log (305149 matches)
Extended IP access list 115
    10 permit ip any any log (211566 matches)

res
Paul



Kind Regards
Paul

Paul,

Thks for testing!

What is the switch model and IOS that you used for this test ?

KR,

Alex.

Paul,
Thank you for your time.
I'm going to either create a ticket with TAC or simply close the topic.

I confirm that if I use a standalone C2960X switch in L3 mode, then logging for the "out ACL" works.

However, in my case, I'm using the stack.

Also, I was able to reproduce the same issue with the other L3 stack I have.
So, in a few words:

I'm using a stack of 2xC2960X in L3 mode (sdm prefer lanbase-routing)

For me, logging doesn't work for the out ACL (but the ACL itself works), and again, I tend to think that this is related to how L3 traffic goes through the stack / vlan.

C2960X with LAN Base IOS in L3 mode is not widely used (especially in a stack), so maybe this is why this was not reported before.

And yes, let's call this "a feature".

Thks,

Alex.

Hello,

ZZZ-L3#sh access-lists 111
Extended IP access list 111
    10 permit tcp host 192.168.1.50 host 192.168.10.50 eq 4899
    20 deny ip any any log (4 matches)
ZZZ-L3#

"4 matches" was about IPs that do not exist in subnet 192.168.10.x.

Hi 

If you want to allow or deny traffic from the subnet associated with the vlan, it should be IN, and the external traffic going to your vlan should be OUT.

Example:

*imagine the vlan 10 has the subnet 192.168.1.0/24

access-list 100 permit ip 192.168.1.0 0.0.0.255 any

access-list 101 permit ip any 192.168.1.0 0.0.0.255

interface vlan 10
 ip access-group 100 in
 ip access-group 101 out

Hope it is useful

:-)





Hello Julio,

Thank you for the quick response.

Yes, I understand how to control traffic from / to the subnet associated with the vlan. Passed my CCNP 5 years ago :).

What I'm trying to say (in a few words) is that the ACL is not showing matches for the ACL attached to the OUT "filter", and as a side effect I see no messages in the log for the "deny ip any any log" rule.

KR,

Aleks.

Hi,

Try to include these commands:

logging on

no logging console
logging buffered informational
logging buffered 16000

ip access-list logging interval interval-in-ms





Hi,

What interval would you recommend to log as much as possible?

Thks!

Hi

1 second = 1000 milliseconds; for testing you could configure 1000 ms.



