I have been tasked with securing a SCADA LAN with many devices/apps that need to talk outside of this subnet. I thought that an easy way to build the ACL would be to use an ACL like "permit ip any any log" and then slowly add the lines as they appear in the logs. The problem is that this list only produces statements in the logs that show IP and protocol and not port. See below:
SEC-6-IPACCESSLOGP: list 100 permitted udp a.b.c.d(0) -> 220.127.116.11(0)
I tuned it further by doing this:
permit udp any any log
permit tcp any any log
This had the exact same results. Only port 0.
This is on a 1760 router running 123-7.T9
Can anyone tell me what I am doing wrong? Maybe it is just not possible to do this with a permit statement?
The log keyword causes an informational logging message about the packet that matches the entry to be sent to the console. (The level of messages logged to the console is controlled by the logging console command.)
The message includes the access list number, whether the packet was permitted or denied, the source address, and the number of packets. The message is generated for the first packet that matches, and then at 5-minute intervals, including the number of packets permitted or denied in the prior 5-minute interval.
The logging facility might drop some logging message packets if there are too many to be handled or if there is more than one logging message to be handled in 1 second. This behavior prevents the router from crashing due to too many logging packets.
When access lists are configured with the log-input keyword, tcp/udp ports are only displayed when the processing of the access lists requires the port number to be extracted for comparison. If the port is not required, the log messages will display 0 as the port number. The log is expected to report the port number if and only if a port number is mentioned in the ACL.
Thanks for the replies guys. The TAC said the reason that the port numbers weren't showing up was because I did not have any port numbers in the same statement as the log. Putting in just one port number, even if it is a port you will never use, acts like a switch and activates port number display for everything.
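The workflow in the original post (log everything, then derive host-to-host ACEs from what shows up) is easy to automate, but only once the port-0 behaviour described above is accounted for. The following is an added example, not code from the thread or from Cisco: it parses IPACCESSLOGP syslog lines, aggregates permitted flows per (protocol, source, destination, destination port), drafts one candidate ACE per flow, and reports separately any flow whose logged ports are both 0, since that means the matching ACE referenced no port and the real port was never extracted. The log lines are constructed samples in the standard IOS message format; the addresses, ACL numbers and packet counts are invented.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines in the IOS IPACCESSLOGP format (not from the thread).
# The first two show the symptom discussed above: the ACE had no port match, so IOS
# reports (0) for both ports. The remaining lines come from an ACL that references a
# port, so the real ports appear. One denied line is included to show it is skipped.
SAMPLE_LOG = """\
%SEC-6-IPACCESSLOGP: list 100 permitted udp 10.1.1.5(0) -> 10.2.2.20(0), 1 packet
%SEC-6-IPACCESSLOGP: list 100 permitted tcp 10.1.1.6(0) -> 10.2.2.21(0), 1 packet
%SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.1.1.7(49152) -> 10.2.2.22(502), 1 packet
%SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.1.1.7(49153) -> 10.2.2.22(502), 12 packets
%SEC-6-IPACCESSLOGP: list 101 denied udp 10.1.1.8(1024) -> 10.2.2.23(161), 3 packets
"""

# Field layout: list <acl> <permitted|denied> <proto> <src>(<sport>) -> <dst>(<dport>)[, N packet(s)]
LOG_RE = re.compile(
    r"IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>tcp|udp) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\)"
    r"(?:, (?P<count>\d+) packets?)?"
)


def parse_line(line):
    """Return the fields of one IPACCESSLOGP line as a dict, or None if it does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    # The packet count suffix is absent on the first-hit message; treat that as one packet.
    rec["count"] = int(rec["count"]) if rec["count"] else 1
    return rec


def summarize_flows(log_text):
    """Aggregate permitted packet counts per flow.

    Returns (known, unknown): 'known' maps (proto, src, dst, dport) -> packets;
    'unknown' maps (proto, src, dst) -> packets for lines where both ports are 0,
    i.e. the matching ACE referenced no port and IOS never extracted one.
    Denied lines are skipped because they must not become permit ACEs.
    """
    known = defaultdict(int)
    unknown = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "permitted":
            continue
        if rec["sport"] == 0 and rec["dport"] == 0:
            unknown[(rec["proto"], rec["src"], rec["dst"])] += rec["count"]
        else:
            known[(rec["proto"], rec["src"], rec["dst"], rec["dport"])] += rec["count"]
    return dict(known), dict(unknown)


def suggest_aces(known, unknown):
    """Draft one host-to-host ACE per observed flow; port-less flows become review notes."""
    aces = [
        f"permit {proto} host {src} host {dst} eq {dport} log"
        for proto, src, dst, dport in sorted(known)
    ]
    notes = [
        f"! {proto} {src} -> {dst}: port not extracted, ACE needs a port match before the port is logged"
        for proto, src, dst in sorted(unknown)
    ]
    return aces, notes


if __name__ == "__main__":
    known, unknown = summarize_flows(SAMPLE_LOG)
    aces, notes = suggest_aces(known, unknown)
    for line in aces + notes:
        print(line)
```

Run against a real syslog export, the `notes` list is the check that the collection ACL is actually capturing ports; if it is non-empty, the ACL still needs a port-referencing entry (as the TAC advised) before the drafted ACEs are worth anything.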