
log-deny

Hi, we are trying to secure the mgmt0 interface on our MDS:

MDS(config)# ip access-list mgmt permit tcp any any eq port telnet

MDS(config)# ip access-list mgmt permit tcp any any eq port ssh

MDS(config)# ip access-list mgmt permit tcp any any eq port http

MDS(config)# ip access-list mgmt permit udp any any eq port snmp

MDS(config)# ip access-list mgmt deny ip any any log-deny

MDS(config)# int mgmt0

MDS(config-if)# ip access-group mgmt in

When I try Device Manager, it won't open; it just hangs. I used Ethereal to find out which ports are used, and I didn't see anything other than SNMP (UDP 161) and HTTP (TCP 80).

I added the log-deny line.

But how do you view the log?!! I can't find it whatsoever

3 REPLIES
Cisco Employee

Re: log-deny

Which log are you referencing?

Below is a list of all ports used by the Fabric Manager applications:

Common to all applications

• SSH 22 (TCP)

• TELNET 23 (TCP)

• HTTP 80 (TCP)

• TFTP 69 (UDP)

• SYSLOG 514 (UDP)

Fabric Manager Server and Performance Manager

• SNMP_TRAP 2162 (UDP)

• SNMP picks a random free local port (UDP) (can be changed in server.properties)

• Java RMI 9099, 9199 to 9299 (TCP)

Fabric Manager Client

• Java RMI 9099, 9199 to 9299 (TCP)

• SNMP picks a random free local port (UDP), or 9189 (TCP) if SNMP proxy is enabled (can be changed in server.properties)

Device Manager

• SNMP_TRAP 1163 to 1170 (UDP) (picks one available in this range)

• SNMP picks a random free local port (UDP), or 9189 (TCP) if SNMP proxy is enabled (can be changed in server.properties)
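As an added example (not part of this thread or of any Cisco tool), the following Python script parses the ACL lines from the question and checks the Fabric Manager / Device Manager ports listed in the reply against them, first match wins with an implicit deny at the end, so a management ACL can be audited before it is applied to mgmt0. It assumes that an inbound ACL on mgmt0 only sees packets whose destination is the switch, so only flows toward the switch are treated as inbound; the keyword-to-port mapping (telnet 23, ssh 22, http 80, snmp 161) and the flow lists are constructed assumptions, not taken from the switch.

```python
"""Audit an NX-OS style management ACL against the ports a management
application needs. Added example; not code from the thread or from Cisco."""
import re
from dataclasses import dataclass
from typing import Optional

# ACL exactly as posted in the question (the "MDS(config)# " prompt stripped).
ACL_CONFIG = """\
ip access-list mgmt permit tcp any any eq port telnet
ip access-list mgmt permit tcp any any eq port ssh
ip access-list mgmt permit tcp any any eq port http
ip access-list mgmt permit udp any any eq port snmp
ip access-list mgmt deny ip any any log-deny
"""

# Assumed mapping of the port keywords used on the page to IANA port numbers.
PORT_NAMES = {"telnet": 23, "ssh": 22, "http": 80, "snmp": 161,
              "tftp": 69, "syslog": 514}

# Flows whose destination is the switch (constructed; these are the ones an
# inbound ACL on mgmt0 actually filters): (protocol, destination port, label).
INBOUND_FLOWS = [
    ("tcp", 22, "SSH"),
    ("tcp", 23, "TELNET"),
    ("tcp", 80, "HTTP"),
    ("udp", 161, "SNMP agent"),
]

# Ports from the reply that are listeners on the management station, not the
# switch (constructed list); shown here to illustrate what the ACL would log.
STATION_SIDE_FLOWS = [
    ("udp", 2162, "SNMP_TRAP (Fabric Manager Server)"),
    ("tcp", 9189, "SNMP proxy (if enabled)"),
    ("tcp", 9099, "Java RMI"),
]


@dataclass
class Rule:
    acl: str
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp" or "ip" (matches either)
    port: Optional[int]    # destination port; None means any port
    log: bool              # True when the line carries log-deny


RULE_RE = re.compile(
    r"^ip access-list (?P<acl>\S+) (?P<action>permit|deny) "
    r"(?P<proto>tcp|udp|ip) any any(?: eq port (?P<port>\S+))?(?P<log> log-deny)?$"
)


def parse_acl(text: str) -> list:
    """Turn the posted CLI lines into Rule objects, in configured order."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError(f"unsupported ACL line: {line!r}")
        port = m.group("port")
        if port is not None:
            port = PORT_NAMES[port] if port in PORT_NAMES else int(port)
        rules.append(Rule(m.group("acl"), m.group("action"), m.group("proto"),
                          port, m.group("log") is not None))
    return rules


def first_match(rules: list, proto: str, port: int):
    """Return (action, rule). rule is None when only the implicit deny matched."""
    for rule in rules:
        if rule.proto not in ("ip", proto):
            continue
        if rule.port is not None and rule.port != port:
            continue
        return rule.action, rule
    return "deny", None


def audit(acl_text: str, flows: list) -> list:
    """List the flows the ACL would drop as (label, proto, port, logged)."""
    rules = parse_acl(acl_text)
    denied = []
    for proto, port, label in flows:
        action, rule = first_match(rules, proto, port)
        if action == "deny":
            denied.append((label, proto, port, rule is not None and rule.log))
    return denied


if __name__ == "__main__":
    for label, flows in (("inbound", INBOUND_FLOWS), ("station-side", STATION_SIDE_FLOWS)):
        hits = audit(ACL_CONFIG, flows)
        print(f"{label}: {len(hits)} of {len(flows)} flows denied")
        for name, proto, port, logged in hits:
            print(f"  deny {proto}/{port} {name}{' (log-deny)' if logged else ''}")
```

Running it shows that every flow toward the switch in the posted ACL is permitted, while anything else hits the final `deny ip any any log-deny` line and is flagged as logged; adding a port to the ACL under the wrong protocol (for example `tcp` instead of `udp` for SNMP) makes the corresponding flow show up in the denied list before the ACL ever reaches the switch.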

Re: log-deny

I'm talking about the access-list log. There's a log-deny option for access-lists. It's supposed to log every packet that is denied and show what protocol and port were denied. The configuration guide even shows an example of the output. But I can't find a "show logg", "debug" or some other show command to see this log.

Bronze

Re: log-deny

Messages will go to the logfile only if the logfile is set to the correct log level. Try this (assuming the name of your logfile is "messages"):

mds(config)# logging logfile messages 7

mds(config)# logging level kernel 7

You should then see the deny messages in a "show log".
