cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1486
Views
0
Helpful
8
Replies

Basic ACL question:is it possible to log only 1st packet per event?

news2010a
Level 3
Level 3

Hi, imagine I just want to find out which IP addresses are using trying to hit my server network on port 80.

If my syslog server is limited in storage, I am wondering whether I could just log the first packet from a given source and target IP address. Then once I learn what IP address that is, there is no need for me to log that event again showing the same IP.

Is that action possible?

I attempted to use the command in red below, but I read the document and tested and that is not what I am looking for.

R2#

ip access-list extended WATCH_PROTOCOL
permit tcp any any eq www log
permit ip any any
ip access-list log-update threshold 10
logging history size 500
logging 192.168.1.2
!
line con 0
line aux 0
line vty 0 4
!
!
end

R2#
*Dec 16 04:52:22.923 UTC: %SEC-6-IPACCESSLOGP: list WATCH_PROTOCOL permitted tcp
192.168.1.1(11019) -> 192.168.1.2(80), 1 packet
*Dec 16 04:52:27.047 UTC: %SEC-6-IPACCESSLOGP: list WATCH_PROTOCOL permitted tcp
192.168.1.1(11020) -> 192.168.1.2(80), 1 packet

8 Replies 8

jjunginger
Level 1
Level 1

If your requirement is to determine which hosts are contacting your server on port 80, there are a couple of ways to tackle it.  Since http is tcp based, you could write an ACL that would only match packets with the TCP SYN flag (0x2) set.  This would only log the first packet, but would log it for every subsequent connection from every source to every destination on the server segment.

A more elegant approach may be to use NetFlow to capture metadata about this traffic and use some of the reporting tools to pull out the information you need.  Take another look at the links below:

Configuring Netflow (12.2 Mainline):
http://www.cisco.com/en/US/docs/ios/12_2/switch/configuration/guide/xcfnfc.html


flow-tools (to analyze netflow data):
ftp://ftp.eng.oar.net/pub/flow-tools/flow-tools-0.66.tar.gz

Powerpoint tying the two together:
http://ws.edu.isoc.org/workshops/2008/apricot2008/netmanage/presos/netflow/apricot-flow-tools-slides.ppt

I hope this helps,

Thank you. I forgot to mention that I also need to verify port 3389 (Microsoft RDP thing) and telnet.

So according to your suggestion, http syn = 0x2.


Does the ACL to verify first HTTP hit should look like the below?

I'd appreciate if you can point me to the syn code to do the same with 3389 and telnet. I guess it would take me few days to master Netflow and there is a time constraint at this time so I need to keep this as simple as possible for now.

R1(config-ext-nacl)#permit tcp any any syn eq 0x2
R1#show access-list
Extended IP access list WATCH_PROTOCOL
    permit tcp any any eq 2 syn
R1#

Update:I tried the syn = 0x2 ACL as shown above and in my test, if I hit the ACL multiple times from a given client,  I continue to log multiple instances.

If you absolutely must use an ACL for http(tcp/80),telnet(tcp/23),rdp(tcp/3389, it would be written as follows:

access-list 100 permit tcp any any eq www syn log
access-list 100 permit tcp any any eq telnet syn log
access-list 100 permit tcp any any eq 3389 syn log

If you apply this outbound on the routed interface of your server VLAN, this will log the first packet (TCP SYN packet) of EVERY TCP connection for these three ports.  This means that you will get duplicate entries if a client initiates more than one TCP session to the server, but this will log the least amount of data per connection using an ACL.

Also, it would behoove you to read the following document (well worth the 60-90 minute time investment):

http://www.ietf.org/rfc/rfc0793.txt

One nuance about what you said:

Imagine my clients are being routed via a SVI, int vlan 100 let's say. Such gateway between client and server vlan is a 4507.

At that point, do you know if I should apply this access-list as:

int vlan 100

ip access-group 100 in

(...)

I mean, I just want to make sure the SVI also accepts the concept of "inbound" or given that is a SVI I should apply both "inbound and outbound". I think I heard something about that in the past, but I can't remember.

Thanks again for all your help.

config t

int vlan100

ip access-group 100 out

Don't forget to permit ip any any at the end (without log statement)

Eh, eh. I will thanks Jeremy.

By the way, if you ever come across an article which explains why I should apply 'ip access-group out' to a SVI interface, please let me know. I can't remember why I should do 'ip access-group out' instead of 'in' when dealing with this SVI.

Here's a simple explanation.  The ACL is matching the destination port for http, telnet, and rdp.  So you can apply it many many places.  Here are the two most common:

1) Closest to the source (the default gateway/SVI for clients) in an inbound direction

2) Closest to the destination (the default gateway/SVI for servers) in an outbound direction

I prefer number 2.  I will leave the reason as an exercise for the reader.

Enjoy!

Review Cisco Networking for a $25 gift card