Interface VLAN inbound ACL?

adibenedetto18
Level 1

Hi, I may be overthinking this, but I have an ACL that is applied inbound on an interface VLAN. I have a line to permit udp any any log which is temporary. I see hits, but the source IP is off-network, to the destination interface VLAN IP address. I expect to see source IP addresses only in the 192.168.1.128/25 IP range. What do you think? Thanks

interface vlan 100
 ip address 192.168.1.132 255.255.255.128
 ip access-group ACL_IN in

ACL hit:

%SEC-SW1-6-IPACCESSLOGP: list ACL_IN permitted udp 192.168.6.100(137) -> 192.168.1.132 (137), 1 packet


6 Replies

Jouni Forss
VIP Alumni

Hi,

Is the ACL attached to any other port/interface on the device?

- Jouni

Hi,

At this time no.

Hi,

It does seem strange, though I have to admit that I rarely nowadays configure ACLs in any other devices than actual firewalls and there the behaviour and logging is a bit different.

Cisco firewalls have a decent documentation about all the different log messages and their description but I am not sure about the switch/router side. Can't seem to find those.

What also seems strange is the port seen in the log messages and why would it be targeted to the actual Vlan interface IP address.

The ACL you have should only really control the traffic that is coming inbound towards the Vlan interface.

- Jouni

Yes, I agree it does seem strange, thanks for your response.

iswift
Level 1

Accepted Solution

Hi

That looks to me like WINS browsing, a reply packet.

And as the MS browsing works at Layer 2, it is sending a response to the router IP where it sees the browse request coming from - maybe your clients have a WINS server address configured?

Remember

permit udp any any log

is going to match ANY src ip, not just your local subnet, so that is why your log entries show the traffic in both directions.

Rgds

Ian

You're correct, I removed the helper addresses configured on the vlan interface and I no longer see the log messages. Thanks.
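The check the thread arrives at, as an added example that is not part of any post above: parse IPACCESSLOGP log lines of the kind shown in the question, flag hits whose source lies outside the SVI's own subnet (the off-network sources the poster was seeing), and derive the scoped ACE that the accepted answer's "any any matches ANY src ip" point implies. The sample log lines and the helper names are constructed for this example.

```python
import ipaddress
import re

# Constructed log lines modelled on the one in the question (not real captures).
SAMPLE_LOGS = [
    "%SEC-SW1-6-IPACCESSLOGP: list ACL_IN permitted udp 192.168.6.100(137) -> 192.168.1.132 (137), 1 packet",
    "%SEC-SW1-6-IPACCESSLOGP: list ACL_IN permitted udp 192.168.1.140(68) -> 192.168.1.132(67), 3 packets",
    "%SEC-SW1-6-IPACCESSLOGP: list ACL_IN permitted udp 10.0.0.5(53) -> 192.168.1.132(33000), 1 packet",
]

# IOS logs the destination port either as "ip(port)" or "ip (port)"; accept both.
LOG_RE = re.compile(
    r"%SEC-\S+-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+) ?\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)


def parse_ipaccesslogp(line):
    """Return the fields of one IPACCESSLOGP line as a dict, or None if it does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "count"):
        rec[key] = int(rec[key])
    return rec


def off_subnet_hits(lines, svi_subnet):
    """Hits whose source address is outside the SVI's subnet, e.g. '192.168.1.132/25'."""
    net = ipaddress.ip_network(svi_subnet, strict=False)
    hits = []
    for line in lines:
        rec = parse_ipaccesslogp(line)
        if rec and ipaddress.ip_address(rec["src"]) not in net:
            hits.append(rec)
    return hits


def scoped_ace(svi_subnet, proto="udp"):
    """Rewrite 'permit <proto> any any log' so only the local subnet can match as source."""
    net = ipaddress.ip_network(svi_subnet, strict=False)
    # IOS ACEs take a wildcard mask, which is the inverse of the subnet mask.
    return f"permit {proto} {net.network_address} {net.hostmask} any log"


if __name__ == "__main__":
    for hit in off_subnet_hits(SAMPLE_LOGS, "192.168.1.132/25"):
        print(f"off-subnet source {hit['src']} -> {hit['dst']}:{hit['dport']} ({hit['count']} pkt)")
    print(scoped_ace("192.168.1.132/25"))
```

Running the hits through the scoped ACE instead of the temporary any/any line separates genuinely local traffic from replies that only reach the SVI because of relaying, which is what the thread found.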
