09-06-2013 06:20 AM - edited 02-20-2020 09:43 PM
Hi, I may be overthinking this, but I have an ACL that is applied inbound on an interface VLAN. I have a line to permit udp any any log, which is temporary. I see hits, but the source IP is off-network, going to the destination interface VLAN IP address. I expect to see source IP addresses only in the 192.168.1.128/25 range. What do you think? Thanks
Interface vlan 100
ip address 192.168.1.132 255.255.255.128
ip access-group ACL_IN in
ACL Hit
%SEC-SW1-6-IPACCESSLOGP: list ACL_IN permitted udp 192.168.6.100(137) -> 192.168.1.132 (137), 1 packet
09-06-2013 06:35 AM
Hi,
Is the ACL attached to any other port/interface on the device?
- Jouni
09-06-2013 06:40 AM
Hi,
At this time no.
09-06-2013 06:56 AM
Hi,
It does seem strange, though I have to admit that nowadays I rarely configure ACLs on any devices other than actual firewalls, and there the behaviour and logging are a bit different.
Cisco firewalls have decent documentation about all the different log messages and their descriptions, but I am not sure about the switch/router side. I can't seem to find those.
What also seems strange is the port seen in the log messages and why would it be targeted to the actual Vlan interface IP address.
The ACL you have should only really control the traffic that is coming inbound towards the Vlan interface.
- Jouni
09-06-2013 06:59 AM
Yes, I agree it does seem strange, thanks for your response.
11-08-2013 02:10 AM
Hi
That looks to me like WINS browsing, a reply packet.
And as the MS browsing works at Layer 2, it is sending a response to the router IP where it sees the browse request coming from - maybe your clients have a WINS server address configured?
Remember
permit udp any any log
is going to match ANY src ip, not just your local subnet so that is why your log entries show the traffic in both directions.
Rgds
Ian
11-08-2013 04:25 AM
You're correct. I removed the helper addresses configured on the VLAN interface and I no longer see the log messages. Thanks.
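An added example, not part of the original thread or any poster's code, that shows the two points the answer above makes: it parses log lines in the %SEC-6-IPACCESSLOGP format the original poster showed and lists every source outside the 192.168.1.128/25 subnet the ACL faces, and it evaluates the logged packet against the broad `permit udp any any log` line and a tightened line using a Cisco wildcard mask, so the reader can see why the broad line matches off-subnet sources. The sample log lines are constructed (only the first mirrors the one in the thread), the ACL names and addresses are assumptions, and port numbers in ACEs are deliberately not parsed.

```python
"""Check IOS ACL log hits against the subnet an inbound ACL is meant to cover.

Added example, not from the thread. Given %SEC-6-IPACCESSLOGP lines, it
(1) reports source addresses outside the expected subnet and (2) evaluates
a packet against ACEs with any/host/wildcard terms to show why
'permit udp any any' matches traffic from anywhere.
"""
import ipaddress
import re

# Matches both '%SEC-6-IPACCESSLOGP' and the '%SEC-SW1-6-IPACCESSLOGP' variant
# seen in the thread; tolerates a stray space before the destination port.
LOG_RE = re.compile(
    r"%SEC-(?:\w+-)?6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\s*\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

# Constructed sample log lines. Only the first mirrors the one in the thread;
# the others are made up to exercise the checks.
SAMPLE_LOGS = """\
%SEC-SW1-6-IPACCESSLOGP: list ACL_IN permitted udp 192.168.6.100(137) -> 192.168.1.132 (137), 1 packet
%SEC-SW1-6-IPACCESSLOGP: list ACL_IN permitted udp 192.168.1.140(137) -> 192.168.1.255(137), 3 packets
%SEC-SW1-6-IPACCESSLOGP: list ACL_IN permitted udp 10.0.0.5(53) -> 192.168.1.200(51234), 1 packet
%SEC-SW1-6-IPACCESSLOGP: list ACL_IN denied tcp 192.168.1.150(40000) -> 192.168.1.132(22), 1 packet
"""


def parse_hits(log_text):
    """Return one dict per IPACCESSLOGP line; lines in other formats are skipped."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            d = m.groupdict()
            for k in ("sport", "dport", "count"):
                d[k] = int(d[k])
            hits.append(d)
    return hits


def off_subnet_sources(log_text, local_subnet):
    """Source addresses in the log that fall outside the subnet the ACL faces."""
    local = ipaddress.ip_network(local_subnet)
    return sorted({h["src"] for h in parse_hits(log_text)
                   if ipaddress.ip_address(h["src"]) not in local})


def _parse_addr(tokens):
    """Consume one ACE address term: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'.
    Returns (network_int, wildcard_int, remaining_tokens)."""
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF, tokens[1:]
    if tokens[0] == "host":
        return int(ipaddress.ip_address(tokens[1])), 0, tokens[2:]
    return (int(ipaddress.ip_address(tokens[0])),
            int(ipaddress.ip_address(tokens[1])), tokens[2:])


def ace_matches(ace, proto, src, dst):
    """Evaluate one extended-style ACE ('permit|deny PROTO SRC DST [log]')
    against a packet. Ports are ignored (assumption: enough for 'any any').
    Returns the action on a match, else None."""
    tokens = ace.split()
    action, ace_proto = tokens[0], tokens[1]
    src_net, src_wc, rest = _parse_addr(tokens[2:])
    dst_net, dst_wc, _ = _parse_addr(rest)
    if ace_proto not in ("ip", proto):
        return None
    s, d = int(ipaddress.ip_address(src)), int(ipaddress.ip_address(dst))
    # Cisco wildcard bits set to 1 mean "don't care": compare only the 0 bits.
    src_mask, dst_mask = ~src_wc & 0xFFFFFFFF, ~dst_wc & 0xFFFFFFFF
    if (s & src_mask) == (src_net & src_mask) and (d & dst_mask) == (dst_net & dst_mask):
        return action
    return None


def first_match(acl, proto, src, dst):
    """Walk ACEs top-down; IOS applies the first match, then an implicit deny."""
    for ace in acl:
        verdict = ace_matches(ace, proto, src, dst)
        if verdict:
            return verdict, ace
    return "deny", "(implicit deny)"


BROAD_ACL = ["permit udp any any log"]                        # as in the thread
TIGHT_ACL = ["permit udp 192.168.1.128 0.0.0.127 any log"]     # only the SVI's /25

if __name__ == "__main__":
    print("off-subnet sources:", off_subnet_sources(SAMPLE_LOGS, "192.168.1.128/25"))
    for acl in (BROAD_ACL, TIGHT_ACL):
        print(acl[0], "->", first_match(acl, "udp", "192.168.6.100", "192.168.1.132"))
```

Run as-is it lists 10.0.0.5 and 192.168.6.100 as off-subnet sources, shows the logged 192.168.6.100 -> 192.168.1.132 packet being permitted by the broad line and falling to the implicit deny under the tightened one. Replacing the `any` source with the interface's own subnet and wildcard is the usual way to keep a temporary logging line from telling you about traffic you did not ask about.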