cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1975
Views
0
Helpful
6
Replies

Interface VLAN inbound ACL?

adibenedetto18
Beginner
Beginner

Hi, I maybe over thinking this but I have an ACL that is applied inbound on an interface vlan. I have a line to permit udp any any log which is temporary. I see hits but the source ip is off network to destination interface vlan ip address. I expect to see source ip addresses only in the 192.168.1.128/25 ip range. What do you think? Thanks

Interface vlan 100

ip address 192.168.1.132 255.255.255.128

ip access-group ACL_IN in

ACL Hit

%SEC-SW1-6-IPACCESSLOGP: list ACL_IN permitted udp 192.168.6.100(137) -> 192.168.1.132 (137), 1 packet

1 Accepted Solution

Accepted Solutions

iswift
Beginner
Beginner

Hi

That looks to me like WINS browsing, a reply packet.

And as the MS browsing works at Layer 2, it is sending a response to the router IP where it sees the browse request coming from - maybe your clients have a WINS server address configured ?

Remember
permit udp any any log

is going to match ANY src ip, not just your local subnet so that is why  your log entries show the traffic in both directions.

Rgds

Ian

View solution in original post

6 Replies 6

Jouni Forss
VIP Alumni
VIP Alumni

Hi,

Is the ACL attached to any other port/interface on the device?

- Jouni

Hi,

At this time no.

Hi,

It does seem strange, though I have to admit that I rarely nowadays configure ACLs in any other devices than actual firewalls and there the behaviour and logging is a bit different.

Cisco firewalls have a decent documentation about all the different log messages and their description but I am not sure about the switch/router side. Can't seem to find those.

What also seems strange is the port seen in the log messages and why would it be targeted to the actual Vlan interface IP address.

The ACL you have should only really control the traffic that is coming inbound towards the Vlan interface.

- Jouni

Yes, I agree it does seem strange, thanks for your response.

iswift
Beginner
Beginner

Hi

That looks to me like WINS browsing, a reply packet.

And as the MS browsing works at Layer 2, it is sending a response to the router IP where it sees the browse request coming from - maybe your clients have a WINS server address configured ?

Remember
permit udp any any log

is going to match ANY src ip, not just your local subnet so that is why  your log entries show the traffic in both directions.

Rgds

Ian

Your correct, I removed the helper addresses configured on the vlan interface and I no longer see the log messages. Thanks.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: