cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
502
Views
0
Helpful
3
Replies

DNS Broadcast seen on all interfaces - logs denied on ACLs

Steve Adams
Level 1
Level 1

I enabled ip dns server on a 4351 router, and now I am seeing a broadcast from the mac-address from every interface to the destination of 255.255.255.255(53). I see this in all the ACLs on all the other routers in my test setup.

ip dns server

I am seeing this fill my logs on remote devices, and I am looking for a way to stop it or filter it out.
%FMANFP-6-IPACCESSLOGP: F0/0: fman_fp_image: list TUNNEL_ACL_IN denied udp d4ad.bdf0.fc7c 10.0.10.1(9707) Tunnel100-> 255.255.255.255(53), 1 packet
- Is there a way to bind the DNS server on the router to only one interface on a 4300 router?
- or is there a way to block the mac-address on every interface of the router from broadcasting to 255.255.255.255(53)?

I know this is just cosmetic, but it is filling my logs and its a bit annoying!

 

!
! Router-#1
!
Interface Tunnel 100
 ip address 10.0.10.1 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip access-group TUNNEL_ACL_IN in
 ip access-group TUNNEL_ACL_OUT out
 tunnel source loopback0
 tunnel destination x.x.x.x
!
! Router-#2
!
Interface Tunnel 100
ip address 10.0.10.2 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip access-group TUNNEL_ACL_IN in
 ip access-group TUNNEL_ACL_OUT out
 tunnel source loopback0
 tunnel destination x.x.x.x
!
!

My ACL:           Note: NETWORK_A and NETWORK_B   shouldn't make a difference

ip access-list extended TUNNEL_ACL_IN
 permit ip 10.0.10.0 255.255.255.252 10.0.10.0 255.255.255.252
 permit ip object-group NETWORK_A object-group NETWORK_B
deny ip any any log-input

ip access-list extended TUNNEL_ACL_OUT
 permit ip 10.0.10.0 255.255.255.252 10.0.10.0 255.255.255.252
 permit ip object-group NETWORK_B object-group NETWORK_A
deny ip any any log-input

1 Accepted Solution

Accepted Solutions

Steve Adams
Level 1
Level 1

I've decided to just use logging discriminator to filter out the unwanted logs.

logging discriminator DROP_BC msg-body drops d4ad.bdf0.fc7c
logging buffered discriminator DROP_BC 500000 informational
loging console discriminator DROP_BC errors
logging monitor discriminator DROP_BC informational

View solution in original post

3 Replies 3

Did you config DNS server IPin hosts via DHCP?

MHM

Hello MHM,

There is no DHCP service running on the router. Every device on the network is a STATC-IP.

I originally enable 'ip dns server' so I can run a Cisco ISE -that has dependencies for services to start correctly. The Cisco ISE is working fine.

I configured a few hosts for the Cisco ISE to work properly.

Steve Adams
Level 1
Level 1

I've decided to just use logging discriminator to filter out the unwanted logs.

logging discriminator DROP_BC msg-body drops d4ad.bdf0.fc7c
logging buffered discriminator DROP_BC 500000 informational
loging console discriminator DROP_BC errors
logging monitor discriminator DROP_BC informational

Review Cisco Networking for a $25 gift card