03-13-2024 05:31 AM
I enabled ip dns server on a 4351 router, and now I am seeing a broadcast from the mac-address from every interface to the destination of 255.255.255.255(53). I see this in all the ACLs on all the other routers in my test setup.
ip dns server
I am seeing this fill my logs on remote devices, and I am looking for a way to stop it or filter it out.
%FMANFP-6-IPACCESSLOGP: F0/0: fman_fp_image: list TUNNEL_ACL_IN denied udp d4ad.bdf0.fc7c 10.0.10.1(9707) Tunnel100-> 255.255.255.255(53), 1 packet
- Is there a way to bind the DNS server on the router to only one interface on a 4300 router?
- Or is there a way to block the mac-address on every interface of the router from broadcasting to 255.255.255.255(53)?
I know this is just cosmetic, but it is filling my logs and it's a bit annoying!
!
! Router-#1
!
Interface Tunnel 100
ip address 10.0.10.1 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip access-group TUNNEL_ACL_IN in
ip access-group TUNNEL_ACL_OUT out
tunnel source loopback0
tunnel destination x.x.x.x
!
! Router-#2
!
Interface Tunnel 100
ip address 10.0.10.2 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip access-group TUNNEL_ACL_IN in
ip access-group TUNNEL_ACL_OUT out
tunnel source loopback0
tunnel destination x.x.x.x
!
!
My ACL: Note: NETWORK_A and NETWORK_B shouldn't make a difference
ip access-list extended TUNNEL_ACL_IN
! extended ACL entries take wildcard (inverse) masks: 0.0.0.3 matches the /30 tunnel subnet
permit ip 10.0.10.0 0.0.0.3 10.0.10.0 0.0.0.3
permit ip object-group NETWORK_A object-group NETWORK_B
deny ip any any log-input
ip access-list extended TUNNEL_ACL_OUT
permit ip 10.0.10.0 0.0.0.3 10.0.10.0 0.0.0.3
permit ip object-group NETWORK_B object-group NETWORK_A
deny ip any any log-input
03-14-2024 09:27 AM
I've decided to just use logging discriminator to filter out the unwanted logs.
logging discriminator DROP_BC msg-body drops d4ad.bdf0.fc7c
logging buffered discriminator DROP_BC 500000 informational
logging console discriminator DROP_BC errors
logging monitor discriminator DROP_BC informational
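As an added illustration (not the poster's configuration or any Cisco tool), the following Python script parses %FMANFP-6-IPACCESSLOGP messages like the one quoted in the thread, aggregates the denied flows by source MAC, source, destination and port so the broadcast flood stands out, and models what the `logging discriminator ... msg-body drops d4ad.bdf0.fc7c` filter does to a stream of messages. The sample log lines, the router name and the second MAC/flow are constructed for the example; the field layout follows the single line quoted above. It is useful as a check before and after applying the discriminator: because the filter keys on the MAC address, any other denied traffic carrying that MAC would also disappear from the buffer, and the per-flow summary shows whether such traffic exists.

```python
import re
from collections import Counter

# Constructed sample syslog lines, modelled on the one quoted in the thread.
# The router name, timestamps and the second (tcp) flow are made up.
SAMPLE_LOGS = [
    "Mar 13 05:30:01 R2: %FMANFP-6-IPACCESSLOGP: F0/0: fman_fp_image: list TUNNEL_ACL_IN "
    "denied udp d4ad.bdf0.fc7c 10.0.10.1(9707) Tunnel100-> 255.255.255.255(53), 1 packet",
    "Mar 13 05:30:02 R2: %FMANFP-6-IPACCESSLOGP: F0/0: fman_fp_image: list TUNNEL_ACL_IN "
    "denied udp d4ad.bdf0.fc7c 10.0.10.1(9708) Tunnel100-> 255.255.255.255(53), 1 packet",
    "Mar 13 05:30:05 R2: %FMANFP-6-IPACCESSLOGP: F0/0: fman_fp_image: list TUNNEL_ACL_IN "
    "denied tcp 0011.2233.4455 10.0.10.1(40001) Tunnel100-> 192.0.2.10(22), 1 packet",
    "Mar 13 05:30:06 R2: %SYS-5-CONFIG_I: Configured from console by admin on vty0",
]

# Same regex string the thread uses in its discriminator; '.' matches any character,
# which still matches the literal dots of the MAC address.
DISCRIMINATOR_REGEX = "d4ad.bdf0.fc7c"

# Field layout taken from the quoted IPACCESSLOGP line:
#   list <acl> <action> <proto> <mac> <src>(<sport>) <iface>-> <dst>(<dport>), <n> packet(s)
LOG_RE = re.compile(
    r"%FMANFP-6-IPACCESSLOGP: .*list (?P<acl>\S+) (?P<action>denied|permitted) "
    r"(?P<proto>\S+) (?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) "
    r"(?P<src>\S+)\((?P<sport>\d+)\) (?P<iface>\S+?)-> "
    r"(?P<dst>\S+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)


def parse_acl_log(line):
    """Return a dict of the ACL log fields, or None for messages of another type."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "count"):
        rec[key] = int(rec[key])
    return rec


def is_dns_broadcast_noise(rec):
    """True for the flow described in the thread: UDP to 255.255.255.255 port 53."""
    return (
        rec is not None
        and rec["proto"] == "udp"
        and rec["dst"] == "255.255.255.255"
        and rec["dport"] == 53
    )


def summarize_denies(lines):
    """Aggregate denied packets per (mac, src, dst, proto, dport) so the flood is obvious
    and any other denied traffic hiding behind the same MAC is visible too."""
    totals = Counter()
    for line in lines:
        rec = parse_acl_log(line)
        if rec and rec["action"] == "denied":
            totals[(rec["mac"], rec["src"], rec["dst"], rec["proto"], rec["dport"])] += rec["count"]
    return totals


def apply_discriminator(lines, drop_regex):
    """Model 'logging discriminator NAME msg-body drops REGEX': a message whose
    body matches the regex is not logged; everything else passes through."""
    pattern = re.compile(drop_regex)
    return [line for line in lines if not pattern.search(line)]


if __name__ == "__main__":
    for flow, packets in summarize_denies(SAMPLE_LOGS).most_common():
        mac, src, dst, proto, dport = flow
        tag = "  <- DNS broadcast noise" if dst == "255.255.255.255" and dport == 53 else ""
        print(f"{packets:5d}  {proto:4s} {mac} {src} -> {dst}:{dport}{tag}")
    kept = apply_discriminator(SAMPLE_LOGS, DISCRIMINATOR_REGEX)
    print(f"{len(SAMPLE_LOGS) - len(kept)} of {len(SAMPLE_LOGS)} messages dropped by discriminator")
```

Run it against a file of buffered log lines instead of SAMPLE_LOGS to see which flows the ACL is really denying; if the summary shows only the udp/53 broadcast for that MAC, the discriminator suppresses nothing else of interest.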
03-13-2024 07:00 AM
Did you configure the DNS server IP in hosts via DHCP?
MHM
03-13-2024 07:07 AM
Hello MHM,
There is no DHCP service running on the router. Every device on the network has a static IP.
I originally enabled 'ip dns server' so I can run a Cisco ISE that has dependencies for services to start correctly. The Cisco ISE is working fine.
I configured a few hosts for the Cisco ISE to work properly.