05-25-2021 11:35 AM - edited 05-25-2021 11:36 AM
Hi,
After having set Management ACL rules on my switch, I enabled DNS resolution to properly poll SNTP servers.
However, I noticed these warnings, received at a regular interval:
Warning %MNGINF-W-ACL: Management ACL drop packet received on interface Vlan 950 port gi9 from 23.205.178.37 to 192.168.1.2 protocol 6 service Http
Warning %MNGINF-W-ACL: Management ACL drop packet received on interface Vlan 950 port gi9 from 104.109.67.132 to 192.168.1.2 protocol 6 service Http
First I thought I had a host breaking through my firewall. However, I think it is just the return traffic after some requests sent from the SG350 without my being aware of it.
The requests are received even if all the time servers are disabled. They stop if I disable/remove the DNS server, probably making the switch incapable of resolving domain names to establish these connections.
Both the IP sources are from "akamai.com"
The interface on which the request is received is the SG350 VLAN dedicated only to internet traffic (Next Hop Router through a Transit route) without any hosts on that VLAN.
What are those services that the switch is making calls to akamai with, with return traffic on TCP port 80 of the switch?
05-25-2021 11:14 PM
what is this IP address ?
92.168.1.2
05-26-2021 02:59 AM
It is
192.168.1.2
As I wrote, that IP is the SG350 switch VLAN interface dedicated only to internet traffic (Next Hop Router through a Transit route) without any hosts on that VLAN. If I ping a www address, the request from any VLAN will be routed to 192.168.1.2 on the switch and then to the firewall
I thought the Switch was sending some requests to an akamai.com domain from that interface and I am seeing a return traffic. Else, the firewall would have blocked it !
05-26-2021 04:52 AM
Can you post the running config to confirm what is wrong.
Also please confirm: is it only your ping destination you are getting this reply back from? What IP address are you pinging, or any domain?
05-26-2021 09:19 AM - edited 05-27-2021 07:06 AM
@balaji.bandi
In my further tests, it happens as soon as I add a DNS server IP (I set it to my local DNS server 172.16.10.1). No ping or any other action was done except enabling the DNS server.
I tried it again right now. Immediately after enabling the DNS server, I get this return traffic:
Warning %MNGINF-W-ACL: Management ACL drop packet received on interface Vlan 950 port gi9 from 23.205.178.37 to 192.168.1.2 protocol 6 service Http
I tried to disable the Bonjour service, no change.
Here's the running config, with the DNS server disabled now. It was enabled with IP 172.16.10.1.
config-file-header
SG350-10P
v2.5.7.85 / RCBS3.1_930_871_059
CLI v1.0
file SSD indicator excluded
@
!
unit-type-control-start
unit-type unit 1 network gi uplink none
unit-type-control-end
!
vlan database
vlan 10,20,30-31,40,50,100,950,777
exit
voice vlan state auto-triggered
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
green-ethernet energy-detect
green-ethernet short-reach
no boot host auto-config
no boot host auto-update
no bonjour enable
bonjour interface range vlan 1
hostname SG350-10P
management access-list ManageFrom_AnyGE1
permit GigabitEthernet1
deny
exit
management access-class ManageFrom_AnyGE1
passwords complexity min-length 12
passwords aging 0
username admin password encrypted xxxxx privilege 15
ip ssh server
ip ssh pubkey-auth auto-login
crypto key pubkey-chain ssh
user-key admin rsa
key-string row xxxxx
exit
exit
ip https certificate 2
clock timezone J +1
clock summer-time web recurring eu
sntp server 172.16.10.1 poll
no sntp server pool.ntp.org
no sntp server time-a.timefreq.bldrdoc.gov
no sntp server time-b.timefreq.bldrdoc.gov
no sntp server time-c.timefreq.bldrdoc.gov
no sntp server time-pnp.cisco.com
clock dhcp timezone
sntp source-interface vlan 10
no ip domain lookup
no service cpu-utilization
!
interface vlan 1
no ip address dhcp
shutdown
!
interface vlan 10
name "VLAN 10"
ip address 172.16.10.2 255.255.255.0
!
interface vlan 20
name "VLAN 20"
ip address 172.16.20.2 255.255.255.0
!
interface vlan 30
name "VLAN 30"
ip address 172.16.30.2 255.255.255.0
!
interface vlan 31
name "VLAN 31"
ip address 172.16.31.2 255.255.255.0
!
interface vlan 40
name "VLAN 40"
ip address 172.16.40.2 255.255.255.0
!
interface vlan 50
name "VLAN 50"
ip address 172.16.50.2 255.255.255.0
!
interface vlan 100
name "VLAN 100 (Internet Only)"
ip address 172.16.100.2 255.255.255.0
!
interface vlan 950
name "VLAN 950 (Transit)"
ip address 192.168.1.2 255.255.255.252
!
interface vlan 777
name "VLAN 777 Native"
ip address 172.16.0.2 255.255.255.0
!
interface GigabitEthernet1
switchport access vlan 777
green-ethernet energy-detect
!
interface GigabitEthernet2
switchport access vlan 50
switchport general pvid 50
switchport trunk native vlan 50
green-ethernet energy-detect
!
interface GigabitEthernet3
switchport access vlan 50
switchport general pvid 50
switchport trunk native vlan 50
green-ethernet energy-detect
!
interface GigabitEthernet4
switchport mode trunk
switchport access vlan 30
switchport general pvid 30
switchport trunk native vlan none
switchport trunk allowed vlan 20,30-31,40,50,100,777
green-ethernet energy-detect
!
interface GigabitEthernet5
switchport access vlan 20
switchport general pvid 20
switchport trunk native vlan 20
green-ethernet energy-detect
!
interface GigabitEthernet6
switchport access vlan 40
switchport general pvid 40
switchport trunk native vlan 40
green-ethernet energy-detect
!
interface GigabitEthernet7
switchport mode trunk
switchport access vlan 777
switchport general pvid 777
switchport trunk native vlan none
switchport trunk allowed vlan 10,50,777
green-ethernet energy-detect
!
interface GigabitEthernet8
ip dhcp snooping trust
switchport mode trunk
switchport trunk native vlan none
switchport trunk allowed vlan 10,20,30-31,40,50,100
green-ethernet energy-detect
!
interface GigabitEthernet9
switchport access vlan 950
switchport general pvid 950
switchport trunk native vlan 950
green-ethernet energy-detect
!
interface GigabitEthernet10
ip dhcp snooping trust
switchport access vlan 777
switchport general pvid 777
switchport trunk native vlan 777
green-ethernet energy-detect
!
interface Port-Channel3
switchport access vlan 10
!
exit
ip dhcp snooping
ip dhcp snooping vlan 10
ip dhcp snooping vlan 20
ip dhcp snooping vlan 30
ip dhcp snooping vlan 31
ip dhcp snooping vlan 40
ip dhcp snooping vlan 50
ip dhcp snooping vlan 100
ip dhcp snooping vlan 777
ip default-gateway 192.168.1.1
Thank you for your help
05-27-2021 07:10 AM
I edited the running config with my new setup, no ACLs.
Still, it is the running config without the DNS server causing the offending incoming requests on the transit interface of the switch.
By the way, it is an isolated lab setup, no hosts running except some isolated VMs for debugging purposes before moving to a real environment.
Hope you can provide feedback on what kind of calls are implemented in the Cisco switches with this akamai.com traffic.
05-27-2021 07:42 AM
To be honest, it's dark for me as I have never seen this before. Worth raising an SMB TAC case to investigate for you.
05-27-2021 07:50 AM
Thank you
How can I do this "raise SMB TAC case"?
Really getting surprised, as I do not understand what service in the switch would trigger this kind of request.
05-27-2021 10:32 AM
05-28-2021 03:12 AM
What a pain
Only phone support, I guess some incompetent person will answer without understanding the issue (tired of these free non-tech support centers).
No way to open an online case without buying an additional contract, despite my system being under warranty.
Guess I will just cut internet access to the switch interfaces to avoid any built in scum home call software
05-28-2021 04:03 AM
I agree, sometimes it happens. Wait for some moderator to address your issue, or you can make an ACL in the switch or put the switch behind a FW until someone addresses it here.
05-28-2021 04:21 AM - edited 05-28-2021 04:25 AM
Hello Filomena,
When did you buy the switch? Support is free for products under service contract or warranty. Please use one of the phone numbers and open up a ticket with the STAC so one of the available engineers will further help you in solving this issue.
https://www.cisco.com/c/en/us/support/web/tsd-cisco-small-business-support-center-contacts.html
Regards,
Martin
05-28-2021 05:36 AM
The switch is still under warranty.
I enabled the DNS server on the switch again and checked the firewall for the outgoing traffic:
Denied outgoing from 192.68.1.2:49153 --> 23.205.178.37:80
There are no devices on that interface since it is only a transit route.
Some service on the switch is sending these TCP requests to akamai.com!!
Port 49153 is some media / UPnP port to advertise the device. There is clearly something fishy in the firmware advertising the switch online!
I will try the toll-free service.
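The reasoning in this thread (Management ACL drops on the transit VLAN are the return leg of connections the switch itself opened, as confirmed by the firewall's outbound deny) can be checked mechanically by correlating the two log sources. The script below is an added example, not code from the thread or from Cisco: it parses the %MNGINF-W-ACL warning format and the "Denied outgoing" firewall line format quoted above, counts drops per remote address, and marks a remote as switch-initiated when the firewall saw the switch's own interface address connecting to that remote on the port implied by the ACL's service name. The sample lines are constructed from the thread's output, the interface IP set is taken from the posted running config, and the service-to-port table is an assumption covering only the service names this thread shows.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the syslog output quoted in the thread (not live captures).
ACL_DROPS = [
    "Warning %MNGINF-W-ACL: Management ACL drop packet received on interface Vlan 950 port gi9 "
    "from 23.205.178.37 to 192.168.1.2 protocol 6 service Http",
    "Warning %MNGINF-W-ACL: Management ACL drop packet received on interface Vlan 950 port gi9 "
    "from 104.109.67.132 to 192.168.1.2 protocol 6 service Http",
    "Warning %MNGINF-W-ACL: Management ACL drop packet received on interface Vlan 950 port gi9 "
    "from 23.205.178.37 to 192.168.1.2 protocol 6 service Http",
    "Info %LINK-I-Up: gi9",  # unrelated line, must be ignored
]

# Constructed firewall lines in the "Denied outgoing" format the poster pasted.
FW_DENIES = [
    "Denied outgoing from 192.168.1.2:49153 --> 23.205.178.37:80",
]

# Addresses the switch itself owns, taken from the running config in the thread.
SWITCH_IPS = {"172.16.10.2", "172.16.20.2", "172.16.30.2", "172.16.31.2", "172.16.40.2",
              "172.16.50.2", "172.16.100.2", "192.168.1.2", "172.16.0.2"}

# Assumption: mapping of the ACL log's service name to the TCP port it stands for.
SERVICE_PORTS = {"Http": "80", "Https": "443"}

ACL_RE = re.compile(
    r"%MNGINF-W-ACL: Management ACL drop packet received on interface (?P<iface>\S+ \S+) "
    r"port (?P<port>\S+) from (?P<src>[\d.]+) to (?P<dst>[\d.]+) "
    r"protocol (?P<proto>\d+) service (?P<service>\S+)"
)
FW_RE = re.compile(r"Denied outgoing from (?P<src>[\d.]+):(?P<sport>\d+) --> (?P<dst>[\d.]+):(?P<dport>\d+)")


def parse_acl_drop(line):
    """Return the fields of one Management ACL drop warning, or None for other lines."""
    m = ACL_RE.search(line)
    return m.groupdict() if m else None


def parse_fw_deny(line):
    """Return the fields of one firewall outbound-deny line, or None for other lines."""
    m = FW_RE.search(line)
    return m.groupdict() if m else None


def summarize(acl_lines, fw_lines):
    """Count ACL drops per (remote, local, service) and flag those that match a
    connection the switch's own address was seen opening towards that remote."""
    drops = [d for d in map(parse_acl_drop, acl_lines) if d]
    denies = [d for d in map(parse_fw_deny, fw_lines) if d]
    # (remote address, remote port) pairs the switch itself tried to reach
    switch_outbound = {(d["dst"], d["dport"]) for d in denies if d["src"] in SWITCH_IPS}
    counts = Counter((d["src"], d["dst"], d["service"]) for d in drops)
    report = []
    for (remote, local, service), n in sorted(counts.items()):
        expected_port = SERVICE_PORTS.get(service)
        report.append({
            "remote": remote,
            "local": local,
            "service": service,
            "count": n,
            # True when the dropped packet is the return leg of a switch-originated connection
            "switch_initiated": (remote, expected_port) in switch_outbound,
        })
    return report


if __name__ == "__main__":
    for row in summarize(ACL_DROPS, FW_DENIES):
        origin = "return traffic of a switch-originated connection" if row["switch_initiated"] else "origin unconfirmed"
        print(f"{row['remote']} -> {row['local']} ({row['service']}) x{row['count']}: {origin}")
```

A remote flagged as switch_initiated tells you the Management ACL is doing its job on the reply packets, but the real question is which process on the switch opened the connection; that is what the firewall's outbound log (or a capture on the transit port) answers, and what the poster eventually used to confirm the direction.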