06-25-2008 07:42 PM - edited 03-05-2019 11:49 PM
Need to check with your guys.
Recently, I applied one ACL statement to prevent one server from establishing RDC (3389) to another server within the same VLAN.
It works pretty well. I tried it on two switches with different IOS versions:
1. Core Switch (s72033_rp Software (s72033_rp-IPSERVICES_WAN-M), Version 12.2(18)SXF7);
2. Access Switch (Catalyst 4500 L3 Switch Software, Version 12.2(31)SGA).
The problem occurred when I added the keyword "log" behind the statement on the Core Switch. It somehow let the RDC establish the connection. If I removed the keyword "log", it followed the ACL statement.
Below is the configuration for each switch:
Core Switch:
#
ip access-list extended testing
deny tcp host 10.30.100.33 host 10.30.100.36 eq 3389 log
permit ip any any
int gig7/8
ip access-group testing in
#
Access Switch:
#
ip access-list extended testing
deny tcp host 10.10.101.23 host 10.10.101.28 eq 3389 log
permit ip any any
int gig4/42
ip access-group testing in
#
I can find the log as below:
003267: Jun 26 11:25:07 SGT: %SEC-6-IPACCESSLOGP: list testing denied tcp 10.10.101.23(2196) -> 10.10.101.28(3389), 1 packet
Could somebody help to explain it? Is it a bug?
Thanks.
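As an added example that is not part of the original post, the following Python script replays the two ACLs quoted above as a first-match evaluator and checks the quoted %SEC-6-IPACCESSLOGP line against them. This is a way to confirm, offline, what the configured policy should do for the RDP flow (and for the reverse direction and other ports) before suspecting the switch. The ACL text is a constructed copy of the thread's configuration; the parser is an assumption of this example and only understands the "host", "any" and contiguous wildcard address forms with an optional destination "eq" port, which is all the posted ACLs use.

```python
import ipaddress
import re

# Constructed copies of the ACLs posted in the thread (not device output).
CORE_ACL = """\
ip access-list extended testing
 deny tcp host 10.30.100.33 host 10.30.100.36 eq 3389 log
 permit ip any any
"""

ACCESS_ACL = """\
ip access-list extended testing
 deny tcp host 10.10.101.23 host 10.10.101.28 eq 3389 log
 permit ip any any
"""

# Syslog line quoted in the original post.
LOG_LINE = ("003267: Jun 26 11:25:07 SGT: %SEC-6-IPACCESSLOGP: list testing denied tcp "
            "10.10.101.23(2196) -> 10.10.101.28(3389), 1 packet")


def _parse_addr(tokens, i):
    """Consume one address spec at tokens[i]; return (ip_network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # "address wildcard" form; only contiguous wildcard masks are handled here.
    wc = int(ipaddress.IPv4Address(tokens[i + 1]))
    if wc & (wc + 1):
        raise ValueError("non-contiguous wildcard mask not supported: " + tokens[i + 1])
    return ipaddress.ip_network(f"{tokens[i]}/{32 - wc.bit_length()}", strict=False), i + 2


def parse_acl(text):
    """Parse an 'ip access-list extended' block into an ordered list of ACE dicts.

    Assumption of this example: only a destination-side 'eq <port>' is recognised.
    """
    aces = []
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] == "ip":  # skip the access-list header line
            continue
        action, proto = tokens[0], tokens[1]
        src, i = _parse_addr(tokens, 2)
        dst, i = _parse_addr(tokens, i)
        dport = None
        if i < len(tokens) and tokens[i] == "eq":
            dport, i = int(tokens[i + 1]), i + 2
        log = i < len(tokens) and tokens[i] == "log"
        aces.append({"action": action, "proto": proto, "src": src, "dst": dst,
                     "dport": dport, "log": log, "text": raw.strip()})
    return aces


def evaluate(aces, proto, src_ip, dst_ip, dport):
    """First-match evaluation in ACE order, with the implicit deny at the end."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in aces:
        if ace["proto"] not in ("ip", proto):
            continue
        if src not in ace["src"] or dst not in ace["dst"]:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace
    return {"action": "deny", "log": False, "text": "implicit deny"}


LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>denied|permitted) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?")


def parse_log(line):
    """Extract the flow fields from an IPACCESSLOGP syslog line; None if it is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    entry = m.groupdict()
    for key in ("sport", "dport", "count"):
        entry[key] = int(entry[key])
    return entry


def log_matches_acl(aces, entry):
    """True when the ACE chosen for the logged flow is a logging ACE with the logged action."""
    ace = evaluate(aces, entry["proto"], entry["src"], entry["dst"], entry["dport"])
    expected = "denied" if ace["action"] == "deny" else "permitted"
    return ace["log"] and expected == entry["action"]


if __name__ == "__main__":
    for name, text, s, d in (("core", CORE_ACL, "10.30.100.33", "10.30.100.36"),
                             ("access", ACCESS_ACL, "10.10.101.23", "10.10.101.28")):
        aces = parse_acl(text)
        hit = evaluate(aces, "tcp", s, d, 3389)
        print(f"{name}: {s}->{d}:3389 matches '{hit['text']}' (log={hit['log']})")
        # The reverse direction is not covered by the deny, so a return path is permitted.
        print(f"{name}: {d}->{s}:3389 matches '{evaluate(aces, 'tcp', d, s, 3389)['text']}'")
    entry = parse_log(LOG_LINE)
    print("log line consistent with access-switch ACL:", log_matches_acl(parse_acl(ACCESS_ACL), entry))
```

Running it shows that both ACLs deny the 3389 flow on the first, logging ACE, and that the quoted syslog line is exactly what that ACE on the access switch should produce. A core switch that passes the same flow while its ACE is configured identically, and emits no such line, is therefore behaving differently from its own policy, which is the observation the thread is trying to explain.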
06-25-2008 11:01 PM
As the ACL log option just logs packets matching any of the rules in the ACL, I don't think there is any problem with your configuration.
There should be two possibilities...
1. You might have multiple paths to reach the server and be establishing connectivity successfully over another path.
2. The bug suspected by you.
Did you see any log entry on the core switch at exactly the same time when you tried to reach the server successfully with the ACL log option? You can try a conditional debug with "debug ip packet list
Regards...
-Ashok.
06-25-2008 11:56 PM
Hi Ashok,
This is quite weird. As long as I removed the keyword "log" from my ACL statement, I am able to RDC.
It never showed any log entry on the core switch. Strange!