CAT4500 RACL not Logging

bjoern.reese
Level 1

Hello,

I have a problem with logging from a Router ACL on a Catalyst 4500 WS-C4506-E (12.2(54)SG). I would like to have the ACL on a VLAN interface and log entries for denied packets from one VLAN to another out to a syslog server. Unfortunately it only logs denied multicast and packets sent directly to the router. Does anyone know why I can't see blocked packets from the subnet to another VLAN, even though the ACL works as expected in every other way?

This simple ACL for testing:

ip access-list extended test_in
 permit icmp any any
 deny ip any any log

Bound to:

interface Vlan99
 ip address 172.22.99.3 255.255.255.0
 ip access-group test_in out

only logs to syslog if I try to access 172.22.99.3 directly or if multicast packets arrive there.

%SEC-6-IPACCESSLOGP: list test_in denied udp 172.22.99.10(1314) -> 224.0.1.22(427), 1 packet

The ACL itself works well.

I had this up (with a VLAN ACL) on an old 6500 with CatOS, and it always logged anything I wanted it to.

Has anyone got a clue why this does not work the way I expect it to, or has anyone got a method to debug an access-list without proper logging?

Thanks in advance

Björn

5 Replies

Yogesh Ramdoss
Cisco Employee

Bjorn,

As I understand, the 4500 switch is not logging the %SEC-6-IPACCESSLOGP message to the buffer/console/terminal. Correct me, if I am wrong.

As you notice, the message logging level is 6 (informational).

Please make sure the buffer / terminal / console logging level is set to at least 6, or above, in your switch.

4500-4#sh logging

    Console logging: level debugging <<==
    Monitor logging: level debugging  <<==
    Buffer logging:  level debugging  <<==

Also, please be aware that Cat 4500 rate-limits the ACL logging messages ... report once in every 5 minutes.

*Apr 30 01:11:27 GMT: %SEC-6-IPACCESSLOGRP: list 150 denied TEST_ACL 10.10.0.20 -> 172.16.10.20, 4592 packets
*Apr 30 01:16:27 GMT: %SEC-6-IPACCESSLOGRP: list 150 denied TEST_ACL 10.10.0.20 -> 172.16.10.20, 4495 packets
*Apr 30 01:21:27 GMT: %SEC-6-IPACCESSLOGRP: list 150 denied TEST_ACL 10.10.0.20 -> 172.16.10.20, 4478 packets

Hope this helps.

Regards,

Yogesh
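The rate-limited summary lines above carry a packet count at the end, so a collector that merely counts log lines undercounts the denied traffic. As an added example (not from this thread or from Cisco), here is a small Python parser that reads the %SEC-6-IPACCESSLOG* lines quoted in this thread and sums the packet counts per denied flow. It assumes the message layouts shown above plus the ICMP variant (IPACCESSLOGDP, with the ICMP type/code in parentheses after the destination); it treats whatever token follows the action as the protocol field, which is where "TEST_ACL" in Yogesh's lines ends up. The ICMP line and the unrelated LINEPROTO line in the sample are constructed for the demo.

```python
"""Parse and aggregate Cisco IOS ACL log messages (%SEC-6-IPACCESSLOG*).

Added example, not code from the thread. The message formats are taken
from the lines quoted above; the last two sample lines are constructed.
"""
import re
from collections import defaultdict

# One regex for the %SEC-6-IPACCESSLOG{P,RP,DP,...} family: optional
# timestamp prefix, list name, action, protocol token, src/dst with
# optional TCP/UDP ports in parentheses, optional ICMP (type/code),
# and the trailing packet count ("1 packet" or "4592 packets").
ACL_LOG_RE = re.compile(
    r"%SEC-6-(?P<mnemonic>IPACCESSLOG\w+): "
    r"list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\S+) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?:\((?P<dport>\d+)\))?"
    r"(?: \((?P<icmp_type>\d+)/(?P<icmp_code>\d+)\))?"
    r", (?P<count>\d+) packets?"
)

SAMPLE_LOG = [
    # lines quoted in the thread
    "%SEC-6-IPACCESSLOGP: list test_in denied udp 172.22.99.10(1314) -> 224.0.1.22(427), 1 packet",
    "*Apr 30 01:11:27 GMT: %SEC-6-IPACCESSLOGRP: list 150 denied TEST_ACL 10.10.0.20 -> 172.16.10.20, 4592 packets",
    "*Apr 30 01:16:27 GMT: %SEC-6-IPACCESSLOGRP: list 150 denied TEST_ACL 10.10.0.20 -> 172.16.10.20, 4495 packets",
    "*Apr 30 01:21:27 GMT: %SEC-6-IPACCESSLOGRP: list 150 denied TEST_ACL 10.10.0.20 -> 172.16.10.20, 4478 packets",
    # constructed: ICMP variant, and an unrelated line that must be ignored
    "*Apr 30 01:22:10 GMT: %SEC-6-IPACCESSLOGDP: list 199 denied icmp 172.22.99.10 -> 172.22.100.5 (8/0), 3 packets",
    "*Apr 30 01:22:11 GMT: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan99, changed state to up",
]


def parse_acl_log(line):
    """Return a dict of fields for an ACL log line, or None for any other syslog line."""
    m = ACL_LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "icmp_type", "icmp_code", "count"):
        if rec[key] is not None:
            rec[key] = int(rec[key])
    return rec


def aggregate_denies(lines):
    """Sum the packet counts of denied flows, keyed by (acl, proto, src, dst).

    Summing the count field is what makes the 5-minute rate-limited
    summaries add up to the real number of dropped packets.
    """
    totals = defaultdict(int)
    for line in lines:
        rec = parse_acl_log(line)
        if rec is None or rec["action"] != "denied":
            continue
        totals[(rec["acl"], rec["proto"], rec["src"], rec["dst"])] += rec["count"]
    return dict(totals)


def report(lines):
    """Human-readable summary, one row per denied flow, largest first."""
    rows = sorted(aggregate_denies(lines).items(), key=lambda kv: kv[1], reverse=True)
    return [f"acl {acl:<8} {proto:<8} {src} -> {dst}: {n} packets"
            for (acl, proto, src, dst), n in rows]


if __name__ == "__main__":
    for row in report(SAMPLE_LOG):
        print(row)
```

Feed it the trap output from the syslog server (one line per list element) and the three rate-limited lines for list 150 collapse into a single flow with 13565 packets, while the unrelated LINEPROTO line is skipped.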

Dear Yogesh,

  thanks very much for the reply. The level was set to debugging as a trap to syslog-server here.

    Console logging: disabled
    Monitor logging: disabled
    Buffer logging:  disabled, xml disabled,
                     filtering disabled
    Exception Logging: size (8192 bytes)
    Count and timestamp logging messages: enabled
    Persistent logging: disabled

No active filter modules.

    Trap logging: level debugging, 195945 message lines logged
        Logging to 172.20.1.233  (udp port 514,  audit disabled,
              authentication disabled, encryption disabled, link up),
              162773 message lines logged,
              0 message lines rate-limited,
              0 message lines dropped-by-MD,
              xml disabled, sequence number disabled
              filtering disabled

For an instant debugging, I wanted to see the blocked packets in realtime for a single (test)access-list, so I disabled the rate-limiting, and set

ip access-list logging interval 1

no logging rate-limit

If I use a router ACL, I can only see packets hitting the direct IP address of the VLAN interface or some multicast packets, but not those being routed from or to another VLAN. If I send packets from host1 in vlan99 to host2 in vlan100, I don't get any message about this one being denied, but the packets are blocked.

So what would be the correct way to see any packet denied by a Router ACL bound to a VLAN interface?

I tried to set this up with a VLAN ACL, and this seems to tell me more when I enable the logging option, but even this seems not to log any packet that is denied.

Maybe the 4500 is not able to tell me more here by design?

Bjorn,

A while ago, I came across similar scenario with named ACL. If you get a chance, try the same thing with a numbered ACL, and let us know the results.

Regards,

Yogesh

Thanks, but no success here either. I tried a standard numbered ACL like

access-list 99 deny   172.22.99.0 0.0.0.255 log

bound to interface VLAN99 out.

-> No log entries at all, if I try to ping or telnet...

...an extended numbered ACL like:

access-list 199 deny   icmp any any log
access-list 199 permit ip any any

bound to interface vlan99 out

-> same results

BUT:

I didn't even get a "Packet filtered" back when trying to ping something in the VLAN.

What did help here was:

# clear arp-cache

And suddenly all went well, I got the ICMP-Message (packet filtered) back, and the entry was logged into the syslog-server.

I have no idea what the reason for this could be, but this seems to have some reason in the configuration of the switches here:

There are two switches with one BVI on each for every VLAN  and an HSRP-Address configured.

Maybe someone knows the reason for this?

to be more precise here:

  The switch seems to log only packets for hosts which don't appear in the arp cache.

If I try to reach a machine say 172.22.99.99 by Ping and have an outbound access-list denying this with logging on:

10 deny icmp any any log                                 
20 permit ip any any

No log message, no icmp-reply

If I see the arp-cache with:

#show arp

Internet  172.22.99.99            0   001c.231f.46b4  ARPA   Vlan99

and issue a

#clear arp-cache

The system begins to log and I get an

icmp_seq=240 Packet filtered as a reply

If I ping a nonexistent IP, it always gets logged and responded to properly.

maybe someone knows what this could mean?
