cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
543
Views
1
Helpful
6
Replies

Cisco Logs

kevinfowler
Level 1
Level 1

Good morning,

Here is my situation and I can't figure it out.   I just installed a Nexus 9332 dual core devices and I am UNABLE to see the information in the logs concerning a permit statement I have on the ACL.   I put log at the end of the statement and it is incrementing but when I do a show logging | incl Permit I don't see any information.   I'm trying to update my ACL's and some traffic is unknown so I'm hoping to add the correct statements into the ACL versus permit tcp any any etc,  Any ideas/suggestions on why I am not seeing the information versus a deny statement logged I see everything I need.   I could go that route but I might break something and that would be bad.  

6 Replies 6

Hello,

If I remember correctly it may only show the first packet that matches to just show it in the logs at certain intervals (maybe 5 minutes). Even then it may just be a handful of packets. In reality I don't think you want there to be a log entry every time something hits. Imagine if you permitted a ping with a log statement and I pinged the device 100 times. That's 100 unnecessary logs.

Also some platform might just log it in terms of a counter and not actually send anything to the logs but I'd have to check that.

Denies are more "serious" and should be seen vs something you permit doesnt necessarily need a log since youre permitting it. In my example below I permitted ICMP and it recognized the first packet and 5 minutes later it caught up with ALL packets. I pinged 5 times, then 100 times and then 1000 times. It just bundled up the log into less statements.

 

R1#sh log | i permit
*May 24 16:32:55.532: %SEC-6-IPACCESSLOGDP: list test permitted icmp 2.2.2.2 -> 1.1.1.1 (0/0), 1 packet
*May 24 16:38:40.257: %SEC-6-IPACCESSLOGDP: list test permitted icmp 2.2.2.2 -> 1.1.1.1 (0/0), 1114 packets
R1#

 

Also make sure logging is turned on and it registers at least level 6.

-David

Perhaps if the OP would post the first couple of lines of output from the command show log it might shed some light on the issue?

HTH

Rick

I can’t post that due to it being on a classified network. I’m literally trying to build the ACL versus putting permit in any any and permit tcp any any at the bottom of the acl since it’s highly frowned upon in the government.

Kevin

Kevin

Having worked with multiple government networks I appreciate the need to be extremely careful about what you reveal. Here are a couple of suggestions which I hope might be helpful:

- do a simple show log (without specifying any selection criteria). Look at the output for any matches of what you are looking for. And using that insight specify different selection criteria.

- do a show log with | inc where you specify a couple of octets of your network address. Use that output to refine the parameters that you use for your search. Depending on where you are using the acl you may need to account for any changes in addressing due to NAT.

HTH

Rick

Hello,

 

I also do the same thing you're doing without getting into detail working for the Gov. Here's what I've done to help with that. Keep in mind its not a fast process and I usually have to do it for cleanup and new installs.

Talk with the other branches that you need to permit IPs from such as:
Severs: Scan servers, NTP, File, DHCP, monitoring tools, print, MGMT IPs for network admin logins, etc

Build that last first. 

You could then do something like packet captures and Netflow to see what other traffic is being send on the network.

Put out a notification to your organization (if feasible) and collaborate with other teams stating your intention to lock down the network and if people notice their services stop working then you can go in and modify. There are also usually STIGs to follow and you're right about the not permitting anything. 

As I said I don't think there is an "itemized" list you can see as stuff is coming in since youre devices are processing thousands if not hundreds of thousands of packets a second so even if it were to give you the permits one by one it would crash the device.

 

-David

The problem is I’ve walked into a situation that they don’t know all the ports allowed. So I have petit ok any any and permit tcp any any in order to try and figure out what’s traversing the network and then build the ACL which is why I need to see what’s being permitted.

Kevin
Review Cisco Networking for a $25 gift card