iACL on internet router

Matt Roberts (Level 1)

I'm going through the steps on setting up an iACL on our internet router. The first thing I'm doing is a discovery ACL. I read that the ACL should classify most of the traffic and the ip any any should have a small number of matches.

I've done a packet capture and identified most of the traffic in the ACL but the ip any any still by far has the most matches. Any idea why the ip any any has the most matches still? What traffic would I be missing?

    10 permit tcp any any eq 22 log (32 matches)
    30 permit tcp any any eq www log (36927 matches)
    40 permit tcp any any eq telnet log (26 matches)
    50 permit icmp any any log (1516 matches)
    60 permit tcp any any eq pop3 log
    70 permit tcp any any eq ftp log (9 matches)
    80 permit tcp any any eq smtp log (8898 matches)
    90 permit tcp any any eq 443 log (15870 matches)
    100 permit tcp any any eq 554 log (1 match)
    110 permit tcp any any eq domain log (23 matches)
    120 permit udp any any eq domain log (5158 matches)
    130 permit udp any any range 1024 65535 log (178447 matches)
    140 permit esp any any log (45028 matches)
    150 permit gre any any log
    160 permit pcp any any log
    170 permit ip any any log (976176 matches)

3 Replies

Ton V Engelen (Level 3)

Hi

This could be stuff like UDP 160-161, UDP ports 137-139, stuff like that.

It looks like it's TCP traffic. Is there any way to see the logs of an ACL so I can see what exactly it's logging?

I'd remove the ip any any rule then and add:

170 permit tcp any any log

180 permit udp any any log

for a while and check the logging to get an idea what traffic it is.

You could issue the show logging (often) to check what traffic it is or send it all to a syslog server.

Btw, remove all other logging in this ACL except for 170 and 180.
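As an added example (not from anyone in this thread), a small Python script that does both things discussed above: it reads the match counters pasted in the question to report what share of all matches fell through to the ip any any entry, and it tallies the IOS IPACCESSLOG syslog messages Ton suggests collecting, keeping only the flows that no explicit (non-ip) entry would have classified, by protocol and destination port. The log lines, the list number 101 and the addresses are constructed samples; the parser assumes any/any entries like the posted ACL, and the port-name table only covers the names that ACL uses.

```python
import re
from collections import Counter

# One ACE as pasted from "show access-list" (any/any entries, as in the ACL above)
ACE_RE = re.compile(r"^\s*(\d+)\s+permit\s+(\S+)\s+any\s+any(?:\s+eq\s+(\S+)|\s+range\s+(\d+)\s+(\d+))?"
                    r".*?(?:\((\d+) match(?:es)?\))?\s*$")
# IOS ACL log message: IPACCESSLOGP (tcp/udp, with ports) or IPACCESSLOGDP (icmp, type/code instead)
LOG_RE = re.compile(r"%SEC-6-IPACCESSLOG\w+: list \S+ permitted (\w+) "
                    r"[\d.]+(?:\((\d+)\))? -> [\d.]+(?:\((\d+)\))?.*?, (\d+) packets?")
PORT_NAMES = {"www": 80, "telnet": 23, "pop3": 110, "ftp": 21, "smtp": 25, "domain": 53}

def parse_aces(show_output):
    """Return [(seq, proto, low_port, high_port, matches)]; ports are None when there is no port test."""
    aces = []
    for m in filter(None, map(ACE_RE.match, show_output.splitlines())):
        seq, proto, eq, lo, hi, hits = m.groups()
        if eq:  # "eq www" -> 80..80, "eq 22" -> 22..22
            lo = hi = PORT_NAMES.get(eq, eq)
        aces.append((int(seq), proto, int(lo) if lo else None, int(hi) if hi else None, int(hits or 0)))
    return aces

def catch_all_share(aces):
    """Percentage of all counted matches that fell through to the 'ip any any' entry."""
    total = sum(a[4] for a in aces)
    return round(100.0 * sum(a[4] for a in aces if a[1] == "ip") / total, 1) if total else 0.0

def unclassified(log_lines, aces):
    """Tally (proto, dport) -> packets for logged flows that no explicit (non-'ip') entry covers."""
    found = Counter()
    for m in filter(None, map(LOG_RE.search, log_lines)):
        proto, _sport, dport, count = m.groups()
        dport = int(dport) if dport else None
        if not any(p == proto and (lo is None or (dport is not None and lo <= dport <= hi))
                   for _s, p, lo, hi, _h in aces):
            found[(proto, dport)] += int(count)
    return found

# Constructed sample data: four counters from the ACL posted above and four made-up log messages.
SHOW_OUTPUT = """\
30 permit tcp any any eq www log (36927 matches)
50 permit icmp any any log (1516 matches)
130 permit udp any any range 1024 65535 log (178447 matches)
170 permit ip any any log (976176 matches)
"""
SYSLOG = [
    "%SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.0.2.10(49152) -> 198.51.100.5(80), 1 packet",
    "%SEC-6-IPACCESSLOGP: list 101 permitted tcp 198.51.100.5(80) -> 192.0.2.10(49152), 12 packets",
    "%SEC-6-IPACCESSLOGP: list 101 permitted udp 192.0.2.10(137) -> 198.51.100.5(137), 4 packets",
    "%SEC-6-IPACCESSLOGDP: list 101 permitted icmp 192.0.2.10 -> 198.51.100.5 (8/0), 1 packet",
]
```

Call `unclassified(SYSLOG, parse_aces(SHOW_OUTPUT)).most_common()` on a real syslog export to see which protocol/port pairs are filling the catch-all; with the sample data the TCP reply traffic to port 49152 and UDP 137 are the flows no explicit entry covers.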
