01-30-2013 06:34 AM - edited 03-07-2019 11:24 AM
I'm going through the steps on setting up an iACL on our internet router. The first thing I'm doing is a discovery ACL. I read that the ACL should classify most of the traffic and the ip any any should have a small number of matches.
I've done a packet capture and identified most of the traffic in the ACL, but the ip any any still has by far the most matches. Any idea why the ip any any still has the most matches? What traffic would I be missing?
10 permit tcp any any eq 22 log (32 matches)
30 permit tcp any any eq www log (36927 matches)
40 permit tcp any any eq telnet log (26 matches)
50 permit icmp any any log (1516 matches)
60 permit tcp any any eq pop3 log
70 permit tcp any any eq ftp log (9 matches)
80 permit tcp any any eq smtp log (8898 matches)
90 permit tcp any any eq 443 log (15870 matches)
100 permit tcp any any eq 554 log (1 match)
110 permit tcp any any eq domain log (23 matches)
120 permit udp any any eq domain log (5158 matches)
130 permit udp any any range 1024 65535 log (178447 matches)
140 permit esp any any log (45028 matches)
150 permit gre any any log
160 permit pcp any any log
170 permit ip any any log (976176 matches)
01-30-2013 06:57 AM
Hi
This could be stuff like UDP 160-161, UDP ports 137-139, stuff like that.
01-30-2013 07:41 AM
It looks like it's TCP traffic. Is there any way to see the logs of an ACL so I can see what exactly it's logging?
01-31-2013 04:25 AM
I'd remove the ip any any rule then and add:
170 permit tcp any any log
180 permit udp any any log
for a while and check the logging to get an idea of what traffic it is.
You could issue show logging (often) to check what traffic it is, or send it all to a syslog server.
By the way, remove all other logging in this ACL except for 170 and 180.
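Once the catch-all entries log, the next step is to tally what the logged lines actually show. The following Python script is an added example, not code posted in this thread; it parses the IOS ACL log syslog formats (%SEC-6-IPACCESSLOGP for TCP/UDP, %SEC-6-IPACCESSLOGDP for ICMP, %SEC-6-IPACCESSLOGNP for other IP protocols, which are logged by protocol number) and sums the "N packets" field per destination service, so the biggest contributors to a permit ip any any or permit tcp any any entry stand out. The ACL name "101", the addresses and the log lines in SAMPLE_LOG are constructed for the example; the PROTO_NUMBERS mapping only covers a few common protocols and is an assumption about which ones a reader will want named.

```python
import re
from collections import Counter

# Regex for the IOS ACL log messages: IPACCESSLOGP (tcp/udp with ports),
# IPACCESSLOGDP (icmp with type/code) and IPACCESSLOGNP (other protocols, by number).
# The ports, the ingress-interface field that "log-input" adds, and the ICMP type/code
# only appear in some variants, so they are optional groups.
ACL_LOG = re.compile(
    r"%SEC-6-IPACCESSLOG(?:P|DP|NP): list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>\d{1,3}(?:\.\d{1,3}){3})"
    r"(?:\((?P<sport>\d+)\))?"          # source port (tcp/udp only)
    r"(?: \([^)]*\))?"                  # "(GigabitEthernet0/0 <mac>)" when log-input is used
    r" -> (?P<dst>\d{1,3}(?:\.\d{1,3}){3})"
    r"(?:\((?P<dport>\d+)\))?"          # destination port (tcp/udp only)
    r"(?: \((?P<icmp>\d+/\d+)\))?"      # icmp type/code
    r", (?P<count>\d+) packets?"
)

# Assumed mapping of a few IP protocol numbers to the names IOS uses in ACL syntax,
# so IPACCESSLOGNP lines read the same way as the ACL entries.
PROTO_NUMBERS = {"47": "gre", "50": "esp", "51": "ah"}

# Constructed sample of "show logging" output: first-packet lines followed by the
# 5-minute summary lines IOS emits for the same flows, plus one unrelated message.
SAMPLE_LOG = """\
*Jan 30 06:30:01.123: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 203.0.113.10(51234) -> 198.51.100.5(80), 1 packet
*Jan 30 06:30:02.456: %SEC-6-IPACCESSLOGP: list 101 permitted udp 203.0.113.20(53) -> 198.51.100.5(53), 1 packet
*Jan 30 06:30:05.789: %SEC-6-IPACCESSLOGDP: list 101 permitted icmp 203.0.113.30 -> 198.51.100.5 (8/0), 1 packet
*Jan 30 06:30:09.001: %SEC-6-IPACCESSLOGNP: list 101 permitted 50 203.0.113.40 -> 198.51.100.5, 1 packet
*Jan 30 06:30:12.321: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 203.0.113.50(40001) -> 198.51.100.5(8080), 1 packet
*Jan 30 06:35:01.123: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 203.0.113.10(51234) -> 198.51.100.5(80), 412 packets
*Jan 30 06:35:12.321: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 203.0.113.50(40001) -> 198.51.100.5(8080), 9 packets
*Jan 30 06:35:20.000: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.60(2222) (GigabitEthernet0/0 0000.0c12.3456) -> 198.51.100.5(23), 3 packets
*Jan 30 06:36:00.000: %SYS-5-CONFIG_I: Configured from console by admin
"""


def parse_line(line):
    """Return (acl, action, proto, service, packets) for an ACL log line, else None."""
    m = ACL_LOG.search(line)
    if not m:
        return None
    proto = PROTO_NUMBERS.get(m["proto"], m["proto"])
    if m["dport"] is not None:
        service = f"{proto}/{m['dport']}"
    elif m["icmp"] is not None:
        service = f"icmp type/code {m['icmp']}"
    else:
        service = proto
    return m["acl"], m["action"], proto, service, int(m["count"])


def summarize(lines, acl=None):
    """Sum packet counts per (action, service), optionally for one ACL only.

    The "N packets" field is summed instead of counting lines, because IOS logs the
    first matching packet at once and then only a summary line per flow every 5 minutes.
    """
    totals = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        acl_name, action, _proto, service, packets = parsed
        if acl is not None and acl_name != acl:
            continue
        totals[(action, service)] += packets
    return totals


def top_services(lines, n=5, acl=None):
    """The n busiest (action, service) pairs, largest packet count first."""
    return summarize(lines, acl).most_common(n)


if __name__ == "__main__":
    for (action, service), packets in top_services(SAMPLE_LOG.splitlines()):
        print(f"{packets:>8}  {action:<9} {service}")
```

Run it against real output by piping show logging (or the syslog server's file) into the script instead of SAMPLE_LOG. Services that show up with large totals but have no explicit ACL entry above the catch-all are the traffic the discovery ACL is missing; in the sample data that is tcp/8080.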