From: Jonathan V Hays (jhays@jtan.com)
Date: Sat Aug 30 2003 - 15:14:22 GMT-3
You are correct. Using the 'log-input' on an inbound ACL is useless.
Useful information is generated only when applied outbound on an
access-list.
It's time to stop talking and start configuring. <g>
Perhaps following the data below will help everyone who doesn't
understand what the 'log-input' option is useful for.
ASCII diagram follows:
R4 (222.22.24.4)
|
S1/0
R6-FA0/0----R7 (222.22.7.7)
S3/1
|
R9 (222.22.6.9)
R6#sh ip int brief
Interface        IP-Address      OK? Method Status   Protocol
FastEthernet0/0  222.22.7.6      YES NVRAM  up       up
Serial1/0        222.22.100.6    YES NVRAM  up       up
Serial3/1        222.22.6.6      YES NVRAM  up       up
R6#
CASE 1: ACL inbound on S3/1

interface Serial3/1
 ip address 222.22.6.6 255.255.255.128
 ip access-group 102 in

Test condition 1: R4 pings R9 (echo travels inbound R6-S1/0, outbound R6-S3/1)
01:45:24: %SEC-6-IPACCESSLOGDP: list 102 permitted icmp 222.22.6.9 (Serial3/1 ) -> 222.22.24.4 (0/0), 1 packet

Test condition 2: R7 pings R9 (echo travels inbound R6-FA0/0, outbound R6-S3/1)
01:46:27: %SEC-6-IPACCESSLOGDP: list 102 permitted icmp 222.22.6.9 (Serial3/1 ) -> 222.22.7.7 (0/0), 1 packet

Test condition 3: R9 pings R4 (echo travels inbound R6-S3/1, outbound R6-S1/0)
01:51:04: %SEC-6-IPACCESSLOGDP: list 102 permitted icmp 222.22.6.9 (Serial3/1 ) -> 222.22.24.4 (0/0), 332 packets

Test condition 4: R9 pings R7 (echo travels inbound R6-S3/1, outbound R6-FA0/0)
01:52:04: %SEC-6-IPACCESSLOGDP: list 102 permitted icmp 222.22.6.9 (Serial3/1 ) -> 222.22.7.7 (0/0), 338 packets
Note that the above data ONLY logs packets inbound to Serial3/1, whether
they be the echo or echo-reply. This is not the "correct" use of the
'log-input' option since it does not result in useful data. We have to
manually find out where the packet is going after it has entered
Serial3/1. Using 'log-input' gives us no further information than 'log',
so we may as well stick with the 'log' option on an inbound access-list.
CASE 2: ACL outbound on S3/1

interface Serial3/1
 ip address 222.22.6.6 255.255.255.128
 ip access-group 102 out

Test condition 1: R4 pings R9
01:09:04: %SEC-6-IPACCESSLOGDP: list 102 permitted icmp 222.22.24.4 (Serial1/0 ) -> 222.22.6.9 (0/0), 35 packets

Test condition 2: R7 pings R9
01:04:16: %SEC-6-IPACCESSLOGDP: list 102 permitted icmp 222.22.7.7 (FastEthernet0/0 0007.855b.5be0) -> 222.22.6.9 (0/0), 1 packet

In the above 2 conditions only the echo packet is logged.

Test condition 3: R9 pings R4
01:25:04: %SEC-6-IPACCESSLOGDP: list 102 permitted icmp 222.22.24.4 (Serial1/0 ) -> 222.22.6.9 (0/0), 168 packets

Test condition 4: R9 pings R7
01:20:04: %SEC-6-IPACCESSLOGDP: list 102 permitted icmp 222.22.7.7 (FastEthernet0/0 0007.855b.5be0) -> 150.50.6.9 (0/0), 111 packets

In the above 2 conditions only the echo-reply packet is logged.
In this case we have much more interesting and useful data. The
log-input option gives the source interface for any traffic traveling
outbound on S3/1 so we don't have to find out. We can see the path
through the router for every IP packet that goes out Serial3/1. If you
have a lot of interfaces on a router this can be pretty handy. Also,
note that 0007.855b.5be0 is not our (R6) MAC address, but R7's MAC
address which helps us track down the individual host on a VLAN or LAN.
HTH,
Jonathan
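The following parser is an added example and is not part of Jonathan's post or of any Cisco tooling. It reads %SEC-6-IPACCESSLOGDP lines of the two shapes seen above (with the "(ingress-interface [source-mac])" field that 'log-input' adds, and without it as plain 'log' produces) and reports, for an ACL applied to a given interface, whether the logged ingress interface tells you anything 'log' alone would not. The sample lines are copied from the post's output plus one constructed plain-'log' line; the function names and the assumption that an inbound ACL always logs its own interface as ingress are this example's, not the post's.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample input. The first four lines are copied from the log
# excerpts in the post (rejoined onto single lines); the fifth is a
# constructed line in the shape a plain 'log' keyword produces, with no
# ingress interface, included for comparison.
SAMPLE_LOG = """\
01:45:24: %SEC-6-IPACCESSLOGDP: list 102 permitted icmp 222.22.6.9 (Serial3/1 ) -> 222.22.24.4 (0/0), 1 packet
01:51:04: %SEC-6-IPACCESSLOGDP: list 102 permitted icmp 222.22.6.9 (Serial3/1 ) -> 222.22.24.4 (0/0), 332 packets
01:09:04: %SEC-6-IPACCESSLOGDP: list 102 permitted icmp 222.22.24.4 (Serial1/0 ) -> 222.22.6.9 (0/0), 35 packets
01:04:16: %SEC-6-IPACCESSLOGDP: list 102 permitted icmp 222.22.7.7 (FastEthernet0/0 0007.855b.5be0) -> 222.22.6.9 (0/0), 1 packet
01:30:00: %SEC-6-IPACCESSLOGDP: list 102 permitted icmp 222.22.7.7 -> 222.22.6.9 (0/0), 4 packets
"""

# One regex for both message shapes: with 'log-input' the source address is
# followed by "(<ingress-interface> [<source-mac>])"; with plain 'log' it is not.
LINE_RE = re.compile(
    r"^(?P<ts>\S+): %SEC-6-IPACCESSLOGDP: list (?P<acl>\S+) "
    r"(?P<action>permitted|denied) (?P<proto>\S+) (?P<src>\S+)"
    r"(?: \((?P<ingress>\S+) ?(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})?\))?"
    r" -> (?P<dst>\S+) \((?P<type>\d+)/(?P<code>\d+)\), (?P<count>\d+) packets?$"
)


@dataclass
class AclLogEntry:
    timestamp: str
    acl: str
    action: str
    proto: str
    src: str
    dst: str
    icmp_type: int
    icmp_code: int
    packets: int
    ingress_if: Optional[str]   # present only with 'log-input'
    src_mac: Optional[str]      # present only when the ingress interface is a LAN


def parse_line(line: str) -> Optional[AclLogEntry]:
    """Parse one IPACCESSLOGDP line; return None for lines in any other format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return AclLogEntry(
        timestamp=m["ts"], acl=m["acl"], action=m["action"], proto=m["proto"],
        src=m["src"], dst=m["dst"], icmp_type=int(m["type"]),
        icmp_code=int(m["code"]), packets=int(m["count"]),
        ingress_if=m["ingress"], src_mac=m["mac"],
    )


def parse_log(text: str) -> List[AclLogEntry]:
    """Parse every recognised line in a block of syslog output, skipping the rest."""
    entries = []
    for line in text.splitlines():
        e = parse_line(line)
        if e is not None:
            entries.append(e)
    return entries


def extra_ingress_info(entry: AclLogEntry, acl_interface: str) -> Optional[str]:
    """Return the ingress interface if 'log-input' revealed something 'log' would not.

    Assumption (as in the post): on an inbound ACL the logged ingress interface
    is always the interface the ACL is applied to, so it adds no information.
    On an outbound ACL it is the interface the packet entered on, i.e. the path
    through the router.
    """
    if entry.ingress_if is None or entry.ingress_if == acl_interface:
        return None
    return entry.ingress_if


def path_table(entries: List[AclLogEntry],
               acl_interface: str) -> Dict[Tuple[str, str], Optional[str]]:
    """Map each (src, dst) pair to the ingress interface 'log-input' exposed, or None."""
    return {(e.src, e.dst): extra_ingress_info(e, acl_interface) for e in entries}


if __name__ == "__main__":
    # Walk the sample and show which lines carried path information.
    for e in parse_log(SAMPLE_LOG):
        print(f"{e.src:>13} -> {e.dst:<13} via {e.ingress_if or '(no log-input)':<16} "
              f"mac={e.src_mac or '-':<14} {e.packets} pkt")
```

Run against the ACL interface "Serial3/1": the Case 1 lines return None from extra_ingress_info (the ingress is the ACL's own interface, so 'log' would have done as well), the Case 2 lines return Serial1/0 or FastEthernet0/0, and the FastEthernet entry also carries the neighbour's MAC, which is what lets you pin down a host on the LAN.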
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
MMoniz
Sent: Saturday, August 30, 2003 6:48 AM
To: asadovnikov; 'Tim Fletcher'; 'MMoniz'; 'seonghui';
ccielab@groupstudy.com
Subject: RE: log and log-input
Alexei, sorry for my confusion. What I meant by on only one interface is
inbound. Say I have an Internet router and have an acl with log on the
inbound of the internet connection. To me I see no difference between log
and log-input in this scenario.
This archive was generated by hypermail 2.1.4 : Tue Sep 02 2003 - 18:54:11 GMT-3