From: Brian McGahan (bmcgahan@internetworkexpert.com)
Date: Tue Nov 25 2003 - 14:17:59 GMT-3
Unfortunately no, logging a list inside a VACL is not supported:
SW1(config)#access-list 1 permit any log
SW1(config)#vlan access-map X 10
SW1(config-access-map)#match ip address 1
% Logging ACLs are not supported.
Brian McGahan, CCIE #8593
bmcgahan@internetworkexpert.com
Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987
Direct: 708-362-1418 (Outside the US and Canada)
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Jonathan V Hays
> Sent: Tuesday, November 25, 2003 6:49 AM
> To: 'Michael Snyder'; ccielab@groupstudy.com
> Subject: RE: How I fixed the network I broke.
>
> Michael,
>
> I know that I personally am usually too embarrassed to report this sort
> of thing but your posts may help many others. Thanks for having the
> courage to share - it is appreciated.
>
> Usually when I run into this kind of situation (I assume you didn't have
> the luxury of putting a sniffer on the switch beforehand) I like to add
> an ACL with a few "permit any log" statements and watch the log for a
> while. However, I wonder if this is even possible with a VLAN map? Or
> maybe I should ask, was it a VLAN map? And out of curiosity, what kind
> of switch was it?
>
> Thanks,
>
>
> Jonathan
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Michael Snyder
> Sent: Sunday, November 23, 2003 10:42 PM
> To: ccielab@groupstudy.com
> Subject: How I fixed the network I broke.
>
>
> What I broke was DHCP.
>
>
> It seems when a client doesn't have an IP address, it broadcasts to UDP
> 255.255.255.255 from UDP address 0.0.0.0 asking for an IP address.
>
> I had allowed all normal unicast traffic, but didn't think about DHCP.
>
>
> After a google search I added the following statement.
>
>
> Permit udp host 0.0.0.0 eq 68 host 255.255.255.255 eq 67
>
>
> The reason I thought of this for a GroupStudy posting is: couldn't you
> envision this on the lab?
>
> Have a good restrictive access list on an interface; then, much later in
> the lab, they say to also add DHCP to that router. I know I would just
> think easy points and move on.
>
> Just a thought.
>
>
> ----------------------------------------------------------------------
>
> I had a real world experience to share.
>
> Testing out ids, I found a lot of spoofed traffic on a clients network.
>
> I believe it was one of the newer worms out at the time. I had a tech
> tracking down the infected machines.
>
> I noticed that a lot of the traffic was neither sourced nor destined for
> the network I was on, and it wasn't on a transit network!
>
> So, I figure I can take care of that, and threw a vlan filter on the
> switch.
>
> Where a.b.c.d = client's network.
>
> Permit ip a.b.c.d 0.0.0.255 any
> Permit ip any a.b.c.d 0.0.0.255
>
> Get a call the next day. Network is broken.
>
> Can anyone guess what I broke?
>
> Continued on next email.
>
> Michael Snyder
> Lead Network Engineer
> CCDP, CCSP, MCSE NT/2000
> Revolution Computer Systems
> (270) 443-7400
>
> _______________________________________________________________________
> Please help support GroupStudy by purchasing your study materials from:
> http://shop.groupstudy.com
>
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
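Michael's filter replayed against sample packets. This is an added example, not code from any message in the thread: a small Python matcher for Cisco wildcard-mask ACL entries that models the effective VACL behaviour (first matching entry wins, anything no entry matches is dropped). The network 192.0.2.0/24 stands in for the poster's a.b.c.d, and the four packets (a local unicast flow, a spoofed flow, a DHCP DISCOVER and a DHCP OFFER) are constructed, not captured. It shows why the two-line filter drops the DISCOVER: the source 0.0.0.0 is outside the network and so is the destination 255.255.255.255, so neither permit matches. Adding the udp 68/67 entry lets it through while the spoofed flow is still dropped.

```python
"""Toy matcher for Cisco wildcard-mask ACL lines (added example, not from
the thread). 192.0.2.0/24 is a constructed stand-in for a.b.c.d."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IMPLICIT_DENY = "deny"  # no entry matched: an access-map drops the packet


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                  # "udp", "tcp", "icmp", ...
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    """One access-list entry; proto 'ip' matches any IP protocol."""
    action: str
    proto: str
    src: Tuple[int, int]        # (base address, wildcard) as 32-bit ints
    sport: Optional[int]
    dst: Tuple[int, int]
    dport: Optional[int]


def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, base: int, wild: int) -> bool:
    """Cisco wildcard semantics: a set bit in the mask means 'don't care'."""
    care = ~wild & 0xFFFFFFFF
    return (_to_int(addr) & care) == (base & care)


def _parse_addr(t: List[str], i: int):
    """Parse 'any' | 'host A' | 'A WILDCARD', then an optional 'eq PORT'."""
    if t[i] == "any":
        spec, i = (0, 0xFFFFFFFF), i + 1
    elif t[i] == "host":
        spec, i = (_to_int(t[i + 1]), 0), i + 2
    else:
        spec, i = (_to_int(t[i]), _to_int(t[i + 1])), i + 2
    port = None
    if i < len(t) and t[i] == "eq":
        port, i = int(t[i + 1]), i + 2
    return spec, port, i


def parse_ace(line: str) -> Ace:
    """Parse e.g. 'permit udp host 0.0.0.0 eq 68 host 255.255.255.255 eq 67'."""
    t = line.lower().split()
    action, proto = t[0], t[1]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action in {line!r}")
    src, sport, i = _parse_addr(t, 2)
    dst, dport, i = _parse_addr(t, i)
    if i != len(t):
        raise ValueError(f"trailing tokens in {line!r}")
    return Ace(action, proto, src, sport, dst, dport)


def ace_matches(ace: Ace, p: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != p.proto:
        return False
    if ace.sport is not None and ace.sport != p.sport:
        return False
    if ace.dport is not None and ace.dport != p.dport:
        return False
    return wildcard_match(p.src, *ace.src) and wildcard_match(p.dst, *ace.dst)


def evaluate(acl: List[str], p: Packet) -> str:
    """First matching entry wins; no match is the implicit deny."""
    for line in acl:
        ace = parse_ace(line)
        if ace_matches(ace, p):
            return ace.action
    return IMPLICIT_DENY


# The filter as first deployed, with a.b.c.d replaced by 192.0.2.0.
ORIGINAL_ACL = [
    "permit ip 192.0.2.0 0.0.0.255 any",
    "permit ip any 192.0.2.0 0.0.0.255",
]
# The fix from the thread: the client-to-server DHCP bootstrap traffic.
FIXED_ACL = ["permit udp host 0.0.0.0 eq 68 host 255.255.255.255 eq 67"] + ORIGINAL_ACL

# Constructed sample packets.
SAMPLES: Dict[str, Packet] = {
    "local_unicast": Packet("192.0.2.10", "198.51.100.5", "tcp", 51000, 443),
    "spoofed": Packet("10.9.8.7", "203.0.113.9", "tcp", 4444, 135),
    "dhcp_discover": Packet("0.0.0.0", "255.255.255.255", "udp", 68, 67),
    "dhcp_offer": Packet("192.0.2.1", "255.255.255.255", "udp", 67, 68),
}


def audit(acl: List[str]) -> Dict[str, str]:
    """Verdict per sample packet, to compare the two filters side by side."""
    return {name: evaluate(acl, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for label, acl in (("original", ORIGINAL_ACL), ("fixed", FIXED_ACL)):
        print(label, audit(acl))
```

Running it, the two verdict dictionaries differ only in `dhcp_discover`: the OFFER was already allowed because the server sources it from inside the network. The matcher models only the effective forward/drop outcome of a `vlan access-map`, not the map syntax itself, and has no notion of the `log` keyword that Brian's reply shows the switch rejecting.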
This archive was generated by hypermail 2.1.4 : Fri Dec 12 2003 - 12:29:17 GMT-3