Re: log and log-input

From: William Chen (kwchen@netvigator.com)
Date: Sun Mar 28 2004 - 22:00:53 GMT-3


Hi,

   How about the question asked ONLY to log the packets that come from a
particular Ethernet interface, with the MAC address of the sender. Should I
use log-input in the inbound interface?

Best Regards,
William Chen

----- Original Message -----
From: "Jonathan V Hays" <jhays@jtan.com>
To: "'MMoniz'" <ccie2002@tampabay.rr.com>; "'asadovnikov'"
<asadovnikov@comcast.net>; "'Tim Fletcher'" <groupstudy@fletchmail.net>;
"'seonghui'" <seonghui@vads.com>; <ccielab@groupstudy.com>
Sent: Sunday, August 31, 2003 2:14 AM
Subject: RE: log and log-input

> You are correct. Using the 'log-input' on an inbound ACL is useless.
> Useful information is generated only when applied outbound on an
> access-list.
>
> It's time to stop talking and start configuring. <g>
>
> Perhaps following the data below will help everyone who doesn't
> understand what the 'log-input' option is useful for.
>
> ASCII diagram follows:
>
>            R4 (222.22.24.4)
>                  |
>                S1/0
>   R6-FA0/0----R7 (222.22.7.7)
>                S3/1
>                  |
>            R9 (222.22.6.9)
>
> R6#sh ip int brief
> Interface         IP-Address      OK? Method Status  Protocol
> FastEthernet0/0   222.22.7.6      YES NVRAM  up      up
> Serial1/0         222.22.100.6    YES NVRAM  up      up
> Serial3/1         222.22.6.6      YES NVRAM  up      up
> R6#
>
> CASE 1: ACL inbound on S3/1
>
> interface Serial3/1
> ip address 222.22.6.6 255.255.255.128
> ip access-group 102 in
>
> Test condition 1: R4 pings R9 (echo travels inbound R6-S1/0, outbound R6-S3/1)
> 01:45:24: %SEC-6-IPACCESSLOGDP: list 102 permitted icmp 222.22.6.9 (Serial3/1 ) -> 222.22.24.4 (0/0), 1 packet
> Test condition 2: R7 pings R9 (echo travels inbound R6-FA0/0, outbound R6-S3/1)
> 01:46:27: %SEC-6-IPACCESSLOGDP: list 102 permitted icmp 222.22.6.9 (Serial3/1 ) -> 222.22.7.7 (0/0), 1 packet
> Test condition 3: R9 pings R4 (echo travels inbound R6-S3/1, outbound R6-S1/0)
> 01:51:04: %SEC-6-IPACCESSLOGDP: list 102 permitted icmp 222.22.6.9 (Serial3/1 ) -> 222.22.24.4 (0/0), 332 packets
> Test condition 4: R9 pings R7 (echo travels inbound R6-S3/1, outbound R6-FA0/0)
> 01:52:04: %SEC-6-IPACCESSLOGDP: list 102 permitted icmp 222.22.6.9 (Serial3/1 ) -> 222.22.7.7 (0/0), 338 packets
>
> Note that the above data ONLY logs packets inbound to Serial3/1, whether
> they be the echo or echo-reply. This is not the "correct" use of the
> 'log-input' option since it does not result in useful data. We have to
> manually find out where the packet is going after it has entered
> Serial3/1. Using 'log-input' gives us no further information than 'log',
> so we may as well stick with the 'log' option on an inbound access-list.
>
>
>
> CASE 2: ACL outbound on S3/1
>
> interface Serial3/1
> ip address 222.22.6.6 255.255.255.128
> ip access-group 102 out
>
> Test condition 1: R4 pings R9
> 01:09:04: %SEC-6-IPACCESSLOGDP: list 102 permitted icmp 222.22.24.4 (Serial1/0 ) -> 222.22.6.9 (0/0), 35 packets
> Test condition 2: R7 pings R9
> 01:04:16: %SEC-6-IPACCESSLOGDP: list 102 permitted icmp 222.22.7.7 (FastEthernet0/0 0007.855b.5be0) -> 222.22.6.9 (0/0), 1 packet
> In the above 2 conditions only the echo packet is logged.
>
> Test condition 3: R9 pings R4
> 01:25:04: %SEC-6-IPACCESSLOGDP: list 102 permitted icmp 222.22.24.4 (Serial1/0 ) -> 222.22.6.9 (0/0), 168 packets
> Test condition 4: R9 pings R7
> 01:20:04: %SEC-6-IPACCESSLOGDP: list 102 permitted icmp 222.22.7.7 (FastEthernet0/0 0007.855b.5be0) -> 150.50.6.9 (0/0), 111 packets
> In the above 2 conditions only the echo-reply packet is logged.
>
> In this case we have much more interesting and useful data. The
> log-input option gives the source interface for any traffic traveling
> outbound on S3/1 so we don't have to find out. We can see the path
> through the router for every IP packet that goes out Serial3/1. If you
> have a lot of interfaces on a router this can be pretty handy. Also,
> note that 0007.855b.5be0 is not our (R6) MAC address, but R7's MAC
> address which helps us track down the individual host on a VLAN or LAN.
>
> HTH,
>
> Jonathan
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> MMoniz
> Sent: Saturday, August 30, 2003 6:48 AM
> To: asadovnikov; 'Tim Fletcher'; 'MMoniz'; 'seonghui';
> ccielab@groupstudy.com
> Subject: RE: log and log-input
>
>
> Alexei, sorry for my confusion. What I meant by "on only one interface" is
> inbound. Say I have an Internet router and have an acl with log on the
> inbound of the internet connection. To me I see no difference between log
> and log-input in this scenario.
>
>
> _______________________________________________________________________
> You are subscribed to the GroupStudy.com CCIE R&S Discussion Group.
>
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
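As an added example that is not part of this thread (my own Python, not IOS output or anything posted to the list), here is a small parser for the %SEC-6-IPACCESSLOGDP lines quoted above. It separates the fields that plain 'log' already gives (ACL, action, protocol, addresses, packet count) from the two that only 'log-input' records (ingress interface and, for LAN ingress, the sender's MAC), then totals packets per ingress interface and builds an IP-to-MAC map for hosts that entered on an Ethernet segment. Assumptions: the line layout is the one shown in Jonathan's output (ICMP entries; the parenthesised ingress fragment is present only when the ACL entry uses 'log-input', and it carries a MAC only when the ingress interface is a LAN interface). The function names, the NO_INGRESS label, and the sample lines marked "constructed" are mine; the other sample lines are copied from the CASE 2 output above.

```python
"""Parse Cisco IOS %SEC-6-IPACCESSLOGDP lines and show what 'log-input' adds.

Added example for the 'log' vs 'log-input' thread; not code from the list.
Assumed layout (as seen in the quoted output):
  ... list <acl> permitted|denied <proto> <src> [(<ingress-intf> [<mac>])] -> <dst> (<type>/<code>), N packet(s)
The [(...)] fragment is only present for entries logged with 'log-input'.
"""
import re
from collections import defaultdict
from typing import Optional

# Label used when a line carries no ingress fragment (entry used 'log' only).
NO_INGRESS = "not recorded (ACL entry uses 'log', not 'log-input')"

LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGDP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>\d{1,3}(?:\.\d{1,3}){3})"
    # Ingress interface plus optional dotted-hex MAC; serial ingress shows
    # "(Serial1/0 )" with a trailing space and no MAC, hence the " ?".
    r"(?: \((?P<ingress>[A-Za-z-]+\d[\d/.]*)"
    r"(?: (?P<src_mac>(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}))? ?\))?"
    r" -> (?P<dst>\d{1,3}(?:\.\d{1,3}){3}) "
    r"\((?P<icmp_type>\d+)/(?P<icmp_code>\d+)\), (?P<count>\d+) packets?"
)


def parse_acl_log(line: str) -> Optional[dict]:
    """Return the parsed fields of one ACL log line, or None if it does not match.

    'ingress' and 'src_mac' are None when the entry was logged with plain 'log'
    (or, for src_mac, when the ingress interface is not a LAN interface).
    """
    m = LOG_RE.search(line)  # search: tolerate the leading uptime timestamp
    if not m:
        return None
    rec = m.groupdict()
    for key in ("count", "icmp_type", "icmp_code"):
        rec[key] = int(rec[key])
    return rec


def packets_by_ingress(lines) -> dict:
    """Total logged packets per ingress interface.

    Lines without an ingress fragment are grouped under NO_INGRESS, which is
    exactly the information gap the thread describes for plain 'log'.
    """
    totals = defaultdict(int)
    for line in lines:
        rec = parse_acl_log(line)
        if rec is None:
            continue
        totals[rec["ingress"] or NO_INGRESS] += rec["count"]
    return dict(totals)


def lan_hosts(lines) -> dict:
    """Map source IP -> (ingress interface, MAC) for LAN-ingress packets."""
    hosts = {}
    for line in lines:
        rec = parse_acl_log(line)
        if rec and rec["src_mac"]:
            hosts[rec["src"]] = (rec["ingress"], rec["src_mac"])
    return hosts


# Sample input: the first three lines are copied from the CASE 2 output in the
# thread; the last two are constructed in the same format (one R7 echo-reply
# line and one line in the shape a plain 'log' entry produces).
SAMPLE_LINES = [
    "01:09:04: %SEC-6-IPACCESSLOGDP: list 102 permitted icmp 222.22.24.4 (Serial1/0 ) -> 222.22.6.9 (0/0), 35 packets",
    "01:04:16: %SEC-6-IPACCESSLOGDP: list 102 permitted icmp 222.22.7.7 (FastEthernet0/0 0007.855b.5be0) -> 222.22.6.9 (0/0), 1 packet",
    "01:25:04: %SEC-6-IPACCESSLOGDP: list 102 permitted icmp 222.22.24.4 (Serial1/0 ) -> 222.22.6.9 (0/0), 168 packets",
    # constructed
    "01:20:04: %SEC-6-IPACCESSLOGDP: list 102 permitted icmp 222.22.7.7 (FastEthernet0/0 0007.855b.5be0) -> 222.22.6.9 (0/0), 111 packets",
    # constructed: same entry logged with 'log' instead of 'log-input'
    "01:53:10: %SEC-6-IPACCESSLOGDP: list 102 permitted icmp 222.22.6.9 -> 222.22.7.7 (0/0), 1 packet",
]

if __name__ == "__main__":
    for intf, n in packets_by_ingress(SAMPLE_LINES).items():
        print(f"{n:5d} packets entered via {intf}")
    for ip, (intf, mac) in lan_hosts(SAMPLE_LINES).items():
        print(f"{ip} is {mac} on {intf}")
```

Run it on a syslog file collected from the router and the per-ingress totals tell you, without consulting the routing table, which interface each flow came in on; any count that lands under NO_INGRESS marks ACL entries that still use plain 'log'. The IP-to-MAC map is only populated for packets that entered on a LAN interface, which is the case Jonathan points out with R7's MAC 0007.855b.5be0.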



This archive was generated by hypermail 2.1.4 : Thu Apr 01 2004 - 08:15:49 GMT-3