Re: FW: show logg

From: Jens Petter Eikeland (jenseike@start.no)
Date: Thu Feb 23 2006 - 02:52:24 GMT-3


I am getting these logs (with 0.0.0.0) quite often, and also on other
access-lists, and yes, they are accumulating... Since this is a standard ACL,
should it not really be ===>SEC-6-IPACCESSLOGS - Standard access-list entry
without any protocol??? and not SEC-6-IPACCESSLOGNP - IP and any other
remaining protocols???.. Therefore, this did not tell me that much really...

jens

----- Original Message -----
From: "Mark Lasarko" <mlasarko@co.ba.md.us>
To: <ccielab@groupstudy.com>; <ccie2be@nyc.rr.com>; <jenseike@start.no>
Sent: Wednesday, February 22, 2006 7:13 PM
Subject: Re: FW: show logg

>I conspicuously agree with the "strangeness" :-)
> How often do you get hits on the ACL? / Are they accumulating?
> Is there a possible timing clue to be found here?
>
> "IPACCESSLOGNP" = IP / other protocols (not TCP, UDP, or ICMP)
> I break out Ethereal/Sniffer with an appropriate filter to know for sure.
>
> ~M
>
>
>
>>>> "Jens Petter Eikeland" <jenseike@start.no> 02/22/06 12:49 PM >>>
>
> Not sure if I mentioned this, but there is not any statement where I
> permit or deny from or to any in this ACL... That was my initial thought
> also, but I have reconsidered since there is no "any" statement... That is
> why I thought this was so strange
> ----- Original Message -----
> From: "Mark Lasarko" <mlasarko@co.ba.md.us>
> To: <ccielab@groupstudy.com>; <ccie2be@nyc.rr.com>
> Sent: Thursday, February 16, 2006 4:43 AM
> Subject: RE: FW: show logg
>
>
>> How did I find that out?
>> ...I just asked the question :-)
>> I picked up the phone and called TAC.
>> Figured it could not hurt and I was curious!
>> Especially after seeing what Ian referred to.
>> (About a dozen times, posted again and again)
>> One of the most vague descriptions of all time?
>>
>> BTW - I am guessing "any" as listed in my earlier reply,
>> but the part that interested me more was
>> the "0" in front of "0.0.0.0"
>> Anyone?
>> JP??
>> ~M
>>
>>
>>>>> "Tim" <ccie2be@nyc.rr.com> 02/15/06 6:28 PM >>>
>> Mark,
>>
>> That's great stuff to know but having read Ian Strong's post, how did you
>> find that out?
>>
>> Tim
>>
>> -----Original Message-----
>> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Mark Lasarko
>> Sent: Wednesday, February 15, 2006 12:19 PM
>> To: ccielab@groupstudy.com
>> Subject: RE: FW: show logg
>>
>> FYI: (Answering my own question, if anyone was curious?)
>>
>> SEC-6-IPACCESSLOGP - TCP and UDP
>> SEC-6-IPACCESSLOGNP - IP and any other remaining protocols
>> SEC-6-IPACCESSLOGDP - ICMP
>> SEC-6-IPACCESSLOGS - Standard access-list entry without any protocol
>> SEC-6-IPACCESSLOGRP - GRE, IGMP, OSPF, IGRP, NOSIP, NEWIGRP, IPINIP, PIM
>>
>> JP - Can you share any other details?
>> Perhaps a 'sh ip access-list' or additional 'sh log' from ACL91?
>> The "NP" indicates "IP and any other remaining protocols";
>> Non-specific - access-list 91 permit any log?
>> Curious now!
>> ~M
>>
>>
>>
>> That and...
>> If anybody can elaborate on the mnemonic(s):
>>
>> IPACCESSLOGDP
>> vs
>> IPACCESSLOGNP
>> vs
>> IPACCESSLOGP
>> vs
>> IPACCESSLOGRP
>> vs
>> IPACCESSLOGS
>>
>> I am a bit curious about that part myself.
>> (Aside from "A packet matching the log criteria for the given access list
>> has been detected")
>>
>> ~M
>>
>>>>> "Jens Petter Eikeland" <jenseike@start.no> 02/15/06 9:53 AM >>>
>>
>> Yes, I know that it is matching a specific access-list, that was really
>> clear... What I was wondering about is the "0.0.0.0" output in the line.. What
>> does that mean.. I just wanted to make sure this is nothing I need to be
>> aware of
>>
>> jp
>>
>> -----Original Message-----
>> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
>> Venkatesh Palani
>> Sent: 15. februar 2006 15:35
>> To: Jens Petter Eikeland
>> Cc: ccielab@groupstudy.com
>> Subject: Re: FW: show logg
>>
>> *from O/p Interpreter*
>> *ERROR MESSAGE NOTIFICATIONS (if any)*
>>
>> *%SEC-6-IPACCESSLOGNP (x1)*: list [chars] [chars] [dec] [IP_address] [chars]-> [IP_address], [dec] packet[chars]
>>
>> *Explanation:* A packet matching the log criteria for the given access
>> list has been detected.
>>
>> *Recommended Action:* No action is required.
>>
>> HTH,
>> Venkatesh
>>
>>
>>
>>
>> On 2/16/06, Jens Petter Eikeland <jenseike@start.no> wrote:
>>>
>>> What does this log output mean ?
>>>
>>> 40w5d: %SEC-6-IPACCESSLOGNP: list 91 permitted 0 0.0.0.0 -> 150.100.1.1, 250 packets
>>>
>>> _______________________________________________________________________
>>> Subscription information may be found at:
>>> http://www.groupstudy.com/list/CCIELab.html



This archive was generated by hypermail 2.1.4 : Wed Mar 01 2006 - 11:28:18 GMT-3
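
Added example (not part of the original thread and not Cisco code): a Python parser that maps the SEC-6-IPACCESSLOG* mnemonics listed in the thread to their protocol classes and parses IPACCESSLOGNP lines using the message template quoted from the Output Interpreter, totalling packets per flow and flagging 0.0.0.0 sources for follow-up with a packet capture. The function names are hypothetical, and every sample line except the first is constructed.

```python
import re

# Mnemonic -> protocol class, exactly as listed in the thread.
MNEMONICS = {
    "IPACCESSLOGP": "TCP and UDP",
    "IPACCESSLOGNP": "IP and any other remaining protocols",
    "IPACCESSLOGDP": "ICMP",
    "IPACCESSLOGS": "Standard access-list entry without any protocol",
    "IPACCESSLOGRP": "GRE, IGMP, OSPF, IGRP, NOSIP, NEWIGRP, IPINIP, PIM",
}
SEC6 = re.compile(r"%SEC-6-(IPACCESSLOG[A-Z]+):")
# Built from the quoted NP template:
#   list [chars] [chars] [dec] [IP_address] [chars]-> [IP_address], [dec] packet[chars]
# The template names the number before the source only "[dec]"; it is kept raw.
NP_LINE = re.compile(
    r"%SEC-6-IPACCESSLOGNP: list (?P<acl>\S+) (?P<action>\S+) (?P<dec>\d+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+) ?(?P<extra>\S*?)-> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+), (?P<count>\d+) packets?"
)

def classify(line):
    """Return (mnemonic, protocol class) for a %SEC-6-IPACCESSLOG* line, else None."""
    m = SEC6.search(line)
    return (m.group(1), MNEMONICS.get(m.group(1), "unknown mnemonic")) if m else None

def parse_np(line):
    """Parse one IPACCESSLOGNP line into a dict; None for any other line."""
    m = NP_LINE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dec"], rec["count"] = int(rec["dec"]), int(rec["count"])
    return rec

def summarize(lines):
    """Total packets per (acl, action, dec, src, dst); flag unspecified sources."""
    totals = {}
    for rec in filter(None, map(parse_np, lines)):
        key = (rec["acl"], rec["action"], rec["dec"], rec["src"], rec["dst"])
        totals[key] = totals.get(key, 0) + rec["count"]
    return [{"key": k, "packets": n, "unspecified_src": k[3] == "0.0.0.0"}
            for k, n in sorted(totals.items())]

SAMPLE = [
    # Line quoted in the thread:
    "40w5d: %SEC-6-IPACCESSLOGNP: list 91 permitted 0 0.0.0.0 -> 150.100.1.1, 250 packets",
    # Constructed lines:
    "40w5d: %SEC-6-IPACCESSLOGNP: list 91 permitted 0 0.0.0.0 -> 150.100.1.1, 1 packet",
    "40w6d: %SEC-6-IPACCESSLOGS: list 91 permitted 192.0.2.10 1 packet",
]

if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row)
```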