Re: ACL Logging UDP Port 0

From: Muzammil Malick <malickmuz_at_gmail.com>
Date: Sun, 5 Jun 2011 15:59:45 +0100

Thanks Joe,

That didn't help. It's really weird. I think I will raise a TAC unless
anyone else has any useful insights?

thanks

On 2 June 2011 14:08, Joe Astorino <joeastorino1982_at_gmail.com> wrote:
> Try putting a range of 0-65535 for your source as well just to see what
> happens. I would be curious. I have seen this before, but the fact that
> you get some packets that show and others that don't seems a little strange.
>
> On Thu, Jun 2, 2011 at 8:13 AM, Muzammil Malick <malickmuz_at_gmail.com> wrote:
>>
>> Hi All
>>
>> Need some advice/help/pointers?
>>
>> I have an access-list as follows:
>>
>> access-list 101 permit udp any 10.0.0.0 0.0.0.255 range 0 1023 log
>> access-list 101 permit udp any 172.16.0.0 0.0.255.255 range 0 1023 log
>>
>> The ip ranges are bogus but this illustrates how my ACLs are configured.
>>
>> My ACL will log traffic matches like this:
>>
>> permitted udp 10.0.0.1(0) -> 10.0.0.2(0), 1 packet
>> permitted udp 172.16.0.18(0) -> 172.16.0.2(0), 1 packet
>>
>> so UDP port 0 is showing up, however it also matches traffic for other
>> ports as well:
>>
>> permitted udp 10.0.0.3(6007) -> 10.0.0.4(80), 1 packet
>> permitted udp 172.16.0.4(8080) -> 172.16.0.5(80), 1 packet
>>
>> I am fairly sure (not 100%) that the UDP port 0 traffic is not really
>> port 0 traffic.
>> I have googled the subject and people mention that this is how IOS
>> reports matches if the ACL is not matching ports,
>> but as you can see my ACL is. Also I cannot find this behaviour
>> mentioned in any Cisco documentation.
>>
>> Does anyone have experience with this?
>>
>>
>> Thanks
>>
>> Muzammil
>>
>>
>
> --
> Regards,
>
> Joe Astorino
> CCIE #24347
> Blog: http://astorinonetworks.com
>
> "He not busy being born is busy dying" - Dylan
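
As an added illustration (not code from anyone in this thread), here is a small triage script that parses ACL log lines in the format quoted above and separates entries that report both ports as 0 from those that carry real port numbers, so the two kinds can be counted and compared. The log format and the sample lines are constructed from the examples in the thread; it assumes the "permitted proto src(port) -> dst(port), N packet(s)" layout is exact.

```python
import re
from collections import Counter

# Regex for the IOS ACL log line format quoted in the thread:
#   permitted udp 10.0.0.1(0) -> 10.0.0.2(0), 1 packet
LOG_RE = re.compile(
    r"(?P<action>permitted|denied)\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\)\s*->\s*"
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\),\s*(?P<count>\d+)\s+packets?"
)

# Constructed sample, modelled on the lines quoted in the thread.
SAMPLE_LOG = """\
permitted udp 10.0.0.1(0) -> 10.0.0.2(0), 1 packet
permitted udp 172.16.0.18(0) -> 172.16.0.2(0), 1 packet
permitted udp 10.0.0.3(6007) -> 10.0.0.4(80), 1 packet
permitted udp 172.16.0.4(8080) -> 172.16.0.5(80), 1 packet
permitted udp 10.0.0.9(53000) -> 10.0.0.2(0), 3 packets
"""

def parse_line(line):
    """Return a dict for one ACL log line, or None if it does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    for k in ("sport", "dport", "count"):
        d[k] = int(d[k])
    # Both ports reported as 0: the thread suspects these are not genuine
    # port-0 datagrams but entries where the ports were not reported.
    d["both_ports_zero"] = d["sport"] == 0 and d["dport"] == 0
    return d

def triage(text):
    """Split log text into entries with real port info and port-0 entries."""
    entries = [e for e in (parse_line(l) for l in text.splitlines()) if e]
    with_ports = [e for e in entries if not e["both_ports_zero"]]
    no_ports = [e for e in entries if e["both_ports_zero"]]
    return with_ports, no_ports

def dst_port_counts(entries):
    """Packet totals per destination port, for entries that carry ports."""
    c = Counter()
    for e in entries:
        c[e["dport"]] += e["count"]
    return c

if __name__ == "__main__":
    with_ports, no_ports = triage(SAMPLE_LOG)
    print(f"{len(no_ports)} entries with both ports 0, {len(with_ports)} with ports")
    print(dict(dst_port_counts(with_ports)))
```

Feed it the output of `show logging` (or the syslog collector's copy) to see how much of the ACL's logged traffic is reported without port information before opening a TAC case.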

Blogs and organic groups at http://www.ccie.net
Received on Sun Jun 05 2011 - 15:59:45 ART

This archive was generated by hypermail 2.2.0 : Fri Jul 01 2011 - 06:24:27 ART