Hi,
Maybe the UDP datagrams are being fragmented.
For packets listed as "port 0" possibly IOS interprets that the ACL is
matching on fragments since the fragments beyond the initial don't contain
port information?
Perhaps something like ip virtual-reassembly may help? (I'm not sure about
this but it's useful for NAT and CBAC) or include the "fragments" keyword in
the acl definition (the problem is that this would not be state based and
would include any fragments since you can't select ports)
Cheers,
Adam
On Wed, Jun 8, 2011 at 8:30 AM, Rob Clav <robclav_at_gmail.com> wrote:
> Hi Muzammil,
> if it was TCP, then it would be traffic from collisions, incomplete or
> malformed packets. So I deduce that it could be the same but for UDP.
> Hth,
> Robclav
>
> 2011/6/5 Muzammil Malick <malickmuz_at_gmail.com>
>
> > Thanks Joe,
> >
> > That didn't help. It's really weird. I think I will raise a TAC unless
> > anyone else has any useful insights?
> >
> > thanks
> >
> > On 2 June 2011 14:08, Joe Astorino <joeastorino1982_at_gmail.com> wrote:
> > > Try putting a range of 0-65535 for your source as well just to see what
> > > happens. I would be curious. I have seen this before, but the fact that
> > > you get some packets that show and others that don't seems a little
> > > strange.
> > >
> > > On Thu, Jun 2, 2011 at 8:13 AM, Muzammil Malick <malickmuz_at_gmail.com>
> > wrote:
> > >>
> > >> Hi All
> > >>
> > >> Need some advice/help/pointers?
> > >>
> > >> I have an access-list as follows:
> > >>
> > >> access-list 101 permit udp any 10.0.0.0 0.0.0.255 range 0 1023 log
> > >> access-list 101 permit udp any 172.16.0.0 0.0.255.255 range 0 1023 log
> > >>
> > >> The ip ranges are bogus but this illustrates how my ACLs are
> > >> configured.
> > >>
> > >> My ACL will log traffic matches like this:
> > >>
> > >> permitted udp 10.0.0.1(0) -> 10.0.0.2(0), 1 packet
> > >> permitted udp 172.16.0.18(0) -> 172.16.0.2(0), 1 packet
> > >>
> > >> so UDP port 0 is showing up; however it also matches traffic for other
> > >> ports as well:
> > >>
> > >> permitted udp 10.0.0.3(6007) -> 10.0.0.4(80), 1 packet
> > >> permitted udp 172.16.0.4(8080) -> 172.16.0.5(80), 1 packet
> > >>
> > >> I am fairly sure (not 100%) that the UDP port 0 traffic is not really
> > >> port 0 traffic.
> > >> I have googled the subject and people mention that this is how IOS
> > >> reports matches if the ACL is not matching ports
> > >> but as you can see my ACL is. Also I cannot find this behaviour
> > >> mentioned in any Cisco documentation.
> > >>
> > >> Does anyone have experience with this?
> > >>
> > >>
> > >> Thanks
> > >>
> > >> Muzammil
> > >>
> > >>
> > >> Blogs and organic groups at http://www.ccie.net
> > >>
> > >>
> > >> _______________________________________________________________________
> > >> Subscription information may be found at:
> > >> http://www.groupstudy.com/list/CCIELab.html
> > >
> > > --
> > > Regards,
> > >
> > > Joe Astorino
> > > CCIE #24347
> > > Blog: http://astorinonetworks.com
> > >
> > > "He not busy being born is busy dying" - Dylan
> >
>
>
> --
> Robert Clavero
> CCIE RS/wr, CCNP, CCSP, CCSE NGX, SCSA 9, WLFES, BNP y JNCIA WX
> blog:http://robclavbcn.blogspot.com
>
> web:http://www.kubsolutions.com
Received on Wed Jun 08 2011 - 09:44:13 ART
This archive was generated by hypermail 2.2.0 : Fri Jul 01 2011 - 06:24:28 ART
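As an added illustration of Adam's fragment explanation (example code, not from anyone in the thread), the following Python parses IOS ACL log entries in the format Muzammil quoted and flags UDP hits reported as port 0 on both ends as probable non-initial fragments. The sample lines are constructed from the thread, and the port-0 heuristic is the thread's hypothesis, not a documented Cisco rule.

```python
import re
from collections import Counter

# Format as quoted in the thread: "permitted udp SRC(port) -> DST(port), N packet(s)".
# re.search is used so any syslog prefix ahead of the match is ignored.
LOG_RE = re.compile(
    r"(?P<action>permitted|denied)\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\)\s+->\s+"
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\),\s+(?P<count>\d+)\s+packets?"
)

def parse_entry(line):
    """Return a dict for one ACL log line, or None if the line does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    e = m.groupdict()
    for key in ("sport", "dport", "count"):
        e[key] = int(e[key])
    # Heuristic from the thread (not a documented Cisco rule): a UDP hit
    # reported as port 0 on both ends against a "range 0 1023" ACL is most
    # likely a non-initial fragment, which carries no UDP header to match on.
    e["probable_fragment"] = e["proto"] == "udp" and e["sport"] == 0 and e["dport"] == 0
    return e

def summarize(lines):
    """Sum packet counts per (src, dst), split into fragment-like and port-matched hits."""
    frag, normal = Counter(), Counter()
    for line in lines:
        e = parse_entry(line)
        if e is None:
            continue
        bucket = frag if e["probable_fragment"] else normal
        bucket[(e["src"], e["dst"])] += e["count"]
    return frag, normal

# Constructed sample: the four log lines Muzammil quoted in the thread.
SAMPLE = [
    "permitted udp 10.0.0.1(0) -> 10.0.0.2(0), 1 packet",
    "permitted udp 172.16.0.18(0) -> 172.16.0.2(0), 1 packet",
    "permitted udp 10.0.0.3(6007) -> 10.0.0.4(80), 1 packet",
    "permitted udp 172.16.0.4(8080) -> 172.16.0.5(80), 1 packet",
]

if __name__ == "__main__":
    frag, normal = summarize(SAMPLE)
    for (src, dst), n in frag.items():
        print(f"probable fragment: {src} -> {dst}, {n} packet(s)")
    for (src, dst), n in normal.items():
        print(f"port-matched:      {src} -> {dst}, {n} packet(s)")
```

Comparing the fragment bucket against the port-matched bucket for the same source/destination pairs is a quick way to tell whether the port-0 entries line up with real flows that are being fragmented.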