Re: ACL Logging UDP Port 0

From: Muzammil Malick <malickmuz_at_gmail.com>
Date: Wed, 8 Jun 2011 13:41:07 +0100

Thanks guys, I had not considered fragmentation. I will look into this.

On 8 June 2011 00:44, Adam Booth <adam.booth_at_gmail.com> wrote:
> Hi,
>
> Maybe the UDP datagrams are being fragmented.
>
> For packets listed as "port 0" possibly IOS interprets that the ACL is
> matching on fragments since the fragments beyond the initial don't contain
> port information?
>
> Perhaps something like ip virtual-reassembly may help? (I'm not sure about
> this but it's useful for NAT and CBAC) or include the "fragments" keyword in
> the acl definition (the problem is that this would not be state based and
> would include any fragments since you can't select ports)
>
> Cheers,
> Adam
>
> On Wed, Jun 8, 2011 at 8:30 AM, Rob Clav <robclav_at_gmail.com> wrote:
>>
>> Hi Muzammil,
>> if it were TCP, then it would be traffic from collisions, incomplete or
>> malformed packets. So I deduce that it could be the same but for UDP.
>> Hth,
>> Robclav
>>
>> 2011/6/5 Muzammil Malick <malickmuz_at_gmail.com>
>>
>> > Thanks Joe,
>> >
>> > That didn't help. It's really weird. I think I will raise a TAC unless
>> > anyone else has any useful insights?
>> >
>> > thanks
>> >
>> > On 2 June 2011 14:08, Joe Astorino <joeastorino1982_at_gmail.com> wrote:
>> > > Try putting a range of 0-65535 for your source as well just to see
>> > > what happens. I would be curious. I have seen this before, but the
>> > > fact that you get some packets that show and others that don't seems
>> > > a little strange.
>> > >
>> > > On Thu, Jun 2, 2011 at 8:13 AM, Muzammil Malick <malickmuz_at_gmail.com>
>> > wrote:
>> > >>
>> > >> Hi All
>> > >>
>> > >> Need some advice/help/pointers?
>> > >>
>> > >> I have an access-list as follows:
>> > >>
>> > >> access-list 101 permit udp any 10.0.0.0 0.0.0.255 range 0 1023 log
>> > >> access-list 101 permit udp any 172.16.0.0 0.0.255.255 range 0 1023 log
>> > >>
>> > >> The IP ranges are bogus but this illustrates how my ACLs are configured.
>> > >>
>> > >> My ACL will log traffic matches like this:
>> > >>
>> > >> permitted udp 10.0.0.1(0) -> 10.0.0.2(0), 1 packet
>> > >> permitted udp 172.16.0.18(0) -> 172.16.0.2(0), 1 packet
>> > >>
>> > >> so UDP port 0 is showing up, however it also matches traffic for other
>> > >> ports as well:
>> > >>
>> > >> permitted udp 10.0.0.3(6007) -> 10.0.0.4(80), 1 packet
>> > >> permitted udp 172.16.0.4(8080) -> 172.16.0.5(80), 1 packet
>> > >>
>> > >> I am fairly sure (not 100%) that the UDP port 0 traffic is not really
>> > >> port 0 traffic.
>> > >> I have googled the subject and people mention that this is how IOS
>> > >> reports matches if the ACL is not matching ports, but as you can see
>> > >> my ACL is. Also I cannot find this behaviour mentioned in any Cisco
>> > >> documentation.
>> > >>
>> > >> Does anyone have experience with this?
>> > >>
>> > >>
>> > >> Thanks
>> > >>
>> > >> Muzammil
>> > >>
>> > >>
>> > >> Blogs and organic groups at http://www.ccie.net
>> > >>
>> > >>
>> > >> _______________________________________________________________________
>> > >> Subscription information may be found at:
>> > >> http://www.groupstudy.com/list/CCIELab.html
>> > >
>> > > --
>> > > Regards,
>> > >
>> > > Joe Astorino
>> > > CCIE #24347
>> > > Blog: http://astorinonetworks.com
>> > >
>> > > "He not busy being born is busy dying" - Dylan
>> >
>>
>>
>> --
>> Robert Clavero
>> CCIE RS/wr, CCNP, CCSP, CCSE NGX, SCSA 9, WLFES, BNP and JNCIA WX
>> blog:http://robclavbcn.blogspot.com
>>
>> web:http://www.kubsolutions.com

Received on Wed Jun 08 2011 - 13:41:07 ART

This archive was generated by hypermail 2.2.0 : Fri Jul 01 2011 - 06:24:28 ART
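The fragmentation hypothesis raised in the thread can be checked against the log itself rather than by guessing. The Python script below is an added example, not code from the thread or from Cisco: it parses ACL log lines in the format quoted above (the `%SEC-6-IPACCESSLOGP:` syslog prefix, and the extra sample lines marked as constructed, are assumptions), separates matches reported with both ports as 0 from matches carrying real ports, and lists address pairs that show up in both forms. That pattern is what non-initial fragments of a logged UDP flow would produce, since only the first fragment carries the UDP header and therefore the port numbers.

```python
"""Classify Cisco IOS ACL 'log' lines that report UDP port 0.

Added example (not from the thread or from Cisco). It reads the log format
quoted in the thread and, under the hypothesis discussed there (non-initial IP
fragments carry no UDP header, so IOS reports both ports as 0), separates
port-0 matches from normal matches and checks whether each port-0 address pair
also appears with real ports, which is what fragmentation of a logged flow
would look like.
"""
import re
from collections import Counter

# Matches the body of a log line as quoted in the thread. The optional
# "list <acl>" syslog prefix is an assumption; the src(port) -> dst(port),
# N packet(s) suffix is the format shown in the thread.
LINE_RE = re.compile(
    r"(?:list\s+(?P<acl>\S+)\s+)?"
    r"(?P<action>permitted|denied)\s+(?P<proto>udp|tcp)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\((?P<sport>\d+)\)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\((?P<dport>\d+)\),\s+(?P<count>\d+)\s+packets?"
)

# Constructed sample: the four lines quoted in the thread (with an assumed
# syslog prefix) plus two constructed lines and one junk line.
SAMPLE_LOG = [
    "%SEC-6-IPACCESSLOGP: list 101 permitted udp 10.0.0.1(0) -> 10.0.0.2(0), 1 packet",
    "%SEC-6-IPACCESSLOGP: list 101 permitted udp 172.16.0.18(0) -> 172.16.0.2(0), 1 packet",
    "%SEC-6-IPACCESSLOGP: list 101 permitted udp 10.0.0.3(6007) -> 10.0.0.4(80), 1 packet",
    "%SEC-6-IPACCESSLOGP: list 101 permitted udp 172.16.0.4(8080) -> 172.16.0.5(80), 1 packet",
    # Constructed: a flow that is logged both with real ports and as port 0
    "%SEC-6-IPACCESSLOGP: list 101 permitted udp 10.0.0.3(0) -> 10.0.0.4(0), 4 packets",
    "%SEC-6-IPACCESSLOGP: list 101 permitted udp 10.0.0.9(53222) -> 10.0.0.10(53), 2 packets",
    "junk line that should be ignored",
]


def parse_line(line):
    """Return a dict of fields for one ACL log line, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    entry = m.groupdict()
    for key in ("sport", "dport", "count"):
        entry[key] = int(entry[key])
    return entry


def classify(lines):
    """Split entries into (port0, normal, suspected_fragment_pairs).

    A port-0 entry whose (src, dst) pair is also logged with real ports is
    consistent with non-initial fragments of that flow hitting the same ACE.
    """
    port0, normal = [], []
    pairs_with_ports = set()
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        if entry["sport"] == 0 and entry["dport"] == 0:
            port0.append(entry)
        else:
            normal.append(entry)
            pairs_with_ports.add((entry["src"], entry["dst"]))
    suspected = sorted(
        {(e["src"], e["dst"]) for e in port0 if (e["src"], e["dst"]) in pairs_with_ports}
    )
    return port0, normal, suspected


def summarize(lines):
    """Packet totals per class, plus the address pairs that look like fragmented flows."""
    port0, normal, suspected = classify(lines)
    totals = Counter()
    totals["port0_packets"] = sum(e["count"] for e in port0)
    totals["normal_packets"] = sum(e["count"] for e in normal)
    return {
        "port0_entries": len(port0),
        "normal_entries": len(normal),
        "port0_packets": totals["port0_packets"],
        "normal_packets": totals["normal_packets"],
        "suspected_fragment_pairs": suspected,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against a real log export, a non-empty `suspected_fragment_pairs` list supports the fragmentation explanation; port-0 pairs that never appear with real ports deserve a packet capture on the interface, since genuine source-port-0 traffic is unusual and the thread's ACL (`range 0 1023`) would also match it.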