Wednesday, July 22, 2020

C9500, Gibraltar and ACLs with object-groups

This is a weird one.

It's almost like in this post, but upped a notch.

I have an extended, named IPv4 access-list whose ACEs all contain object-groups. It is bound to a VLAN interface, so I'm checking all the boxes as per the documentation.

I know I need to add "log" to the ACEs I want to see matches for, as only then does the traffic go through software and get counted, so for testing I have every ACE being logged... but:

  • none of the ACEs ever show up in the logs or have hits
  • I know the ACEs are hit and enforced on traffic, as connections/pings drop or go through according to ACL changes
  • putting a non-object-group ACE somewhere in the mix after a hitting object-group ACE (with the log statement) shows the message from the previous hit
  • the log message carries the action (allowed/denied) of the non-object-group ACE. So for example an ACL with "10 permit icmp object-group net1 any log" that is closed by "200 deny ip any any log" will result in "%SEC-6-IPACCESSLOGDP: list xy denied icmp 10.21.31.41 -> 10.20.30.40 (0/0)", although the ping went through just fine.
  • the log-generating ACE has its hit count go up.

another example:

    ip access-l ext xy
     10 deny ip any object-group priv-net log
     11 deny ip any host 169.254.169.254 log (846 matches)
     20 permit ip any any

    sh object-group
    Network object group priv-net
     192.168.0.0 255.255.0.0
     10.20.0.0 255.255.0.0
     169.254.0.0 255.255.0.0
     172.16.0.0 255.248.0.0
     172.24.0.0 255.252.0.0
     172.31.0.0 255.255.255.0
     10.30.0.0 255.255.0.0
     host 169.254.169.254

I specifically added the "host" entry to the object-group as well, to make sure I'm not running into some masking brainfart or typo. But ACE 11 gets all the hits and logs, and traffic still isn't allowed after removing 11.

"sh ip access-list xy exp" also expands the object-group just fine, and I do in fact have the same 2 lines above each other.
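To make the discrepancy concrete, here is an added example (not part of the original post) that walks the two ACLs above with ordinary first-match semantics and compares the result with what the switch reported. It covers both observations: the "denied" syslog for a ping that was actually permitted, and the xy ACL where the hit counter lands on ACE 11 although ACE 10 (via the expanded object-group) should match first. The priv-net entries are taken from the show output above; the net1 object-group is an assumption (the post does not list it), constructed so that it contains 10.21.31.41.

```python
import ipaddress
import re

# Object-groups: priv-net is copied from the post's "sh object-group" output;
# net1 is an ASSUMED group for the post's ICMP example, which the post does not list.
OBJECT_GROUPS = {
    "priv-net": [
        "192.168.0.0 255.255.0.0", "10.20.0.0 255.255.0.0",
        "169.254.0.0 255.255.0.0", "172.16.0.0 255.248.0.0",
        "172.24.0.0 255.252.0.0", "172.31.0.0 255.255.255.0",
        "10.30.0.0 255.255.0.0", "host 169.254.169.254",
    ],
    "net1": ["10.21.31.0 255.255.255.0"],  # assumption: must cover 10.21.31.41
}

# The two ACLs from the post, written as the IOS ACE lines they show.
ACL_XY = [
    "10 deny ip any object-group priv-net log",
    "11 deny ip any host 169.254.169.254 log",
    "20 permit ip any any",
]
ACL_ICMP = [
    "10 permit icmp object-group net1 any log",
    "200 deny ip any any log",
]

def netmask_form(addr, mask):
    """Build a network from 'addr netmask' (the object-group entry style)."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def wildcard_form(addr, wildcard):
    """Build a network from 'addr wildcard' (inline ACE style) by inverting the wildcard."""
    mask = ipaddress.IPv4Address((~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF)
    return netmask_form(addr, mask)

def expand_group(name):
    """Expand an object-group into the list of networks it contains."""
    nets = []
    for entry in OBJECT_GROUPS[name]:
        tokens = entry.split()
        if tokens[0] == "host":
            nets.append(netmask_form(tokens[1], "255.255.255.255"))
        else:
            nets.append(netmask_form(tokens[0], tokens[1]))
    return nets

def take_address_spec(tokens):
    """Consume one src/dst spec from the ACE tokens; return (networks, remaining tokens)."""
    kw = tokens[0]
    if kw == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], tokens[1:]
    if kw == "host":
        return [netmask_form(tokens[1], "255.255.255.255")], tokens[2:]
    if kw == "object-group":
        return expand_group(tokens[1]), tokens[2:]
    return [wildcard_form(tokens[0], tokens[1])], tokens[2:]

def evaluate(acl, proto, src, dst):
    """First-match walk: return (sequence, action, logged) of the ACE that matches,
    or (None, 'deny', False) for the implicit deny at the end of every ACL."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acl:
        tokens = ace.split()
        seq, action, ace_proto = int(tokens[0]), tokens[1], tokens[2]
        src_nets, rest = take_address_spec(tokens[3:])
        dst_nets, rest = take_address_spec(rest)
        if ace_proto not in ("ip", proto):
            continue
        if any(s in n for n in src_nets) and any(d in n for n in dst_nets):
            return seq, action, "log" in rest
    return None, "deny", False

# Matches IPACCESSLOGDP/LOGP/LOGNP style lines; optional "(port)" after each address.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG\w+: list (\S+) (permitted|denied) (\w+) "
    r"(\d+\.\d+\.\d+\.\d+)(?:\(\d+\))? -> (\d+\.\d+\.\d+\.\d+)(?:\(\d+\))?"
)

def audit_log_line(line, acls):
    """Parse one IPACCESSLOG syslog line and compare its action with the action a
    first-match walk of the named ACL would have applied. None if the line is not an ACL log."""
    m = LOG_RE.search(line)
    if not m:
        return None
    name, logged_action, proto, src, dst = m.groups()
    seq, expected_action, _ = evaluate(acls[name], proto, src, dst)
    expected_logged = "permitted" if expected_action == "permit" else "denied"
    return {"list": name, "logged": logged_action, "expected": expected_logged,
            "expected_seq": seq, "mismatch": logged_action != expected_logged}

if __name__ == "__main__":
    # xy: the walk credits ACE 10 (object-group), yet the switch credited ACE 11 with 846 matches.
    print(evaluate(ACL_XY, "tcp", "10.1.2.3", "169.254.169.254"))
    # The post's ICMP example (list name "xy" as in the quoted syslog): "denied" for a ping that passed.
    sample = "%SEC-6-IPACCESSLOGDP: list xy denied icmp 10.21.31.41 -> 10.20.30.40 (0/0)"
    print(audit_log_line(sample, {"xy": ACL_ICMP}))
```

Running this against a syslog feed is a cheap way to spot the behaviour described in the post at scale: every line where `mismatch` is true (or where the enforced outcome visibly disagrees with the logged one) is a log you cannot trust for forensics, which matters more than the cosmetic hit counter.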


