Blog |Follow Nick on Twitter| About
 

ACL syslog correlation is a Cisco IOS feature which provides the ability to identify which access list entry (ACE) was responsible for a permit or deny action appearing in syslog.

Consider the following access list applied to filter externally-sourced traffic destined for the internal network:

Router# show ip access-lists
Extended IP access list EXTERNAL->INTERNAL
    10 permit icmp any any echo-reply
    20 permit udp any eq domain any
    30 permit tcp any any established
    40 permit tcp any host 172.16.0.202 eq www
    50 deny tcp any any eq 22 log
    999 deny ip any any

Lines 10 through 40 allow miscellaneous traffic types in, and line 50 explicitly denies inbound traffic destined to TCP/22 for the purpose of logging. Line 60 defines an explicit "deny any"; this isn't required, but included here for clarity.

When an inbound packet is matched and discard by rule 50, the following syslog message is generated:

%SEC-6-IPACCESSLOGP: list EXTERNAL->INTERNAL denied tcp 10.0.0.2(57289) ->
 10.0.0.1(22), 1 packet

This log message informs the administrator of the action taken and the ACL which matched the packet, but in some cases we may want more detail readily available. This is where ACL hash correlation comes in handy. We can redefine the ACL rule to include an arbitrary keyword, up to 64 characters in length:

Router(config)# ip access-list ext EXTERNAL->INTERNAL
Router(config-ext-nacl)# 50 deny tcp any any eq 22 log Deny_SSH
Router(config-ext-nacl)# ^Z
Router# show ip access-lists
Extended IP access list EXTERNAL->INTERNAL
    10 permit icmp any any echo-reply
    20 permit udp any eq domain any
    30 permit tcp any any established
    40 permit tcp any host 172.16.0.202 eq www
    50 deny tcp any any eq 22 log (tag = Deny_SSH)
    999 deny ip any any

Now when that rule discards a packet, its log message includes our tag:

%SEC-6-IPACCESSLOGP: list EXTERNAL->INTERNAL denied tcp 10.0.0.2(54843) ->
 10.0.0.1(22), 1 packet  [Deny_SSH]

These tags can be reused by multiple ACEs. Continuing our example, say we also want to deny traffic to SSH servers running on an alternate port, TCP/2222:

Router(config)# ip access-list ext EXTERNAL->INTERNAL
Router(config-ext-nacl)# 60 deny tcp any any eq 2222 log Deny_SSH
Router(config-ext-nacl)# ^Z
Router# show ip access-lists
Extended IP access list EXTERNAL->INTERNAL
    10 permit icmp any any echo-reply
    20 permit udp any eq domain any
    30 permit tcp any any established
    40 permit tcp any host 172.16.0.202 eq www
    50 deny tcp any any eq 22 log (1 match) (tag = Deny_SSH)
    60 deny tcp any any eq 2222 log (tag = Deny_SSH)
    999 deny ip any any

ACL logging tags are great for readily identifying ACE matches, particularly when you expect certain matches to occur, but manually defining a tag for each ACE isn't always practical. This is especially true when you want to maintain syslog correlation among hundreds or thousands of individual ACL rules. In such cases, automatically generated hashes would be the preferred option. Automatic hashing is enabled globally, and applied to any ACE with the log keyword with no argument following it.

Here we enable hash generation and add a few more ACEs to our ACL:

Router(config)# ip access-list logging hash-generation
Router(config)# ip access-list extended EXTERNAL->INTERNAL
Router(config-ext-nacl)# 70 deny tcp any any eq 1000 log
Router(config-ext-nacl)# 80 deny tcp any any eq 2000 log
Router(config-ext-nacl)# 90 deny tcp any any eq 3000 log
Router(config-ext-nacl)# ^Z
Router# show ip access-lists
Extended IP access list EXTERNAL->INTERNAL
    10 permit icmp any any echo-reply
    20 permit udp any eq domain any
    30 permit tcp any any established
    40 permit tcp any host 172.16.0.202 eq www
    50 deny tcp any any eq 22 log (1 match) (tag = Deny_SSH)
    60 deny tcp any any eq 2222 log (tag = Deny_SSH)
    70 deny tcp any any eq 1000 log (hash = 0x594F8697)
    80 deny tcp any any eq 2000 log (hash = 0xE471528C)
    90 deny tcp any any eq 3000 log (hash = 0x34CC0DD6)
    999 deny ip any any

As expected, a trigger by any of the ACEs with a hash appended works just as it does with tags:

%SEC-6-IPACCESSLOGP: list EXTERNAL->INTERNAL denied tcp 10.0.0.2(21196) ->
 10.0.0.1(1000), 1 packet  [0x594F8697]

While not immediately useful, a hash can be used to filter an ACL configuration and quickly identify the ACE responsible for an action:

Router# show ip access-lists EXTERNAL->INTERNAL | include 594F8697
    70 deny tcp any any eq 1000 log (1 match) (hash = 0x594F8697)

9 comments

rgds,

Nick

 
Nick Bettison ©