Wired Intelligent Edge (Campus Switching and Routing)


AOS-CX-TL.10.04 (ACL-LOG permitted ESTABLISHED Logging?)

Re: AOS-CX-TL.10.04 (ACL-LOG permitted ESTABLISHED Logging?)

 

It appears there are certain flavors of ACL/ACE ESTABLISHED entries that force a debug Permitted LOG. See the attached TXT file for the AOS-CX CLI commands and LOG results.

 

Note, there is no LOG parameter on the PERMITTED established ACE.

 

Below is a sampling of the attached file:

2020-06-05T09:09:52.204625-05:00 XYZ-1111-IN ops-switchd[3242]: Event|10001|LOG_INFO|AMM|1/1|List XYZ-1111-IN, seq# 44 permitted tcp 10.70.1.51(50139) -> 192.168.88.210(3389) on vlan 1111, port 1/1/44, direction in


../smb/air

Accepted Solutions
MVP Guru

Re: AOS-CX-TL.10.04 (ACL-LOG permitted ESTABLISHED Logging?)

Correct. From the ACL config guide:

"log
Keeps a log of the number of packets matching this ACE. The action log can only be combined with deny, not
permit. The 8320 and 8325 switches do not support logging for ACLs applied on the egress."

 

You can raise this limitation to your local Aruba contact for relaying to product manager.



All Replies
MVP Guru

Re: AOS-CX-TL.10.04 (ACL-LOG permitted ESTABLISHED Logging?)

Hi Giles, am I mistaken (totally possible), or is the OP instead asking why permitted actions related to a permitting ACE without any log operand are logged?

 

ACE:

44 permit tcp XYZ-OBJECT-IPV4-1111-EMP-WIFI DTS-ALL-OBJECT-IPV4-NET-0-0-0-0 established count

Logs:

2020-06-05T09:09:52.204625-05:00 XYZ-1111-IN ops-switchd[3242]: Event|10001|LOG_INFO|AMM|1/1|List XYZ-1111-IN, seq# 44 permitted tcp 10.70.1.51(50139) -> 192.168.88.210(3389) on vlan 1111, port 1/1/44, direction in
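The practical question behind this thread is how to tell which ACL events in syslog come from ACEs that were never configured with `log`. The following is an added example, not code from the thread or from Aruba: it parses the `ops-switchd` ACL event text in the format shown above and the ACE lines of the ACL config, then reports any event whose originating ACE (matched by ACL name is not needed, only by seq#) has no `log` keyword. The config and the second syslog line are constructed for the example (the `denied` wording of the second line, the `50 deny any any any log` ACE and the ACL name are assumptions); the first syslog line is the one posted in the thread.

```python
"""Cross-check AOS-CX ACL syslog events against the ACL configuration.

Added example (not from the thread). Flags 'Event|10001|...' ACL log lines
whose ACE has no 'log' keyword, i.e. the unexpected 'permitted ... established'
logging discussed in the thread. All sample input below is constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# ACE line: "<seq> permit|deny <protocol> <src> <dst> [options...]"
ACE_RE = re.compile(r"^\s*(?P<seq>\d+)\s+(?P<action>permit|deny)\s+(?P<rest>.*)$")

# Event text as shown in the thread; 'denied' wording for deny ACEs is assumed.
EVENT_RE = re.compile(
    r"List (?P<acl>\S+), seq# (?P<seq>\d+) (?P<verdict>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\) on vlan (?P<vlan>\d+), "
    r"port (?P<port>\S+), direction (?P<dir>\w+)"
)

# Constructed config: seq 44 is the ACE from the thread, seq 50 is assumed.
SAMPLE_CONFIG = """\
access-list ip XYZ-1111-IN
    44 permit tcp XYZ-OBJECT-IPV4-1111-EMP-WIFI DTS-ALL-OBJECT-IPV4-NET-0-0-0-0 established count
    50 deny any any any log
"""

# Constructed syslog: first line is from the thread, second is assumed.
SAMPLE_SYSLOG = """\
2020-06-05T09:09:52.204625-05:00 XYZ-1111-IN ops-switchd[3242]: Event|10001|LOG_INFO|AMM|1/1|List XYZ-1111-IN, seq# 44 permitted tcp 10.70.1.51(50139) -> 192.168.88.210(3389) on vlan 1111, port 1/1/44, direction in
2020-06-05T09:10:01.000000-05:00 XYZ-1111-IN ops-switchd[3242]: Event|10001|LOG_INFO|AMM|1/1|List XYZ-1111-IN, seq# 50 denied udp 10.70.1.52(5353) -> 224.0.0.251(5353) on vlan 1111, port 1/1/44, direction in
"""


@dataclass(frozen=True)
class Ace:
    seq: int
    action: str
    established: bool
    log: bool
    count: bool


def parse_acl(config: str) -> Dict[int, Ace]:
    """Return {seq: Ace} for every ACE line in the config text."""
    aces: Dict[int, Ace] = {}
    for line in config.splitlines():
        m = ACE_RE.match(line)
        if not m:
            continue  # 'access-list ip NAME' header or other non-ACE text
        words = m.group("rest").split()
        seq = int(m.group("seq"))
        aces[seq] = Ace(
            seq=seq,
            action=m.group("action"),
            established="established" in words,
            log="log" in words,
            count="count" in words,
        )
    return aces


def parse_event(line: str) -> Optional[dict]:
    """Extract the ACL event fields from one syslog line, or None."""
    m = EVENT_RE.search(line)
    return m.groupdict() if m else None


def unexpected_events(config: str, syslog: str) -> List[dict]:
    """Events logged although the matching ACE has no 'log' keyword
    (or no ACE with that seq# exists in the supplied config)."""
    aces = parse_acl(config)
    out = []
    for line in syslog.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        ace = aces.get(int(ev["seq"]))
        if ace is None or not ace.log:
            ev["ace"] = ace
            out.append(ev)
    return out


if __name__ == "__main__":
    for ev in unexpected_events(SAMPLE_CONFIG, SAMPLE_SYSLOG):
        print(f"seq {ev['seq']} {ev['verdict']} {ev['proto']} "
              f"{ev['src']}:{ev['sport']} -> {ev['dst']}:{ev['dport']} "
              f"logged without 'log' on ACE: {ev['ace']}")
```

Run against the two constructed lines, only the seq# 44 event is reported: its ACE carries `established count` but no `log`, which is exactly the behaviour the thread describes, while the seq# 50 event is expected because that ACE has `log`. Feed it `show running-config` output and a syslog export to find the same pattern across a real ACL.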


Re: AOS-CX-TL.10.04 (ACL-LOG permitted ESTABLISHED Logging?)


 

Yes.  You worded the issue much better than I.

 

The primary reason I wrote the original discussion is to see if any other airhead has seen this "permitted / established" LOGGING phenomenon.

 

I am concerned that there may be security weaknesses when using an ACE ESTABLISHED.


../smb/air

Re: AOS-CX-TL.10.04 (ACL-LOG permitted ESTABLISHED Logging?)

 

Yes, there is a TCP ESTABLISHED LOGGING bug.  See https://community.arubanetworks.com/t5/Wired-Intelligent-Edge-Campus/AOS-CX-TL-10-04-0041-DEBUG-ACL-LOG-logging-only-reveals-UDP-ACE/m-p/661120#M10098 for a related problem caused by the TCP PERMIT ...established BUG.


../smb/air