05-12-2022 05:45 AM
IOS 16.3.6 Denali, with ISE 3.6 patch 6 (in monitor mode)
#sh license feature-version
Feature Name Version
----------------------------
ipservices 1.0
ipservices eval 1.0
ipbase 1.0
ipbase eval 1.0
lanbase 1.0
I have created a PACL to block all multicast and a range of ports in both directions. I added the log entry to the end of each line.
Extended IP access list Block-SIM
10 deny udp any range 7400 7499 any range 7400 7499 log
20 permit tcp any any log
30 permit udp any any log
40 permit ip any any log
And on the ports I want this to operate on:
interface GigabitEthernet1/0/33
description *** User Data Port ***
switchport access vlan 80
switchport mode access
switchport block multicast
ip access-group Block-SIM in
ip access-group Block-SIM out
logging event link-status
authentication timer reauthenticate server
access-session port-control auto
mab
snmp trap mac-notification change added
snmp trap mac-notification change removed
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
service-policy type control subscriber POLICY_Gi1/0/33
end
From what I read, I should be able to see the counters with:
"sh platform acl counters hardware" but our software does not have that command.
Because the others failed, I added a block on SSH (easier to test): "15 deny tcp any eq 22 any log" - but nothing is ever blocked.
Two questions:
thanks
05-12-2022 07:03 AM - edited 05-12-2022 07:13 AM
Hello,
A couple of things. I remember reading that PACLs can only work in the inbound direction (not out). I'll have to dig that up. And according to this Cisco doc, the "log" keyword, along with a few others, does not work.
Search for Port ACL
You can also try using a MAC based ACL to deny the multicast range of MAC addresses
-David
05-12-2022 07:18 AM
05-12-2022 07:36 AM
Once you apply it, it should take effect. According to the ACL, it looks like you are allowing SSH port 22 with the permit tcp any any. Did you mean to deny it?
Try this ACL:
mac access-list extended multicastDeny
deny any 0100.5e00.0000 0000.00ff.ffff
permit any any
int g1/0/33
mac access-group multicastDeny in
You may have to play with extended/standard and named vs. numbered MAC ACLs depending on your platform.
-David
05-12-2022 08:16 AM
05-12-2022 08:40 AM
Extended IP access list Block-SIM
10 deny udp any range 7400 7499 any range 7400 7499 log
15 deny tcp any eq 22 any log <- 15 deny tcp any any eq 22 log
20 permit tcp any any log
30 permit udp any any log
40 permit ip any any log
cs7#
It looks like you're denying based on a source port of 22. When you SSH to a client, you use a destination port of 22.
-David
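To make the source-port vs. destination-port point above concrete (and the MAC wildcard match from the multicastDeny ACL earlier in the thread), here is a small first-match ACL evaluator. It is an added illustration for this thread, not Cisco code and not anyone's posted config; the ephemeral port 51234 and the sample MAC addresses are constructed inputs.

```python
# Added illustration for this thread (not Cisco code and not the poster's
# config): a toy first-match evaluator for the extended IP ACL lines above and
# for MAC ACL wildcard masks. Port numbers and MACs used as inputs are constructed.
from dataclasses import dataclass
from typing import List, Optional, Tuple

# A port specifier: None means "any"; ("eq", n); ("range", lo, hi).
PortSpec = Optional[Tuple]


def port_matches(spec: PortSpec, port: int) -> bool:
    if spec is None:
        return True
    if spec[0] == "eq":
        return port == spec[1]
    if spec[0] == "range":
        return spec[1] <= port <= spec[2]
    raise ValueError(f"unknown port spec {spec!r}")


@dataclass
class Ace:
    action: str    # "permit" or "deny"
    proto: str     # "tcp", "udp" or "ip" (ip matches any L4 protocol)
    src: PortSpec  # source port specifier
    dst: PortSpec  # destination port specifier


def evaluate(acl: List[Ace], proto: str, sport: int, dport: int) -> str:
    """First matching entry wins; an ACL ends with an implicit deny."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if port_matches(ace.src, sport) and port_matches(ace.dst, dport):
            return ace.action
    return "deny"


COMMON = [Ace("deny", "udp", ("range", 7400, 7499), ("range", 7400, 7499))]
TAIL = [Ace("permit", "tcp", None, None),
        Ace("permit", "udp", None, None),
        Ace("permit", "ip", None, None)]

# Line 15 as originally written: "deny tcp any eq 22 any" (SOURCE port 22)
ACL_SRC22 = COMMON + [Ace("deny", "tcp", ("eq", 22), None)] + TAIL
# Line 15 as suggested in the reply: "deny tcp any any eq 22" (DESTINATION port 22)
ACL_DST22 = COMMON + [Ace("deny", "tcp", None, ("eq", 22))] + TAIL


def ssh_client_syn(acl: List[Ace]) -> str:
    # Client-to-server SSH: ephemeral source port (constructed 51234), dst 22
    return evaluate(acl, "tcp", 51234, 22)


def ssh_server_reply(acl: List[Ace]) -> str:
    # Server-to-client reply: source 22, ephemeral destination
    return evaluate(acl, "tcp", 22, 51234)


def mac_to_int(mac: str) -> int:
    return int(mac.replace(".", ""), 16)


def mac_wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask semantics: a 1 bit in the mask is 'don't care'."""
    care = ~mac_to_int(wildcard) & 0xFFFFFFFFFFFF
    return (mac_to_int(addr) & care) == (mac_to_int(base) & care)


if __name__ == "__main__":
    print("src-port-22 ACL, client SYN  :", ssh_client_syn(ACL_SRC22))    # permit
    print("dst-port-22 ACL, client SYN  :", ssh_client_syn(ACL_DST22))    # deny
    print("src-port-22 ACL, server reply:", ssh_server_reply(ACL_SRC22))  # deny
    print("UDP 7450->7450:", evaluate(ACL_DST22, "udp", 7450, 7450))      # deny
    print("UDP 7450->5000:", evaluate(ACL_DST22, "udp", 7450, 5000))      # permit
    print("0100.5e7f.fffa matches multicast mask:",
          mac_wildcard_match("0100.5e7f.fffa", "0100.5e00.0000", "0000.00ff.ffff"))  # True
```

The client's SYN towards the SSH server carries destination port 22 and a random source port, so only the destination-port form of line 15 matches it; the source-port form matches the server's replies instead, which is the opposite direction from the inbound PACL. The UDP cases also show that line 10 only fires when both source and destination ports fall in 7400-7499, which is worth keeping in mind when testing it. The wildcard 0000.00ff.ffff matches any address whose first three octets are 01:00:5e.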
05-12-2022 09:23 AM
05-12-2022 10:24 AM
It doesn't look like there is anything wrong with the format. Are you getting confirmation that UDP packets are able to be sent on ports 7400-7499 from the interface? Maybe you can try testing it on the VLAN interface (applied inbound), where I think you can use the log command to see if anything is hitting it.
-David
05-12-2022 09:01 AM
Check this:
You have two PACLs.
One is pushed from the AAA server.
The other is your configured PACL.
So the PACL pushed from the AAA server ("permit any any") overrides your configured PACL.
05-12-2022 09:34 AM
05-12-2022 09:52 AM
To be sure, remove the dot1x config from the port, then check the ACL.
Remove the config and shut/no shut the port to return the port to unauthorized status.