cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
239
Views
15
Helpful
10
Replies

3650 Port based ACL not working (also how to log/monitor the ACL)

newbieftd
Beginner
Beginner

iOS 16.3.6 Denali, with ISE 3.6 patch 6 (in monitor mode)

#sh license feature-version
Feature Name Version
----------------------------
ipservices 1.0
ipservices eval 1.0
ipbase 1.0
ipbase eval 1.0
lanbase 1.0

 

I have created a PACL to block all multicast, and range of port in both directions, I added the log entry to the end of each line

Extended IP access list Block-SIM
10 deny udp any range 7400 7499 any range 7400 7499 log
20 permit tcp any any log
30 permit udp any any log
40 permit ip any any log

 

And on the ports I want this to operate on:

interface GigabitEthernet1/0/33
description *** User Data Port ***
switchport access vlan 80
switchport mode access
switchport block multicast
ip access-group Block-SIM in
ip access-group Block-SIM out

logging event link-status
authentication timer reauthenticate server
access-session port-control auto
mab
snmp trap mac-notification change added
snmp trap mac-notification change removed
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
service-policy type control subscriber POLICY_Gi1/0/33
end

 

From what I read, I should be able to see the counters with:

"sh platform acl counters hardware" but our software does not have that command.

Because the others failed, I added a block on ssh (easier to test) "15 deny tcp any eq 22 any log" - but nothing is ever blocked.

 

Two questions:

  1. What isn't the ACL working? Nothing is being stopped
  2. How can I monitor the counters/log? Nothing going to termininal (using term mon), and nothing in the syslog either

thanks 

 

10 Replies 10

David Ruess
Rising star
Rising star

Hello,

 

A couple things. I remember reading that PACLs can only work in the inbound direction (not out). Il have to dig that up. And according to this CISCO doc the "log" keyword, along with a few others, do not work.

 

Catalyst 3560 Switch Software Configuration Guide, Release 12.2(55)SE - Configuring Network Security with ACLs [Cisco Catalyst 3560 Series Switches] - Cisco

 

Search for Port ACL

 

You can also try using a MAC based ACL to deny the multicast range of MAC addresses

 

-David

Thanks for the response, I have it set on in/out, and I can adjust for in only. But it is not blocking a simple inbound to port 22 (ssh).
After setting/applying the ACL to the port, shut/no shut on the port, is there anything else I need to do to have this take affect?

Once you apply it, it should take effect. According the the ACL it looks like you are allowing SSH port 22 with the permit tcp any any. Did you mean to deny it? 

 

Try this ACL:

 

mac access-list extended multicastDeny
deny any 0100.5e00.0000 0000.00ff.ffff
permit any any

 

int g1/0/33
mac access-group multicastDeny in

 

You may have to play with extended/standard and named vs numberd MAC ACL depending on your platform.

 

 

-David

 

Thanks again - my deny ssh rule was near the top (with the other deny), here is the complete acl - so deny ssh is prior to any permits, so should block ssh - correct?
Extended IP access list Block-SIM
10 deny udp any range 7400 7499 any range 7400 7499 log
15 deny tcp any eq 22 any log
20 permit tcp any any log
30 permit udp any any log
40 permit ip any any log
cs7#

Extended IP access list Block-SIM
10 deny udp any range 7400 7499 any range 7400 7499 log
15 deny tcp any eq 22 any log   <- 15 deny tcp any any eq 22 log
20 permit tcp any any log
30 permit udp any any log
40 permit ip any any log
cs7#

 

It looks like your denying based on source port f 22. When you ssh to a client you use a destination port of 22.

 

 

-David

Thanks - updating the deny rule made it block ssh, so I at least know the ACL rule is working.
Is there anything wrong with the format of:
10 deny udp any range 7400 7499 any range 7400 7499 log ?

I want it to deny any inbound UDP traffic within the port range of 7400-7499

It doesn't look like there is anything wrong with the format. Are you getting confirmation that UDP packets are able to send on ports 7400-7499 from the interface? Maybe you can try testing in on the VLAN interface (applied inbound) where I think you can use the log command to see if anything is hitting it.

 

-Daivd

MHM Cisco World
Advisor
Advisor

check this, 
you have two PACL 

one is push from AAA server 
other is your config PACL 

so the PACL push from the AAA Server is override "permit any any" you config PACL.

Thanks, but not sure what you mean by "AAA override" - are you saying ISE is overriding my Block-SIM ACL?
Here is the port config - where/how is it overridden?
interface GigabitEthernet1/0/33
description *** User Data Port ***
switchport access vlan 80
switchport mode access
switchport block multicast
ip access-group Block-SIM in
logging event link-status
authentication timer reauthenticate server
access-session port-control auto
mab
snmp trap mac-notification change added
snmp trap mac-notification change removed
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
service-policy type control subscriber POLICY_Gi1/0/33
end

policy-map type control subscriber POLICY_Gi1/0/33
event session-started match-all
10 class always do-until-failure
10 authenticate using dot1x retries 2 retry-time 0 priority 10
event authentication-failure match-first
5 class DOT1X_FAILED do-until-failure
10 terminate dot1x
20 authenticate using mab priority 20
10 class DOT1X_NO_RESP do-until-failure
10 terminate dot1x
20 authenticate using mab priority 20
20 class MAB_FAILED do-until-failure
10 terminate mab
20 authentication-restart 60
40 class always do-until-failure
10 terminate dot1x
20 terminate mab
30 authentication-restart 60
event agent-found match-all
10 class always do-until-failure
10 terminate mab
20 authenticate using dot1x retries 2 retry-time 0 priority 10
event authentication-success match-all
event violation match-all
10 class always do-until-failure
10 restrict
!

To be sure remove dot1x config from port then check acl.

Remove config and shut/no shut port to retrun port to unauthorized status.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers