Thanks for the response, I have it set on in/out, and I can adjust for in only. But it is not blocking a simple inbound to port 22 (ssh).
After setting/applying the ACL to the port, shut/no shut on the port, is there anything else I need to do to have this take affect?

Once you apply it, it should take effect. According the the ACL it looks like you are allowing SSH port 22 with the permit tcp any any. Did you mean to deny it? 

 

Try this ACL:

 

mac access-list extended multicastDeny
deny any 0100.5e00.0000 0000.00ff.ffff
permit any any

 

int g1/0/33
mac access-group multicastDeny in

 

You may have to play with extended/standard and named vs numberd MAC ACL depending on your platform.

 

 

-David

 

Thanks again - my deny ssh rule was near the top (with the other deny), here is the complete acl - so deny ssh is prior to any permits, so should block ssh - correct?
Extended IP access list Block-SIM
10 deny udp any range 7400 7499 any range 7400 7499 log
15 deny tcp any eq 22 any log
20 permit tcp any any log
30 permit udp any any log
40 permit ip any any log
cs7#

Extended IP access list Block-SIM
10 deny udp any range 7400 7499 any range 7400 7499 log
15 deny tcp any eq 22 any log   <- 15 deny tcp any any eq 22 log
20 permit tcp any any log
30 permit udp any any log
40 permit ip any any log
cs7#

 

It looks like your denying based on source port f 22. When you ssh to a client you use a destination port of 22.

 

 

-David

Thanks - updating the deny rule made it block ssh, so I at least know the ACL rule is working.
Is there anything wrong with the format of:
10 deny udp any range 7400 7499 any range 7400 7499 log ?

I want it to deny any inbound UDP traffic within the port range of 7400-7499

It doesn't look like there is anything wrong with the format. Are you getting confirmation that UDP packets are able to send on ports 7400-7499 from the interface? Maybe you can try testing in on the VLAN interface (applied inbound) where I think you can use the log command to see if anything is hitting it.

 

-Daivd

Thanks, but not sure what you mean by "AAA override" - are you saying ISE is overriding my Block-SIM ACL?
Here is the port config - where/how is it overridden?
interface GigabitEthernet1/0/33
description *** User Data Port ***
switchport access vlan 80
switchport mode access
switchport block multicast
ip access-group Block-SIM in
logging event link-status
authentication timer reauthenticate server
access-session port-control auto
mab
snmp trap mac-notification change added
snmp trap mac-notification change removed
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
service-policy type control subscriber POLICY_Gi1/0/33
end

policy-map type control subscriber POLICY_Gi1/0/33
event session-started match-all
10 class always do-until-failure
10 authenticate using dot1x retries 2 retry-time 0 priority 10
event authentication-failure match-first
5 class DOT1X_FAILED do-until-failure
10 terminate dot1x
20 authenticate using mab priority 20
10 class DOT1X_NO_RESP do-until-failure
10 terminate dot1x
20 authenticate using mab priority 20
20 class MAB_FAILED do-until-failure
10 terminate mab
20 authentication-restart 60
40 class always do-until-failure
10 terminate dot1x
20 terminate mab
30 authentication-restart 60
event agent-found match-all
10 class always do-until-failure
10 terminate mab
20 authenticate using dot1x retries 2 retry-time 0 priority 10
event authentication-success match-all
event violation match-all
10 class always do-until-failure
10 restrict
!

To be sure remove dot1x config from port then check acl.

Remove config and shut/no shut port to retrun port to unauthorized status.