
3650 Port based ACL not working (also how to log/monitor the ACL)


IOS 16.3.6 Denali, with ISE 3.6 patch 6 (in monitor mode)

#sh license feature-version
Feature Name Version
ipservices 1.0
ipservices eval 1.0
ipbase 1.0
ipbase eval 1.0
lanbase 1.0


I have created a PACL to block all multicast and a range of ports in both directions; I added the log keyword to the end of each line.

Extended IP access list Block-SIM
10 deny udp any range 7400 7499 any range 7400 7499 log
20 permit tcp any any log
30 permit udp any any log
40 permit ip any any log


And on the ports I want this to operate on:

interface GigabitEthernet1/0/33
description *** User Data Port ***
switchport access vlan 80
switchport mode access
switchport block multicast
ip access-group Block-SIM in
ip access-group Block-SIM out

logging event link-status
authentication timer reauthenticate server
access-session port-control auto
snmp trap mac-notification change added
snmp trap mac-notification change removed
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
service-policy type control subscriber POLICY_Gi1/0/33


From what I read, I should be able to see the counters with:

"sh platform acl counters hardware" but our software does not have that command.

Because the others failed, I added a block on ssh (easier to test) "15 deny tcp any eq 22 any log" - but nothing is ever blocked.


Two questions:

  1. Why isn't the ACL working? Nothing is being stopped.
  2. How can I monitor the counters/log? Nothing is going to the terminal (using term mon), and nothing is in the syslog either.




David Ruess
Rising star



A couple of things. I remember reading that PACLs can only work in the inbound direction (not out). I'll have to dig that up. And according to this Cisco doc the "log" keyword, along with a few others, does not work.


Catalyst 3560 Switch Software Configuration Guide, Release 12.2(55)SE - Configuring Network Security with ACLs [Cisco Catalyst 3560 Series Switches] - Cisco


Search for Port ACL


You can also try using a MAC based ACL to deny the multicast range of MAC addresses



Thanks for the response, I have it set on in/out, and I can adjust for in only. But it is not blocking a simple inbound to port 22 (ssh).
After setting/applying the ACL to the port and doing a shut/no shut on the port, is there anything else I need to do to have this take effect?

Once you apply it, it should take effect. According to the ACL it looks like you are allowing SSH port 22 with the permit tcp any any. Did you mean to deny it?


Try this ACL:


mac access-list extended multicastDeny
deny any 0100.5e00.0000 0000.00ff.ffff
permit any any


int g1/0/33
mac access-group multicastDeny in


You may have to play with extended/standard and named vs. numbered MAC ACLs depending on your platform.
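To make the first-match behaviour of both ACLs in this thread concrete, here is an added example (not code from the thread or from Cisco) that parses the Block-SIM entries, including the "15 deny tcp any eq 22 any log" line added while testing, and the multicastDeny MAC ACL, then evaluates constructed sample packets against them. It only models ACL matching: IOS wildcard masks for both IP addresses and MACs (set bits are don't-care), port operators eq/range, and the implicit deny at the end. It does not model the switch hardware, so the log keyword and the in/out direction question are out of scope. The sample addresses and MACs are constructed for the example.

```python
import ipaddress

# Copied from the thread: the Block-SIM PACL plus the seq-15 test line.
IP_ACL_TEXT = """
10 deny udp any range 7400 7499 any range 7400 7499 log
15 deny tcp any eq 22 any log
20 permit tcp any any log
30 permit udp any any log
40 permit ip any any log
"""

# Copied from the thread: the MAC ACL suggested for the IPv4 multicast range.
MAC_ACL_TEXT = """
deny any 0100.5e00.0000 0000.00ff.ffff
permit any any
"""


def parse_ip_match(tokens):
    """Consume 'any', 'host A' or 'A wildcard'; return (predicate, remaining tokens)."""
    if tokens[0] == "any":
        return (lambda a: True), tokens[1:]
    if tokens[0] == "host":
        h = ipaddress.ip_address(tokens[1])
        return (lambda a: ipaddress.ip_address(a) == h), tokens[2:]
    base = int(ipaddress.ip_address(tokens[0]))
    wild = int(ipaddress.ip_address(tokens[1]))  # IOS wildcard: 1 bits are ignored
    return (lambda a: (int(ipaddress.ip_address(a)) | wild) == (base | wild)), tokens[2:]


def parse_port_match(tokens):
    """Consume an optional 'eq N' or 'range LO HI'; absent means any port."""
    if tokens and tokens[0] == "eq":
        n = int(tokens[1])
        return (lambda p: p == n), tokens[2:]
    if tokens and tokens[0] == "range":
        lo, hi = int(tokens[1]), int(tokens[2])
        return (lambda p: lo <= p <= hi), tokens[3:]
    return (lambda p: True), tokens


def parse_ip_acl(text):
    """Parse sequenced extended IP ACL lines into (seq, action, proto, src, sport, dst, dport)."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        seq, action, proto, rest = int(tok[0]), tok[1], tok[2], tok[3:]
        src, rest = parse_ip_match(rest)
        sport, rest = parse_port_match(rest)   # port operator right after the SOURCE address
        dst, rest = parse_ip_match(rest)
        dport, rest = parse_port_match(rest)   # port operator right after the DESTINATION address
        entries.append((seq, action, proto, src, sport, dst, dport))  # trailing 'log' ignored here
    return entries


def evaluate_ip(entries, pkt):
    """First match wins; return (seq, action), or (None, 'deny') for the implicit deny."""
    for seq, action, proto, src, sport, dst, dport in entries:
        if proto != "ip" and proto != pkt["proto"]:
            continue
        if not (src(pkt["src"]) and dst(pkt["dst"])):
            continue
        if proto in ("tcp", "udp") and not (sport(pkt["sport"]) and dport(pkt["dport"])):
            continue
        return seq, action
    return None, "deny"


def mac_int(dotted):
    """'0100.5e00.0000' -> integer."""
    return int(dotted.replace(".", ""), 16)


def parse_mac_match(tokens):
    """Consume 'any', 'host M' or 'M mask' (mask is a wildcard, like the IP form)."""
    if tokens[0] == "any":
        return (lambda m: True), tokens[1:]
    if tokens[0] == "host":
        h = mac_int(tokens[1])
        return (lambda m: mac_int(m) == h), tokens[2:]
    base, wild = mac_int(tokens[0]), mac_int(tokens[1])
    return (lambda m: (mac_int(m) | wild) == (base | wild)), tokens[2:]


def parse_mac_acl(text):
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        src, rest = parse_mac_match(tok[1:])
        dst, rest = parse_mac_match(rest)
        entries.append((tok[0], src, dst))
    return entries


def evaluate_mac(entries, src_mac, dst_mac):
    for action, src, dst in entries:
        if src(src_mac) and dst(dst_mac):
            return action
    return "deny"


def demo():
    """Constructed sample traffic evaluated against the two ACLs from the thread."""
    ip_acl, mac_acl = parse_ip_acl(IP_ACL_TEXT), parse_mac_acl(MAC_ACL_TEXT)
    client_syn = {"proto": "tcp", "src": "10.80.0.20", "sport": 51514, "dst": "10.80.0.5", "dport": 22}
    server_reply = {"proto": "tcp", "src": "10.80.0.5", "sport": 22, "dst": "10.80.0.20", "dport": 51514}
    sim_udp = {"proto": "udp", "src": "10.80.0.20", "sport": 7410, "dst": "10.80.0.30", "dport": 7420}
    return {
        "client_to_port_22": evaluate_ip(ip_acl, client_syn),    # seq 15 matches SOURCE port 22 only
        "reply_from_port_22": evaluate_ip(ip_acl, server_reply),
        "sim_range": evaluate_ip(ip_acl, sim_udp),
        "to_ipv4_multicast_mac": evaluate_mac(mac_acl, "0011.2233.4455", "0100.5e01.0203"),
        "to_unicast_mac": evaluate_mac(mac_acl, "0011.2233.4455", "0011.2233.4466"),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Running it shows why a client connection to port 22 is not stopped by "deny tcp any eq 22 any": the operator sits after the source address, so it matches packets whose source port is 22 (the server's replies), while the client's SYN has destination port 22 and falls through to sequence 20. The MAC ACL evaluation shows the wildcard 0000.00ff.ffff catching every destination under 0100.5e00.0000 while unicast frames reach the permit entry.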