3650 Port based ACL not working (also how to log/monitor the ACL)

newbieftd
Beginner

IOS 16.3.6 Denali, with ISE 3.6 patch 6 (in monitor mode)

#sh license feature-version
Feature Name Version
----------------------------
ipservices 1.0
ipservices eval 1.0
ipbase 1.0
ipbase eval 1.0
lanbase 1.0


I have created a PACL to block all multicast and a range of ports in both directions; I added the log entry to the end of each line:

Extended IP access list Block-SIM
10 deny udp any range 7400 7499 any range 7400 7499 log
20 permit tcp any any log
30 permit udp any any log
40 permit ip any any log


And on the ports I want this to operate on:

interface GigabitEthernet1/0/33
description *** User Data Port ***
switchport access vlan 80
switchport mode access
switchport block multicast
ip access-group Block-SIM in
ip access-group Block-SIM out

logging event link-status
authentication timer reauthenticate server
access-session port-control auto
mab
snmp trap mac-notification change added
snmp trap mac-notification change removed
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
service-policy type control subscriber POLICY_Gi1/0/33
end


From what I read, I should be able to see the counters with "sh platform acl counters hardware", but our software does not have that command.

Because the others failed, I added a block on ssh (easier to test) "15 deny tcp any eq 22 any log" - but nothing is ever blocked.


Two questions:

  1. Why isn't the ACL working? Nothing is being stopped.
  2. How can I monitor the counters/log? Nothing is going to the terminal (using term mon), and nothing is in the syslog either.

thanks 


David Ruess
Rising star

Hello,

A couple of things. I remember reading that PACLs can only work in the inbound direction (not out). I'll have to dig that up. And according to this Cisco doc the "log" keyword, along with a few others, does not work.


Catalyst 3560 Switch Software Configuration Guide, Release 12.2(55)SE - Configuring Network Security with ACLs [Cisco Catalyst 3560 Series Switches] - Cisco


Search for Port ACL


You can also try using a MAC-based ACL to deny the multicast range of MAC addresses.

-David

Thanks for the response. I have it set on in/out, and I can adjust for in only. But it is not blocking a simple inbound connection to port 22 (ssh).
After setting/applying the ACL to the port and doing a shut/no shut on the port, is there anything else I need to do to have this take effect?

Once you apply it, it should take effect. According to the ACL, it looks like you are allowing SSH port 22 with the permit tcp any any. Did you mean to deny it?

Try this ACL:


mac access-list extended multicastDeny
deny any 0100.5e00.0000 0000.00ff.ffff
permit any any


int g1/0/33
mac access-group multicastDeny in


You may have to play with extended/standard and named vs. numbered MAC ACL depending on your platform.

-David
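As an added example (not from either poster), here is the original IPv4 port ACL reworked along the lines of this thread: the SSH test entry matches the destination port instead of the source port (in IOS extended ACL syntax, "deny tcp any eq 22 any" puts "eq 22" after the source address, so it matches replies coming from an SSH server, not a client on the access port connecting to one), the "log" keyword is dropped per David's note, the ACL is applied inbound only, and an IPv4 multicast deny is added as the layer-3 equivalent of David's MAC ACL. The sequence numbers and the hardware counter command are assumptions for this release.

```text
! Added example, not from the original posts. Shown as the intended final
! configuration; remove the existing entries first (no 10 ... no 40) or
! recreate the list, since IOS rejects a duplicate sequence number.
ip access-list extended Block-SIM
 remark SIM port range in both directions (kept from the original)
 10 deny   udp any range 7400 7499 any range 7400 7499
 remark client on this port opening SSH: destination port 22, so "any any eq 22"
 15 deny   tcp any any eq 22
 remark all IPv4 multicast (224.0.0.0/4), same goal as the MAC ACL at layer 3
 17 deny   ip  any 224.0.0.0 15.255.255.255
 20 permit tcp any any
 30 permit udp any any
 40 permit ip  any any
!
interface GigabitEthernet1/0/33
 ! port ACLs are inbound only, so the outbound binding is removed
 no ip access-group Block-SIM out
 ip access-group Block-SIM in
!
! Verification: "show ip access-lists Block-SIM" confirms the entries are
! present; its per-entry counters may not reflect hardware-switched
! traffic. Hardware hit counts on IOS XE 16.x (command assumed available
! on this release; check with "show platform software fed switch ?"):
! show platform software fed switch active acl counters hardware
```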