01-07-2020 10:55 AM
We've applied the following PACL on our 2960X access switches:
access-list 170 deny ip 172.16.7.0 0.0.0.255 172.16.7.0 0.0.0.255
access-list 170 permit ip 172.16.7.0 0.0.0.255 any
access-list 170 permit udp any host 255.255.255.255 eq bootps
access-list 170 deny ip any any
All our clients are in the 172.16.7.0-255 range, so this ACL denies them from communicating with each other and only allows a 172.16.7.0-255 IP to reach our servers and the internet. It's to help prevent lateral movement from a compromised endpoint. We've had the rules in place for a couple of weeks now without any issues.
When we do a "sh access-list" on the switch, the last rule "deny ip any any" is getting a lot of matches, which is surprising to us. We tried setting up a VLAN port mirror and doing a packet capture, but I think the PACL is filtering the packets before they'd hit the port mirror and show up in Wireshark.
Is there any way for us to see what that rule is actually catching?
Does anyone have any ideas what that rule might be catching?
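The following is an added example, not code from the thread or from Cisco: a small first-match evaluator for the four-line PACL above, run over a handful of constructed sample flows, so you can see which line each kind of packet lands on without access to the switch. It models only what the ACL text states (Cisco wildcard masks, first match wins, "ip" matching every IP protocol, the bootps port being UDP/67); it does not model the platform's TCAM counters, and non-IP frames such as ARP never touch an IP ACL at all. The sample packets (an APIPA 169.254.x.x host, a NetBIOS broadcast, an IGMP report from 0.0.0.0) are constructed illustrations, not traffic observed in this thread.

```python
import ipaddress
from collections import Counter

# The PACL as posted, one tuple per line:
# (action, protocol, src, src_wildcard, dst, dst_wildcard, dst_port_or_None)
# "any" is written as 0.0.0.0 with wildcard 255.255.255.255; "host X" is X with wildcard 0.0.0.0.
ACL = [
    ("deny",   "ip",  "172.16.7.0", "0.0.0.255",       "172.16.7.0",      "0.0.0.255",       None),
    ("permit", "ip",  "172.16.7.0", "0.0.0.255",       "0.0.0.0",         "255.255.255.255", None),
    ("permit", "udp", "0.0.0.0",    "255.255.255.255", "255.255.255.255", "0.0.0.0",         67),
    ("deny",   "ip",  "0.0.0.0",    "255.255.255.255", "0.0.0.0",         "255.255.255.255", None),
]


def ip_int(addr):
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr, network, wildcard):
    # Cisco wildcard semantics: a 1 bit in the wildcard means "don't care".
    care = ~ip_int(wildcard) & 0xFFFFFFFF
    return (ip_int(addr) & care) == (ip_int(network) & care)


def evaluate(src, dst, proto, dport=None):
    """Return (line_number, action) of the first ACL line the packet matches.

    line_number is 1-based to mirror the order in 'show access-list';
    a packet matching nothing falls to the implicit deny (line 0).
    """
    for line, (action, aproto, anet, awild, bnet, bwild, aport) in enumerate(ACL, start=1):
        if aproto != "ip" and aproto != proto:
            continue
        if not wildcard_match(src, anet, awild):
            continue
        if not wildcard_match(dst, bnet, bwild):
            continue
        if aport is not None and dport != aport:
            continue
        return line, action
    return 0, "deny"


# Constructed sample flows (assumed, not captured): (src, dst, proto, dport, description)
SAMPLES = [
    ("172.16.7.10",  "172.16.7.20",     "tcp",  445, "client-to-client SMB"),
    ("172.16.7.10",  "172.16.7.255",    "udp",  137, "NetBIOS subnet broadcast"),
    ("172.16.7.10",  "10.0.0.5",        "tcp",  443, "client to server"),
    ("0.0.0.0",      "255.255.255.255", "udp",  67,  "DHCP discover"),
    ("169.254.33.7", "169.254.255.255", "udp",  137, "APIPA host broadcast"),
    ("0.0.0.0",      "224.0.0.22",      "igmp", None, "IGMP report before DHCP"),
]


def classify(samples=SAMPLES):
    """Map every sample to the ACL line that catches it."""
    return [(desc, *evaluate(src, dst, proto, dport))
            for src, dst, proto, dport, desc in samples]


def rule_hit_counts(samples=SAMPLES):
    """Per-line match counts, the same shape as the counters in 'show access-list'."""
    return Counter(line for _, line, _ in classify(samples))


if __name__ == "__main__":
    for desc, line, action in classify():
        print(f"{desc:28s} -> line {line} ({action})")
    print("hits per line:", dict(rule_hit_counts()))
```

Run it as a script and the output lists which line each sample hits and a per-line tally. The useful observation is that line 4 is reached only by packets whose source is outside 172.16.7.0/24 or that are not UDP/67 to the limited broadcast; the evaluator lets you test your own candidate flows before you go hunting for them on the wire.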
01-07-2020 03:04 PM
access-list 170 deny ip any any log
#terminal monitor
or logging to buffer as informational
01-07-2020 03:07 PM - edited 01-07-2020 05:50 PM
My research indicates the 2960X can only log router ACLs and cannot log port ACLs.