Setting up notification for ACL denies

Cryen
Level 1

Hi,

I want to set up Notifications when an unknown Device Plugs into a Catalyst 3750 that is not in the ACL.

I just can't seem to figure out how to do it.

9 Replies

deny any any log <<- this is what you need, add it to the end of the ACL

I tried this, but it says that the command is not known

balaji.bandi
Hall of Fame
I want to set up Notifications when an unknown Device Plugs into a Catalyst 3750 that is not in the ACL.

What kind of ACL do you have? An IP ACL contains IP addresses; when the device is plugged in, the IP ACL may not have any effect. If this is a MAC ACL, or if the port has port security configured, you will see a syslog message (if logging is configured).

Based on the syslog message, you can use an EEM script to notify you by email; an action to shut down the port is also possible.

Does this make sense?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hi,
it is an extended MAC ACL that I created with a name.

I configured a bunch of permitted devices and at the end a "deny any any".

I can't add the "log" at the end. Can you explain how to configure port security so it is logged, and how to configure the EEM script?

That's the limitation of the MAC ACL. The other option is that you can set up a trap for MAC addresses, send it to syslog, and make an out-of-the-box report.


! Global: turn on MAC-address-table change notification and export it as SNMP traps
mac address-table notification
snmp-server enable traps mac-notification
! <community> is the SNMP community string; x.x.x.x is the trap receiver (placeholders)
snmp-server host x.x.x.x version 2c <community> mac-notification
!
! Per port: send a trap when a MAC is learned on or aged out of this interface
interface gigx/x
 snmp trap mac-notification added
 snmp trap mac-notification removed

BB

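Since the MAC ACL itself cannot log, the port-security plus EEM route mentioned above is what actually produces a notification. The following configuration is an added example and is not from any poster in this thread; the interface name, mail server and e-mail addresses are placeholders.

```cisco
! Added example (not from the thread). Placeholders: interface, mail server, addresses.
!
! 1) Port security instead of the MAC ACL for "unknown device" detection.
!    "sticky" learns the first MAC and writes it to the running config;
!    "restrict" drops frames from any other MAC, keeps the port up, and
!    generates %PORT_SECURITY-2-PSECURE_VIOLATION in syslog (plus an SNMP trap).
interface GigabitEthernet1/0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation restrict
!
! 2) Keep a local copy of the messages and forward them to a syslog collector.
logging buffered 16384
logging host 192.0.2.50
!
! 3) EEM applet: match the violation message and e-mail its full text.
!    $_syslog_msg is the built-in variable holding the matched syslog line.
event manager environment _email_server 192.0.2.25
event manager environment _email_from switch01@example.net
event manager environment _email_to netops@example.net
event manager applet PSEC_VIOLATION_MAIL
 event syslog pattern "PORT_SECURITY-2-PSECURE_VIOLATION"
 action 1.0 mail server "$_email_server" to "$_email_to" from "$_email_from" subject "Port-security violation" body "$_syslog_msg"
```

`show port-security interface GigabitEthernet1/0/1` and `show event manager policy registered` confirm that both pieces are active.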

Cryen
Level 1

Config is something like this:

conf t
!
! Named extended MAC ACL: one permit per known device, implicit deny made explicit
mac access-list extended acl

permit host xxxx.xxxx.xxxx any
permit host xxxx.xxxx.xxxx any
permit host xxxx.xxxx.xxxx any
permit host xxxx.xxxx.xxxx any
permit host xxxx.xxxx.xxxx any
permit host xxxx.xxxx.xxxx any
permit host xxxx.xxxx.xxxx any
permit host xxxx.xxxx.xxxx any
permit host xxxx.xxxx.xxxx any
deny any any
!
! Applied inbound on the access ports (interface range is a placeholder)
interface range gigx/x - x
 mac access-group acl in

All Interfaces have this ACL configured

Sorry, the MAC ACL does not support any LOG. Let me explain:
the MAC ACL is a HW ACL, i.e. it is done in TCAM, not in the CPU; the LOG message is generated by the CPU, and since the MAC ACL does not run in the CPU, it does not support LOG.

Hi,
sad to hear that, but if that is the case then I guess it is not possible.

msrsu
Level 1

I am also dealing with this problem.
