
I have an ACL to prevent regular workstations from accessing the management vlan on our switch. Every 5 minutes we get the following log entry:

%SEC-6-IPACCESSLOGS: list mgtvlan-acl denied 0.0.0.0 20 packets

The switch is a Cisco 3750G running IOS C3750-IPBASEK9-M, Version 12.2(52) SE

The acl is:

ip access-list standard mgtvlan-acl
permit [management workstation network]
permit [other management networks]
deny any log

The acl is applied to the layer 3 interface called Vlan50

interface Vlan50
  description management vlan
  ip address 199.254.98.xx 255.255.255.192
  ip access-group mgtvlan-acl in

I've tried various debug commands and ip accounting on the vlan50 interface. I also turned on terminal monitor just to make sure I could see everything without relying on the syslog server.

Is there any way I can get more information on what these packets are or where they are coming from (which physical interface) without going through the hassle of setting up Wireshark?

murisonc

2 Answers


If it helps, that's the message I would expect if something on the management VLAN was trying to contact a DHCP server.

longneck

Two things I would do:

1) Convert to an extended ACL so you can log the destination IP address.

2) See if your switch supports the 'log-input' argument at the end of an access expression. 'log-input' records the source MAC of the frame, which will help you find the culprit.

As mentioned above, DHCP is a good guess based on the data you have so far.

Jason Seemann
  • Perfect. I created an identical extended ACL and got the MAC address. MAC table lookup showed the port. The NIC on the server isn't being used and kept trying to get an IP. – murisonc Apr 26 '13 at 19:29
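The two answers above describe the procedure (convert to an extended ACL with 'log-input', read the source MAC out of the log, look it up in the MAC address table) and the likely culprit (a DHCP DISCOVER from 0.0.0.0). The script below is an added example, not code from the original thread, that carries both steps through on constructed data: it parses the standard-ACL log format from the question and the extended 'log-input' format, flags the 0.0.0.0:68 -> 255.255.255.255:67 UDP pattern as a DHCP client, and maps the logged MAC to a port with a made-up 'show mac address-table' output. The ACL name mgtvlan-acl-ext, the MAC 0011.2233.4455, the port Gi1/0/12 and the assumption that the SVI (Vlan50) is what appears as the logged interface are all invented for the example.

```python
"""Added example (not from the original post): pull the source MAC out of an
IOS 'log-input' ACL hit and map it to a physical port via the MAC table.
All sample data below is constructed."""
import re
from typing import Dict, Optional, Tuple

# Constructed sample log lines.  The first is the format the question's
# standard ACL produces (source address only).  The second is what the same
# traffic would look like after converting to an extended ACL with
# 'log-input', roughly (assumed name and placeholders kept from the question):
#
#   ip access-list extended mgtvlan-acl-ext
#    permit ip [management workstation network] any
#    permit ip [other management networks] any
#    deny   ip any any log-input
#
# The interface name, MAC and packet counts are made up for the example.
SAMPLE_LOGS = [
    "%SEC-6-IPACCESSLOGS: list mgtvlan-acl denied 0.0.0.0 20 packets",
    "%SEC-6-IPACCESSLOGP: list mgtvlan-acl-ext denied udp 0.0.0.0(68) "
    "(Vlan50 0011.2233.4455) -> 255.255.255.255(67), 20 packets",
]

# Constructed 'show mac address-table' output; the idle server NIC is on Gi1/0/12.
SAMPLE_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  50    0011.2233.4455    DYNAMIC     Gi1/0/12
  50    001a.2b3c.4d5e    DYNAMIC     Gi1/0/1
Total Mac Addresses for this criterion: 2
"""

# Standard ACL log: only the source address is recorded.
STANDARD_RE = re.compile(
    r"IPACCESSLOGS: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+) (?P<count>\d+) packets?"
)
# Extended ACL log for TCP/UDP.  The '(interface mac)' group is only present
# when the entry uses 'log-input' rather than plain 'log'.
EXTENDED_RE = re.compile(
    r"IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>tcp|udp) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\((?P<sport>\d+)\) "
    r"(?:\((?P<ifname>\S+) (?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\) )?"
    r"-> (?P<dst>\d+\.\d+\.\d+\.\d+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)
# One data row of 'show mac address-table': vlan, mac, type, port.
MAC_ROW_RE = re.compile(
    r"^\s*(?P<vlan>\d+)\s+(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(?P<port>\S+)\s*$"
)


def parse_acl_log(line: str) -> Optional[dict]:
    """Return the fields of an IPACCESSLOGS/IPACCESSLOGP line, or None."""
    for rx in (STANDARD_RE, EXTENDED_RE):
        m = rx.search(line)
        if m:
            fields = m.groupdict()
            for key in ("sport", "dport", "count"):
                if fields.get(key) is not None:
                    fields[key] = int(fields[key])
            return fields
    return None


def parse_mac_table(text: str) -> Dict[str, Tuple[int, str]]:
    """Map MAC -> (vlan, port) from 'show mac address-table' output."""
    table: Dict[str, Tuple[int, str]] = {}
    for row in text.splitlines():
        m = MAC_ROW_RE.match(row)
        if m:
            table[m["mac"]] = (int(m["vlan"]), m["port"])
    return table


def looks_like_dhcp_discover(entry: dict) -> bool:
    """A host with no address broadcasting UDP 68 -> 67 is a DHCP client."""
    return (entry.get("proto") == "udp" and entry.get("sport") == 68
            and entry.get("dport") == 67 and entry.get("src") == "0.0.0.0")


def locate_source(entry: dict, mac_table: Dict[str, Tuple[int, str]]) -> Optional[str]:
    """Physical port the frame came in on, if the log carries a source MAC."""
    mac = entry.get("mac")
    if mac is None:
        return None  # standard ACL or plain 'log': nothing to look up
    hit = mac_table.get(mac)
    return hit[1] if hit else None


if __name__ == "__main__":
    table = parse_mac_table(SAMPLE_MAC_TABLE)
    for line in SAMPLE_LOGS:
        entry = parse_acl_log(line)
        print(entry["acl"], "src", entry["src"], "mac", entry.get("mac"),
              "port", locate_source(entry, table),
              "(DHCP client)" if looks_like_dhcp_discover(entry) else "")
```

Two caveats when doing this on the real switch: the count in these lines is a summary (IOS batches ACL log hits over an interval, which is why the question sees one line every 5 minutes, so do not read it as a live packet count), and every packet that hits a 'log' or 'log-input' entry on a Catalyst 3750 is punted to the CPU, so leave the logging entry in place only as long as it takes to find the port.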