I have an ACL to prevent regular workstations from accessing the management vlan on our switch. Every 5 minutes we get the following log entry:
%SEC-6-IPACCESSLOGS: list mgtvlan-acl denied 0.0.0.0 20 packets
The switch is a Cisco 3750G running IOS C3750-IPBASEK9-M, Version 12.2(52) SE
The acl is:
ip access-list standard mgtvlan-acl
permit [management workstation network]
permit [other management networks]
deny any log
The acl is applied to the layer 3 interface called Vlan50
interface Vlan50
description management vlan
ip address 199.254.98.xx 255.255.255.192
ip access-group mgtvlan-acl in
I've tried various debug commands and ip accounting on the vlan50 interface. I also turned on terminal monitor just to make sure I could see everything without relying on the syslog server.
Is there any way I can get more information on what these packets are or where they are coming from (which physical interface) without going through the hassle of setting up wireshark?
If it helps, that's the message I would expect if something on the management vlan was trying to contact a DHCP server.
Two things I would do:
1) convert to an extended ACL so you can log destination IP address
2) see if your switch supports the 'log-input' argument at the end of an access expression. Log input records the source Mac of the frame which will help you find the culprit.
As mentioned above, DHCP is a good guess based on the data you have so far.
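The two changes the answer proposes, written out as an IOS configuration fragment. This is an added illustration, not configuration from the original post; the network placeholders are kept from the question, the ACL name mgtvlan-acl-ext, the wildcard placeholders and the sample log line (interface name and MAC) are constructed, and it assumes the 3750 accepts log-input on an extended ACL, which the answer says to verify first.

```text
! Extended ACL: same source-based policy as the standard list, but
! extended entries log the destination address and port as well.
ip access-list extended mgtvlan-acl-ext
 permit ip [management workstation network] [wildcard] any
 permit ip [other management networks] [wildcard] any
 ! Specific deny for DHCP client -> server traffic, placed before the
 ! catch-all, so a hit here confirms the DHCP guess on its own.
 deny   udp any eq bootpc any eq bootps log-input
 ! Everything else: log-input adds the ingress interface and source MAC.
 deny   ip any any log-input

! Swap the new list onto the SVI in place of the standard one.
interface Vlan50
 ip access-group mgtvlan-acl-ext in

! Optional: by default IOS logs the first match and then a summary
! every five minutes (the "20 packets" line). Lowering the update
! threshold makes each matching packet produce its own log entry;
! raise it back once the culprit is found, since ACL logging is
! handled by the switch CPU.
ip access-list log-update threshold 1

! Illustrative (constructed) message the deny entries would produce,
! showing the ingress interface and source MAC in parentheses:
! %SEC-6-IPACCESSLOGP: list mgtvlan-acl-ext denied udp 0.0.0.0(68)
!   (GigabitEthernet1/0/12 0011.2233.4455) -> 255.255.255.255(67), 1 packet
```

Once the source MAC is in the log, `show mac address-table address 0011.2233.4455` maps it to the physical port, which answers the "which interface" part of the question without a capture. A source of 0.0.0.0 with destination 255.255.255.255 on UDP 68 to 67 is a DHCP DISCOVER from a host with no lease, which is why a hit on the bootpc/bootps entry is conclusive.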