I have an ACL which is supposed to deny all traffic except what's required for the client provisioning process. I can see the counter on the deny ACE increment when my client fails to connect, but I'm having trouble identifying exactly which IP/port it's trying to connect to.
What I've tried so far:
I did a packet capture on the DNS server and watched for its DNS requests. But I think there must be some connections that don't show up in there (maybe some statically configured IPs).
Then I tried:
debug packet logging acl eth 1 permit any <mac-addr>
debug packet logging acl eth 2 permit <mac-addr> any
debug packet logging enable all
But, this doesn't seem to show what I want. I think it's only showing packets sent to the CPU (I'm only seeing DHCP packets), and regular packets hitting the ACL must not be included here? Maybe I'm using it wrong?
Any good ideas of how to do this?