Monitoring a PACL on a 2960X

We've applied the following PACL on our 2960X access switches:
access-list 170 deny ip 172.16.7.0 0.0.0.255 172.16.7.0 0.0.0.255
access-list 170 permit ip 172.16.7.0 0.0.0.255 any
access-list 170 permit udp any host 255.255.255.255 eq bootps
access-list 170 deny ip any any

All our clients are in the 172.16.7.0-255 range, so this ACL denies them from communicating with each other and only allows a 172.16.7.0-255 IP to reach our servers and the internet. It's to help prevent lateral movement from a compromised endpoint. We've had the rules in place for a couple of weeks now without any issues.

When we do a "sh access-list" on the switch, the last rule "deny ip any any" is getting a lot of matches, which is surprising to us. We tried setting up a VLAN port mirror and doing a packet capture, but I think the PACL is filtering the packets before they'd hit the port mirror and show up in Wireshark.

Is there any way for us to see what that rule is actually catching?

Does anyone have any ideas what that rule might be catching?
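Since the switch itself will not show which packets fall through to the last line, one offline way to reason about it is to replay candidate flows through the ACL's own first-match semantics. This is an added example, not part of the thread and not Cisco code: it parses the numbered extended ACL exactly as posted (copied into the script as a constructed input) into wildcard-mask entries and returns the first ACE a given packet matches, the way IOS evaluates an access list top-down; the Packet fields and all function names are the example's own.

```python
import ipaddress
from typing import NamedTuple, Optional

# Constructed copy of the PACL quoted in the post; it is the simulator's only input.
ACL_170 = """
access-list 170 deny ip 172.16.7.0 0.0.0.255 172.16.7.0 0.0.0.255
access-list 170 permit ip 172.16.7.0 0.0.0.255 any
access-list 170 permit udp any host 255.255.255.255 eq bootps
access-list 170 deny ip any any
"""
PORT_NAMES = {"bootps": 67, "bootpc": 68}   # IOS port keywords this ACL uses

def ip_int(s: str) -> int:
    return int(ipaddress.IPv4Address(s))

class Packet(NamedTuple):                   # the fields an extended ACE matches on
    src: str; dst: str; proto: str          # proto: "tcp", "udp", "icmp", ...
    dport: Optional[int] = None

class Entry(NamedTuple):                    # one parsed ACE; addresses and wildcards as ints
    action: str; proto: str; src: int; src_wc: int; dst: int; dst_wc: int
    dport: Optional[int]; text: str

def _parse_addr(tokens):                    # 'any' | 'host A' | 'A WILDCARD' -> (base, wildcard, rest)
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF, tokens[1:]
    if tokens[0] == "host":
        return ip_int(tokens[1]), 0, tokens[2:]
    return ip_int(tokens[0]), ip_int(tokens[1]), tokens[2:]

def parse_acl(text: str) -> list:
    entries = []
    for line in text.strip().splitlines():
        t = line.split()                    # access-list <n> <action> <proto> <src> <dst> [eq <port>]
        src, src_wc, rest = _parse_addr(t[4:])
        dst, dst_wc, rest = _parse_addr(rest)
        dport = (PORT_NAMES.get(rest[1]) or int(rest[1])) if rest[:1] == ["eq"] else None
        entries.append(Entry(t[2], t[3], src, src_wc, dst, dst_wc, dport, line))
    return entries

def _wc_match(addr: int, base: int, wildcard: int) -> bool:
    # Cisco wildcard: a 1 bit is "don't care"; every 0 bit must equal the base address.
    return (addr & ~wildcard) == (base & ~wildcard)

def first_match(entries, pkt: Packet) -> Optional[Entry]:
    """IOS walks the ACEs top-down and the first match wins; return that ACE, or None."""
    for e in entries:
        if e.proto in ("ip", pkt.proto) and (e.dport is None or e.dport == pkt.dport) \
           and _wc_match(ip_int(pkt.src), e.src, e.src_wc) and _wc_match(ip_int(pkt.dst), e.dst, e.dst_wc):
            return e
    return None                             # implicit deny; this ACL ends with an explicit one anyway
```

Feeding it constructed flows shows what the text of the ACL implies: a DHCP DISCOVER from 0.0.0.0 lands on the bootps permit, a client that never got a lease and is talking from a 169.254.x.x address lands on the final deny, and anything sourced from 172.16.7.0/24 never reaches that line. Candidates like the second one are what to look for in a capture taken on the client side of the port, before the PACL drops them.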

2 Replies

balaji.bandi
Hall of Fame

access-list 170 deny ip any any log
#terminal monitor
or logging to buffer as informational

BB

My research indicates the 2960X can only log router ACLs and cannot log port ACLs. 