12-15-2009 09:05 PM - edited 03-04-2019 06:59 AM
Hello Folks,
I am using a Catalyst 3560 and I want to block TCP and UDP ports on it. I've read that it is only possible to block incoming traffic on ports. Is that true? I am not sure how to do this exactly. In the manual for the switch, there are two ways I can think of that will give me the result I want.
The first one is an ACL. I want to get all incoming traffic on a specific port, for example port 1863, blocked.
Switch# configure terminal
Switch(config)# access-list 102 deny tcp any any eq 1863
Switch(config)# access-list 102 permit tcp any any
Switch(config)# end
I used 102 because it is an extended IP ACL, but I am not quite sure. What can I use IP standard, IP extended, IP standard (expanded range) or IP extended (expanded range) for? Is the number I use in the range for each one chosen at random? Further, I want to block any source IP using this port, and for the delivery I want to block any destination. Should this work?
Another way I found in the manual is blocking flooded traffic on a port.
Switch# configure terminal
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# switchport block multicast
Switch(config-if)# switchport block unicast
Switch(config-if)# end
About this configuration I am absolutely in the dark. This is just an example from the manual. Which interface do I have to use to make the rule for the complete network, and how can I find it (command)? Do the switchport block multicast and unicast commands have parameters? For example, I am thinking of switchport block multicast tcp 1863.
Thanks for help.
Cheers
12-16-2009 01:01 AM
Hello Hans,
The first thing is to understand what the port is doing.
Is the port configured as a switchport, like
int gi0/1
switchport
switchport mode access
If so, this means that it is an OSI layer 2 port.
An IP access-list is able to process L3 and above information and should be applied to a L3 interface.
If you need to use an extended ACL to specify a TCP port you can use the 100-199 or the equivalent extended range.
Standard ACLs can only match on source address.
The switchport block commands apply to multicast and unknown unicast in order to avoid flooding: for unknown unicast MAC destinations the frame has to be sent out all ports in the same VLAN.
see
Note:
TCP and multicast are not good companions:
TCP implies sessions and cannot be used with multicast.
If you are dealing with multicast, you are dealing with UDP packets.
Hope to help
Giuseppe
12-16-2009 02:02 AM
Thanks for this answer. Can I use the ACL setting then?
12-16-2009 04:43 AM
Hello Hans,
You can use only inbound IP ACLs on a L2 switched port.
see
You can apply ACLs only to inbound Layer 2 interfaces. Note these guidelines:
•When controlling access to an interface, you can use a named or numbered ACL.
•If you apply an ACL to a Layer 2 interface that is a member of a VLAN, the Layer 2 (port) ACL takes precedence over an input Layer 3 ACL applied to the VLAN interface or a VLAN map applied to the VLAN. Incoming packets received on the Layer 2 port are always filtered by the port ACL.
Hope to help
Giuseppe
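An added worked example, not from the thread, that puts the two answers together: an extended ACL that covers both TCP and UDP 1863 and is applied inbound on one Layer 2 port (port ACL). The interface name and ACL number are taken from the question; the "permit ip any any" line is the part the original ACL was missing.

```cisco
! Added example (not from the thread): block TCP and UDP destination port 1863
! inbound on one switchport, while letting all other IP traffic through.
Switch# configure terminal
Switch(config)# access-list 102 deny tcp any any eq 1863
Switch(config)# access-list 102 deny udp any any eq 1863
Switch(config)# access-list 102 permit ip any any
! Every ACL ends with an implicit deny. With only "permit tcp any any" as the
! final line, UDP, ICMP and all other non-TCP traffic would be dropped as well.
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# ip access-group 102 in
! Port ACLs on a Layer 2 switchport are inbound only; "out" is not accepted here.
! The ACL filters traffic entering this one port, so it must be applied on each
! access port that should enforce it (or use a VLAN map for the whole VLAN).
Switch(config-if)# end
! Verify the ACL contents and that it is bound to the interface.
Switch# show access-lists 102
Switch# show running-config interface gigabitethernet0/1
```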