cancel
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 
cancel
6004
Views
30
Helpful
23
Replies

Block rdp access on my switch

ohareka70
Level 3
Level 3

Hello,

I am trying to block access from switch on vlan7 outbound for tcp/3389.  My IP is 10.230.1.99 

 

interface Vlan7

ip address 10.230.1.220 255.255.255.192

ip access-group BLOCK_RDP in

ip access-group BLOCK_RDP out

 

ip access-list extended BLOCK_RDP

deny   tcp any any eq 3389

deny   udp any any eq 3389

permit ip any any

 

access-list 11 permit 10.230.1.99

 

I am not getting any matches though and RDP access is still working

#sh ip access-lists

Extended IP access list BLOCK_RDP
    10 deny tcp any any eq 3389
    30 deny udp any any eq 3389
    40 permit ip any any (151 matches)

 

2 Accepted Solutions

Accepted Solutions

Hello

I suppose you can do it from the host pc that you want to deny access with a fw rule or something but not from the L2 switch

To negate RDP from a host on the network the access-list has to be on a routed (l3) interface of the device performing the routing, The L3 interface on a L2 switch is just for mgt access to the switch nothing more.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the communityā€™s global network.

Kind Regards
Paul

View solution in original post

L2 Switch  NO in short answer, ACL required to be applied always @ L3 interface where the traffic passing.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

View solution in original post

23 Replies 23

balaji.bandi
Hall of Fame
Hall of Fame

what is the gateway for this IP address : 10.230.1.99  ( i do not believe this is part of the subnet of VLAN7)

 

can you post ipconfig/all from PC output ?

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

ip default-gateway 10.230.7.254

I have posted a config above 

Hello


@ohareka70 wrote:

Hello,

I am trying to block access from switch on vlan7 outbound for tcp/3389.  My IP is 10.230.1.99 

 

interface Vlan7

ip address 10.230.1.220 255.255.255.192

ip access-group BLOCK_RDP in

ip access-group BLOCK_RDP out

 

ip access-list extended BLOCK_RDP

deny   tcp any any eq 3389

deny   udp any any eq 3389

permit ip any any

 

 

 

I am not getting any matches though and RDP access is still working

#sh ip access-lists

Extended IP access list BLOCK_RDP
    10 deny tcp any any eq 3389
    30 deny udp any any eq 3389
    40 permit ip any any (151 matches)

 


Reason being the host is in the wrong subnet for vlan 7 so the acl appended to the svi vlan 7 inst being matched for that host:

10.230.1.99/26 - hosts  10.230.1.66 -126
10.230.1.220/26 -  hosts 10.230.1.193 -254  =  vlan 7


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the communityā€™s global network.

Kind Regards
Paul

Paul,

I have changed the IP address to .70 now but still not hits for blocking port 3389

I have posted the config if you dont mind taking a look

 

SW03#sh run

version 15.2

no ip source-route

no ip gratuitous-arps

vtp domain ttttt

vtp mode transparent

mls qos

 

vlan 2-7,9,12,14-16

!

vlan 21

name WIFI_USRS

!

vlan 257

name voice

!

vlan 500-501

!

lldp run

 

interface GigabitEthernet1/0/1

description Phone and PC

switchport access vlan 7

switchport mode access

switchport voice vlan 257

priority-queue out

no snmp trap link-status

mls qos trust dscp

spanning-tree portfast

spanning-tree bpduguard enable

!

etc

interface GigabitEthernet1/0/49

description primary uplink

switchport trunk allowed vlan 1,7,8,20,21,257

switchport mode trunk

 

interface GigabitEthernet1/0/50

description Sw-L3-01

switchport mode trunk

 

 

interface Vlan1

description Mgmt VLAN

ip address 10.230.31.7 255.255.255.0 secondary

ip address 10.230.7.198 255.255.255.192

no ip redirects

no ip unreachables

no ip proxy-arp

no ip route-cache

 

interface Vlan7

ip address 10.230.1.70 255.255.255.192

ip access-group BLOCK_RDP in

ip access-group BLOCK_RDP out

 

ip default-gateway 10.230.7.254

 

ip access-list extended BLOCK_RDP

deny   tcp any any eq 3389

deny   udp any any eq 3389

permit ip any any

 

access-list 11 permit 10.230.1.99

vstack

Hello,

 

what is the target IP address for the RDP traffic that is supposed to be blocked ? Are the 'ip any any' hits increasing in sync with your attempts to connect through RDP ? Do a 'debug ip packet' and post the output here during an attempt to connect through RDP...

Hello

do you have ip routing enabled on the switch - can your host ping all the l3 svi's of the switch

 

How are you testing this? - a telnet session on port 3389 to the svi 7 of the switch and if so how have you created a rdp session on the switch?

or do you have an additional host on this vlan that is rdp active?


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the communityā€™s global network.

Kind Regards
Paul

Yes - i can ping all SVI's which are on the layer 3 distribution switch (next hop)

 

Show access-lists

Extended IP access list BLOCK_RDP

    10 deny tcp any any eq 3389

    30 deny udp any any eq 3389

    40 permit ip any any (9821 matches) THIS IS INCREASING

 

BRECOMSW03#debug ip packet

IP packet debugging is on

NOTHING SHOWING

 

Maybe the problem is i am connected on this switch with my laptop via port 37 and i am trying to block microsoft rdp access from my laptop to 10.224.3.157 but though i could do it at switch level

Hello,

 

where is the Vlan for 10.224.3.157 ? You are missing something fundamental. Post the full running configuration of the switch (sh run)...

This IP is from a different Office.  I can ping that IP and remote on the server ok.  What i want to do is restrict tcp/3389 from the local switch to it.  Is that possible?

Try and apply the access list to the Vlan 1 interface:

 

interface Vlan1

description Mgmt VLAN

ip address 10.230.31.7 255.255.255.0 secondary

ip address 10.230.7.198 255.255.255.192

ip access-group BLOCK_RDP in

ip access-group BLOCK_RDP out

no ip redirects

no ip unreachables

no ip proxy-arp

no ip route-cache

Sorry but that didnt work

ok Not sure you hit the right gateway here.

 

here is my understanding and like to know more inputs from you :

 

PC has IP address  - 10.230.1.99 

Which is connected same Switch port  37 ( can you post the Port 37 config ) - suggest to post full config of the switch. ( show run)

what is the 10.230.1.99  gateway (is this static configured or getting from DHCP) - can you post ipconfig /all  screenshot

from PC can you also send the output traceroute 10.224.3.157

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

I have attached what you require

I think their is something not right with the deny statement 

Hello


@ohareka70 wrote:

Maybe the problem is i am connected on this switch with my laptop via port 37 and i am trying to block microsoft rdp access from my laptop to 10.224.3.157 but though i could do it at switch level


You should be able to and that acl looks applicable to do so also for inter-vlan routing! you may need to apply the acl to the vlan that is connecting upstream towards your wan, however can you first clarify ---

You have a host 10.230.1.99/26 in a access port assigned to vlan 7  pointing to a D/G 10.230.1.70/26 which is the L3 SVI of vlan 7 that resides on the L3 switch and you are testing a RDP connection initiated from this host 10.230.1.99 towards 10.224.3.157- correct ?



Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the communityā€™s global network.

Kind Regards
Paul
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Innovations in Cisco Full Stack Observability - A new webinar from Cisco

Ā