
Block rdp access on my switch

ohareka70
Level 3

Hello,

I am trying to block access from the switch on vlan7 outbound for tcp/3389. My IP is 10.230.1.99.

interface Vlan7
ip address 10.230.1.220 255.255.255.192
ip access-group BLOCK_RDP in
ip access-group BLOCK_RDP out

ip access-list extended BLOCK_RDP
deny   tcp any any eq 3389
deny   udp any any eq 3389
permit ip any any

access-list 11 permit 10.230.1.99

I am not getting any matches though, and RDP access is still working.

#sh ip access-lists

Extended IP access list BLOCK_RDP
    10 deny tcp any any eq 3389
    30 deny udp any any eq 3389
    40 permit ip any any (151 matches)

You have a host 10.230.1.99/26 in an access port assigned to vlan 7 - YES

pointing to a D/G 10.230.70/26 which is the L3 SVI of vlan 7 that resides on the L3 switch - NO, the Gateway is 10.230.1.126

and you are testing a RDP connection initiated from this host 10.230.1.99 towards 10.224.3.157 - correct? YES

SVI on the Layer 3 switch:

interface Vlan7
description Telem Hut Access VLAN 7
ip address 10.230.1.126 255.255.255.192

Don't you think you are confusing this thread here?

In one of the posts your VLAN 7 has a different IP address; in another post you have changed it to .70.

Now your post has 10.230.1.126.

So we are not sure how many devices you have here or how they are connected.

It is best to suggest that you post the full running-config, rather than us always assuming here.

Are you reading the earlier message that requested you to post a traceroute?


BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hello

I am wondering if this is an access switch you are trying this on?

Can you confirm whether this switch is performing the intervlan routing for your network or is just an access switch? If the latter, then this would be the reason why it isn't working!

The access-list needs to be applied to the routing device for your network, not an access switch, so either a router or an L3 switch.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Q: How would you block access to RDP from a layer 2 switch?

Just ignore my config and, if you could, advise on how you would do it.

My requirement is that I am on a layer 2 access switch and I want to restrict RDP from the user PCs to the server VLAN 10.224.x.x, which sits on a different switch in the campus LAN.

Hello

I suppose you can do it from the host PC that you want to deny access to, with a FW rule or something, but not from the L2 switch.

To negate RDP from a host on the network, the access-list has to be on a routed (L3) interface of the device performing the routing. The L3 interface on an L2 switch is just for management access to the switch, nothing more.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Thanks for your help on this - I might wait till after hours and try this.

Layer 2 switch: delete - ip access-list extended BLOCK_RDP

Layer 3 routing switch:

interface Vlan7
ip address 10.230.1.126 255.255.255.192
ip access-group BLOCK_RDP in
ip access-group BLOCK_RDP out

ip access-list extended BLOCK_RDP
deny   tcp any any eq 3389
deny   udp any any eq 3389
permit ip any any

L2 switch: NO, in short. The ACL is always required to be applied at the L3 interface where the traffic is passing.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Thanks for your help as well

Hello,

On a side note, since you are getting hits on 'ip any any', make sure that your RDP host is actually using port 3389 and not a different one...
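The two points the replies above make, that an ACL only takes effect on the routed interface of the device actually forwarding the traffic (Paul's and BB's posts) and that hits on 'permit ip any any' with none on the deny lines should prompt a check of which port the RDP host really uses (the last reply), as an added Python example. This is not code from the thread or from Cisco: it parses the BLOCK_RDP entries and the 'show ip access-lists' counters posted here and evaluates sample flows on two modelled switches. The switch names, the topology and the alternative port 3390 are assumptions constructed for the demonstration.

```python
"""Added example, not code from the thread or from Cisco: a small model of where an
IOS extended ACL is actually consulted.  It parses the BLOCK_RDP entries from the thread
and evaluates them against sample flows on two devices: an L2 access switch whose Vlan7
address is only a management SVI, and the L3 switch holding the routed Vlan7 SVI (the
default gateway).  Switch names, the topology and port 3390 are constructed."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Flow:
    proto: str        # "tcp" or "udp"
    src: str
    dst: str
    dport: int

@dataclass(frozen=True)
class Ace:
    action: str                    # "permit" or "deny"
    proto: str                     # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]           # set only for "eq <port>"

def parse_ace(line: str) -> Ace:
    """Parse one entry such as 'deny tcp any any eq 3389', also accepting the
    '10 deny ... (151 matches)' form printed by 'show ip access-lists'."""
    tokens = re.sub(r"\(\d+ matches?\)", "", line).split()
    if tokens[0].isdigit():                 # leading sequence number
        tokens = tokens[1:]
    action, proto = tokens[0], tokens[1]
    pos = 2

    def take_addr() -> ipaddress.IPv4Network:
        nonlocal pos
        if tokens[pos] == "any":
            pos += 1
            return ipaddress.ip_network("0.0.0.0/0")
        if tokens[pos] == "host":
            pos += 2
            return ipaddress.ip_network(tokens[pos - 1] + "/32")
        addr, wildcard = tokens[pos], tokens[pos + 1]
        pos += 2
        # an IOS wildcard mask is the bitwise inverse of the subnet mask
        mask = ipaddress.ip_address(int(ipaddress.ip_address(wildcard)) ^ 0xFFFFFFFF)
        return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

    src, dst = take_addr(), take_addr()
    dport = int(tokens[pos + 1]) if pos < len(tokens) and tokens[pos] == "eq" else None
    return Ace(action, proto, src, dst, dport)

def ace_matches(ace: Ace, flow: Flow) -> bool:
    return ((ace.proto == "ip" or ace.proto == flow.proto)
            and ipaddress.ip_address(flow.src) in ace.src
            and ipaddress.ip_address(flow.dst) in ace.dst
            and (ace.dport is None or ace.dport == flow.dport))

def evaluate(acl: list, flow: Flow) -> str:
    """First match wins; an extended ACL ends with an implicit 'deny ip any any'."""
    for ace in acl:
        if ace_matches(ace, flow):
            return ace.action
    return "deny"

@dataclass
class Switch:
    name: str
    routes_vlan7: bool     # True only where the Vlan7 SVI is the hosts' default gateway
    vlan7_acl_in: list

def forward(switch: Switch, flow: Flow) -> tuple:
    """Decision for a VLAN 7 host's traffic arriving on one of this switch's access ports."""
    if not switch.routes_vlan7:
        # The frame is bridged toward the uplink.  The L2 switch's Vlan7 address is only
        # its own management interface, so an ACL applied there never sees transit traffic.
        return "permit", "bridged at layer 2; SVI ACL not consulted"
    return evaluate(switch.vlan7_acl_in, flow), "routed via Vlan7 SVI; inbound ACL evaluated"

def hit_counters(show_output: str) -> dict:
    """Map (sequence, action) of each ACE in 'show ip access-lists' output to its match count."""
    counts = {}
    for line in show_output.splitlines():
        m = re.match(r"\s*(\d+)\s+(permit|deny)\b.*?(?:\((\d+) matches?\))?\s*$", line)
        if m:
            counts[(int(m.group(1)), m.group(2))] = int(m.group(3) or 0)
    return counts

def deny_lines_counting(show_output: str) -> bool:
    """False when only the final permit is counting: the traffic this ACL sees does not
    match the deny lines, so either the ACL sits on a device outside the forwarding path
    (only management traffic reaches it) or the host is not using port 3389."""
    return any(n > 0 for (_, action), n in hit_counters(show_output).items() if action == "deny")

BLOCK_RDP = [parse_ace(l) for l in (
    "deny   tcp any any eq 3389", "deny   udp any any eq 3389", "permit ip any any")]

# Constructed from the counters posted in the thread.
SHOW_IP_ACCESS_LISTS = """\
Extended IP access list BLOCK_RDP
    10 deny tcp any any eq 3389
    30 deny udp any any eq 3389
    40 permit ip any any (151 matches)
"""

RDP = Flow("tcp", "10.230.1.99", "10.224.3.157", 3389)
RDP_ALT = Flow("tcp", "10.230.1.99", "10.224.3.157", 3390)   # constructed non-default port
HTTPS = Flow("tcp", "10.230.1.99", "10.224.3.157", 443)
ACCESS_SW = Switch("telem-hut-access (L2)", routes_vlan7=False, vlan7_acl_in=BLOCK_RDP)  # assumed name
CORE_SW = Switch("campus-core (L3)", routes_vlan7=True, vlan7_acl_in=BLOCK_RDP)          # assumed name

if __name__ == "__main__":
    for sw in (ACCESS_SW, CORE_SW):
        for flow in (RDP, RDP_ALT, HTTPS):
            decision, why = forward(sw, flow)
            print(f"{sw.name:24} {flow.proto}/{flow.dport:<5} -> {decision:6} ({why})")
    print("deny lines counting hits:", deny_lines_counting(SHOW_IP_ACCESS_LISTS))
```

Running it shows the same ACL permitting the 3389 flow on the L2 switch (the ACL is never in the path) and denying it on the L3 switch, while a host listening on 3390 still passes through 'permit ip any any' on the L3 switch; the counter check returns False for the posted output, which is exactly the pattern that should prompt both the placement question and the port question.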
