01-03-2020 08:25 AM
Hello,
I am trying to block access from the switch on VLAN 7 outbound for tcp/3389. My IP is 10.230.1.99.
interface Vlan7
ip address 10.230.1.220 255.255.255.192
ip access-group BLOCK_RDP in
ip access-group BLOCK_RDP out
ip access-list extended BLOCK_RDP
deny tcp any any eq 3389
deny udp any any eq 3389
permit ip any any
access-list 11 permit 10.230.1.99
I am not getting any matches though, and RDP access is still working.
#sh ip access-lists
Extended IP access list BLOCK_RDP
10 deny tcp any any eq 3389
30 deny udp any any eq 3389
40 permit ip any any (151 matches)
01-06-2020 04:46 AM - edited 01-06-2020 04:49 AM
Hello
I suppose you can do it from the host PC that you want to deny access to, with a FW rule or something, but not from the L2 switch.
To negate RDP from a host on the network, the access-list has to be on a routed (L3) interface of the device performing the routing. The L3 interface on an L2 switch is just for mgt access to the switch, nothing more.
01-06-2020 04:56 AM
L2 switch: no, in short. An ACL is always required to be applied at the L3 interface where the traffic is passing.
01-03-2020 08:32 AM - edited 01-03-2020 08:34 AM
What is the gateway for this IP address: 10.230.1.99? (I do not believe this is part of the subnet of VLAN 7.)
Can you post the ipconfig /all output from the PC?
01-04-2020 03:15 AM
ip default-gateway 10.230.7.254
I have posted a config above.
01-03-2020 12:26 PM - edited 01-03-2020 02:03 PM
Hello
@ohareka70 wrote:
Hello,
I am trying to block access from the switch on VLAN 7 outbound for tcp/3389. My IP is 10.230.1.99.
interface Vlan7
ip address 10.230.1.220 255.255.255.192
ip access-group BLOCK_RDP in
ip access-group BLOCK_RDP out
ip access-list extended BLOCK_RDP
deny tcp any any eq 3389
deny udp any any eq 3389
permit ip any any
I am not getting any matches though, and RDP access is still working.
#sh ip access-lists
Extended IP access list BLOCK_RDP
10 deny tcp any any eq 3389
30 deny udp any any eq 3389
40 permit ip any any (151 matches)
Reason being the host is in the wrong subnet for VLAN 7, so the ACL appended to the SVI VLAN 7 isn't being matched for that host:
10.230.1.99/26 - hosts 10.230.1.66 -126
10.230.1.220/26 - hosts 10.230.1.193 -254 = vlan 7
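As an added illustration (not code from the thread or from Cisco), the following Python script works through the two points raised in this thread: the /26 subnet arithmetic above, and the earlier answer that a router ACL on an SVI of an L2 switch never sees transit traffic. The ACL evaluator is a minimal model of IOS first-match semantics with the implicit deny at the end; the "where the ACL is consulted" function is a deliberately simplified model of Catalyst behaviour, not IOS code. The addresses are the ones quoted in the thread; the usable host ranges are computed from the mask.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Values taken from the thread (constructed sample input for this script).
HOST_IP = "10.230.1.99"            # the laptop on the VLAN 7 access port
SVI7_ORIGINAL = "10.230.1.220/26"  # interface Vlan7 address in the first post
SVI7_CHANGED = "10.230.1.70/26"    # interface Vlan7 address after the change
RDP_TARGET = "10.224.3.157"        # server in the other office


def host_range(cidr: str) -> Tuple[str, str, str]:
    """Return (network, first usable host, last usable host) for an address/prefix."""
    net = ipaddress.ip_interface(cidr).network
    hosts = list(net.hosts())      # excludes network and broadcast addresses
    return str(net), str(hosts[0]), str(hosts[-1])


def same_subnet(addr: str, cidr: str) -> bool:
    """True when addr lies inside the subnet that the interface address cidr belongs to."""
    return ipaddress.ip_address(addr) in ipaddress.ip_interface(cidr).network


@dataclass
class Ace:
    """One entry of an IOS extended ACL, reduced to what BLOCK_RDP uses."""
    action: str              # "permit" or "deny"
    proto: str               # "ip" matches any protocol; otherwise "tcp" or "udp"
    dst_port: Optional[int]  # None when the "eq <port>" clause is absent

    def matches(self, proto: str, dst_port: int) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        return self.dst_port is None or self.dst_port == dst_port


# The ACL from the thread: deny tcp/udp 3389, permit everything else.
BLOCK_RDP: List[Ace] = [
    Ace("deny", "tcp", 3389),
    Ace("deny", "udp", 3389),
    Ace("permit", "ip", None),
]


def evaluate_acl(acl: List[Ace], proto: str, dst_port: int) -> str:
    """First matching entry wins, as in IOS; no match falls through to the implicit deny."""
    for ace in acl:
        if ace.matches(proto, dst_port):
            return ace.action
    return "deny"


def svi_acl_consulted(src: str, dst: str, svi_ip: str, ip_routing: bool) -> bool:
    """Simplified model (assumption, not vendor documentation) of when a router ACL
    on an SVI is consulted. With ip routing the SVI forwards between subnets, so transit
    packets pass through it. On an L2 switch the SVI is only the switch's own address:
    host-to-host traffic is bridged at layer 2 and the ACL sees only packets to or from
    that address."""
    if ip_routing:
        return True
    return src == svi_ip or dst == svi_ip


def rdp_outcome(src: str, dst: str, svi_cidr: str, ip_routing: bool) -> str:
    """What happens to a TCP/3389 session from src to dst with BLOCK_RDP on the SVI."""
    svi_ip = str(ipaddress.ip_interface(svi_cidr).ip)
    if not svi_acl_consulted(src, dst, svi_ip, ip_routing):
        return "forwarded (ACL never consulted)"
    verdict = evaluate_acl(BLOCK_RDP, "tcp", 3389)
    return "denied by ACL" if verdict == "deny" else "permitted by ACL"


if __name__ == "__main__":
    for cidr in (HOST_IP + "/26", SVI7_ORIGINAL, SVI7_CHANGED):
        print(cidr, "->", host_range(cidr))
    print("host in original VLAN 7 subnet:", same_subnet(HOST_IP, SVI7_ORIGINAL))
    print("host in changed VLAN 7 subnet: ", same_subnet(HOST_IP, SVI7_CHANGED))
    for routing in (False, True):
        print("ip routing", routing, "->",
              rdp_outcome(HOST_IP, RDP_TARGET, SVI7_CHANGED, routing))
```

Running it shows why the subnet fix alone changed nothing: once the SVI is moved to 10.230.1.70/26 the laptop is in its subnet, but with the switch bridging at layer 2 the session to 10.224.3.157 never passes through the SVI, so the deny entries stay at zero matches while the permit line keeps counting the switch's own traffic.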
01-04-2020 03:14 AM
Paul,
I have changed the IP address to .70 now, but still no hits for blocking port 3389.
I have posted the config if you don't mind taking a look.
SW03#sh run
version 15.2
no ip source-route
no ip gratuitous-arps
vtp domain ttttt
vtp mode transparent
mls qos
vlan 2-7,9,12,14-16
!
vlan 21
name WIFI_USRS
!
vlan 257
name voice
!
vlan 500-501
!
lldp run
interface GigabitEthernet1/0/1
description Phone and PC
switchport access vlan 7
switchport mode access
switchport voice vlan 257
priority-queue out
no snmp trap link-status
mls qos trust dscp
spanning-tree portfast
spanning-tree bpduguard enable
!
etc
interface GigabitEthernet1/0/49
description primary uplink
switchport trunk allowed vlan 1,7,8,20,21,257
switchport mode trunk
interface GigabitEthernet1/0/50
description Sw-L3-01
switchport mode trunk
interface Vlan1
description Mgmt VLAN
ip address 10.230.31.7 255.255.255.0 secondary
ip address 10.230.7.198 255.255.255.192
no ip redirects
no ip unreachables
no ip proxy-arp
no ip route-cache
interface Vlan7
ip address 10.230.1.70 255.255.255.192
ip access-group BLOCK_RDP in
ip access-group BLOCK_RDP out
ip default-gateway 10.230.7.254
ip access-list extended BLOCK_RDP
deny tcp any any eq 3389
deny udp any any eq 3389
permit ip any any
access-list 11 permit 10.230.1.99
vstack
01-04-2020 03:24 AM
Hello,
What is the target IP address for the RDP traffic that is supposed to be blocked? Are the 'ip any any' hits increasing in sync with your attempts to connect through RDP? Do a 'debug ip packet' and post the output here during an attempt to connect through RDP.
01-04-2020 03:33 AM - edited 01-04-2020 03:35 AM
Hello
Do you have ip routing enabled on the switch? Can your host ping all the L3 SVIs of the switch?
How are you testing this? A telnet session on port 3389 to the SVI 7 of the switch? If so, how have you created an RDP session on the switch?
Or do you have an additional host on this VLAN that is RDP active?
01-04-2020 03:58 AM
Yes - I can ping all SVIs, which are on the layer 3 distribution switch (next hop).
Show access-lists
Extended IP access list BLOCK_RDP
10 deny tcp any any eq 3389
30 deny udp any any eq 3389
40 permit ip any any (9821 matches) THIS IS INCREASING
BRECOMSW03#debug ip packet
IP packet debugging is on
NOTHING SHOWING
Maybe the problem is I am connected to this switch with my laptop via port 37 and I am trying to block Microsoft RDP access from my laptop to 10.224.3.157, but I thought I could do it at switch level.
01-04-2020 04:31 AM
Hello,
Where is the VLAN for 10.224.3.157? You are missing something fundamental. Post the full running configuration of the switch (sh run).
01-04-2020 06:28 AM
This IP is from a different office. I can ping that IP and remote on to the server OK. What I want to do is restrict tcp/3389 from the local switch to it. Is that possible?
01-04-2020 07:02 AM
Try and apply the access list to the Vlan 1 interface:
interface Vlan1
description Mgmt VLAN
ip address 10.230.31.7 255.255.255.0 secondary
ip address 10.230.7.198 255.255.255.192
ip access-group BLOCK_RDP in
ip access-group BLOCK_RDP out
no ip redirects
no ip unreachables
no ip proxy-arp
no ip route-cache
01-06-2020 02:49 AM
Sorry, but that didn't work.
01-04-2020 08:35 AM
OK, not sure you hit the right gateway here.
Here is my understanding, and I'd like to know more inputs from you:
PC has IP address 10.230.1.99,
which is connected to the same switch, port 37 (can you post the port 37 config?) - I suggest posting the full config of the switch (show run).
What is the 10.230.1.99 gateway (is this statically configured or obtained from DHCP)? Can you post an ipconfig /all screenshot?
From the PC, can you also send the output of traceroute 10.224.3.157?
01-06-2020 04:14 AM
01-04-2020 08:51 AM - edited 01-06-2020 03:11 AM
Hello
@ohareka70 wrote: Maybe the problem is I am connected to this switch with my laptop via port 37 and I am trying to block Microsoft RDP access from my laptop to 10.224.3.157, but I thought I could do it at switch level.
You should be able to, and that ACL looks applicable to do so, also for inter-VLAN routing! You may need to apply the ACL to the VLAN that is connecting upstream towards your WAN; however, can you first clarify:
You have a host 10.230.1.99/26 in an access port assigned to VLAN 7, pointing to a D/G 10.230.1.70/26, which is the L3 SVI of VLAN 7 that resides on the L3 switch, and you are testing an RDP connection initiated from this host 10.230.1.99 towards 10.224.3.157 - correct?