
01-03-2020 08:25 AM
Hello,
I am trying to block access from the switch on VLAN 7 outbound for tcp/3389. My IP is 10.230.1.99.
interface Vlan7
ip address 10.230.1.220 255.255.255.192
ip access-group BLOCK_RDP in
ip access-group BLOCK_RDP out
ip access-list extended BLOCK_RDP
deny tcp any any eq 3389
deny udp any any eq 3389
permit ip any any
access-list 11 permit 10.230.1.99
I am not getting any matches, though, and RDP access is still working:
#sh ip access-lists
Extended IP access list BLOCK_RDP
10 deny tcp any any eq 3389
30 deny udp any any eq 3389
40 permit ip any any (151 matches)

01-04-2020 09:31 AM
You have a host 10.230.1.99/26 in an access port assigned to VLAN 7 - YES
pointing to a D/G 10.230.70/26 which is the L3 SVI of VLAN 7 that resides on the L3 switch - NO, the gateway is 10.230.1.126
and you are testing an RDP connection initiated from this host 10.230.1.99 towards 10.224.3.157 - correct? YES
SVI on the Layer 3 switch:
interface Vlan7
description Telem Hut Access VLAN 7
ip address 10.230.1.126 255.255.255.192
01-04-2020 10:10 AM
Don't you think you are confusing this thread here?
In one of your posts VLAN 7 had a different IP address, in another post you changed it to .70,
and now your post has 10.230.1.126.
So we are not sure how many devices you have here or how they are connected.
It is best to suggest that you post the full running-config, rather than having us always assume here.
Are you reading the earlier message that requested you to post a traceroute?
01-06-2020 03:58 AM - edited 01-06-2020 06:12 AM
Hello
I am wondering if this is an access switch you are trying this on?
Can you confirm whether this switch is performing the inter-VLAN routing for your network or is just an access switch? If the latter, then this would be the reason why it isn't working!
The access-list needs to be applied to the routing device for your network, not to any access switch, so either a router or an L3 switch.
Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.
Kind Regards
Paul

01-06-2020 04:17 AM
Q: How would you block access to RDP from a layer 2 switch?
Just ignore my config and, if you could, advise on how you would do it.
My requirement is that I am on a layer 2 access switch and I want to restrict RDP from the user PCs to the server VLAN 10.224.x.x, which sits on a different switch in the campus LAN.
01-06-2020 04:46 AM - edited 01-06-2020 04:49 AM
Hello
I suppose you can do it from the host PC that you want to deny access to with a firewall rule or something, but not from the L2 switch.
To negate RDP from a host on the network, the access-list has to be on a routed (L3) interface of the device performing the routing. The L3 interface on an L2 switch is just for management access to the switch, nothing more.
Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.
Kind Regards
Paul
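As an added illustration of the placement point made in this reply and of how the BLOCK_RDP entries posted earlier in the thread are matched (example code written for this edit, not from the thread or from Cisco): a small Python evaluator for IOS-style extended ACL entries with wildcard masks. It assumes, as the reply states, that the SVI of a pure L2 access switch only handles the switch's own management traffic, so a host-to-host flow is never evaluated there; the flows, port numbers and function names are constructed.

```python
import ipaddress

def _addr_spec(tokens):
    """Consume one IOS address spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'. Returns (matcher, rest)."""
    if tokens[0] == "any":
        return (lambda ip: True), tokens[1:]
    if tokens[0] == "host":
        want = int(ipaddress.IPv4Address(tokens[1]))
        return (lambda ip: ip == want), tokens[2:]
    base, wc = int(ipaddress.IPv4Address(tokens[0])), int(ipaddress.IPv4Address(tokens[1]))
    # Wildcard mask: 1 bits are "don't care", so only the bits that are 0 in the mask must agree.
    return (lambda ip: (ip | wc) == (base | wc)), tokens[2:]

def _port_spec(tokens):
    """Consume an optional 'eq PORT' qualifier (None means any port)."""
    if tokens and tokens[0] == "eq":
        return int(tokens[1]), tokens[2:]
    return None, tokens

def parse_acl(text):
    """Parse extended-ACL entries in the form posted in the thread: ACTION PROTO SRC [eq P] DST [eq P]."""
    acl = []
    for line in text.strip().splitlines():
        action, proto, *rest = line.split()
        src, rest = _addr_spec(rest)
        sport, rest = _port_spec(rest)
        dst, rest = _addr_spec(rest)
        dport, _ = _port_spec(rest)
        acl.append((action, proto, src, sport, dst, dport))
    return acl

def evaluate(acl, flow):
    """First-match evaluation; flow = (proto, src_ip, sport, dst_ip, dport). Returns (action, ACE index)."""
    proto, sip, sport, dip, dport = flow
    sip, dip = int(ipaddress.IPv4Address(sip)), int(ipaddress.IPv4Address(dip))
    for idx, (action, p, src, sp, dst, dp) in enumerate(acl):
        if p in ("ip", proto) and src(sip) and dst(dip) and sp in (None, sport) and dp in (None, dport):
            return action, idx
    return "deny", None  # implicit deny at the end of every IOS ACL

def filtered_on(acl, flow, svi_routes_transit):
    """Model the thread's root cause: an SVI ACL on a pure L2 access switch (assumption: that SVI only
    handles the switch's own management traffic) never sees a host-to-host flow, so nothing is counted."""
    if not svi_routes_transit:
        return "not evaluated", None
    return evaluate(acl, flow)

BLOCK_RDP = parse_acl("deny tcp any any eq 3389\ndeny udp any any eq 3389\npermit ip any any")
# Constructed flows: the thread's RDP test (10.230.1.99 -> 10.224.3.157) and the server's reply.
RDP_SYN = ("tcp", "10.230.1.99", 51234, "10.224.3.157", 3389)
RDP_REPLY = ("tcp", "10.224.3.157", 3389, "10.230.1.99", 51234)
```

Evaluating RDP_REPLY shows that "eq 3389" matches the destination port only, so the "in" copy on the routing switch's Vlan7 SVI is what stops sessions started by VLAN 7 hosts, while the "out" copy only stops RDP initiated from other VLANs towards VLAN 7.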

01-06-2020 05:57 AM
Thanks for your help on this. I might wait till after hours and try this:
Layer 2 switch: delete ip access-list extended BLOCK_RDP
Layer 3 routing switch:
interface Vlan7
ip address 10.230.1.126 255.255.255.192
ip access-group BLOCK_RDP in
ip access-group BLOCK_RDP out
ip access-list extended BLOCK_RDP
deny tcp any any eq 3389
deny udp any any eq 3389
permit ip any any
01-06-2020 04:56 AM
L2 switch: NO, in short. An ACL always needs to be applied at the L3 interface where the traffic is passing.

01-06-2020 05:58 AM
Thanks for your help as well.

01-03-2020 01:30 PM
Hello,
On a side note, since you are getting hits on 'permit ip any any', make sure that your RDP host is actually using port 3389 and not a different one...
