Need to block UDP Port 10006 on Cisco Cat 2950

tom.last
Level 1

I have a need to stop UDP broadcast traffic on port 10006 between 2 ports on a Cisco Catalyst 2950 12 port switch.  What is the simplest way to do this ?

9 Replies

Jon Marshall
Hall of Fame

Tom

Using ACLs applied to the interfaces would work. Click on this link, then select the first link in the search results and scroll down to the section on network security ACLs (Chapter 28):

2950/2955 configuration guides

Jon

Jon,

This looks like it might well be the answer. Now I just need to work out what the syntax is. The devices will be 172.20.23.100 and 172.20.23.105, and the UDP port is 10006. I'd be happy to block all of this UDP traffic on the whole switch or just on the 2 ports in question, whichever is most straightforward.

Tom

tom.last@tdl.ltd.uk


Tom

Try this:

access-list 101 deny udp host 172.20.23.100 host 172.20.23.105 eq 10006
access-list 101 permit ip any any

access-list 102 deny udp host 172.20.23.105 host 172.20.23.100 eq 10006
access-list 102 permit ip any any

int gi0/1      <---- connected to 172.20.23.100; obviously you need to modify this depending on which port the host is connected to
ip access-group 101 in

int gi0/2      <---- connected to 172.20.23.105, with the same proviso as above
ip access-group 102 in

Jon
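The following is an added example, not from this thread, from Jon, or from Cisco. It extends the port ACL idea above to the broadcast case the original question describes: a datagram sent to 255.255.255.255 or to the subnet broadcast (172.20.23.255, assuming a /24) does not match a `host 172.20.23.105` destination, so the destination is left as `any` and the list is scoped by source host instead. It assumes 172.20.23.100 sits on FastEthernet0/1 and 172.20.23.105 on FastEthernet0/2, that the application sends to destination UDP port 10006, and that the switch runs the Enhanced Image (the Standard Image has no ACL support, which is one reason `ip access-group` may be missing from a Layer 2 port). Port ACLs on the 2950 are applied inbound only, so each host's own port filters what that host transmits; there is no outbound direction to use.

```cisco
! Added example; hypothetical port numbers and subnet, see the lead-in.
! One named extended ACL reused on both ports: drop UDP/10006 from either
! host to ANY destination (unicast peer, subnet broadcast or 255.255.255.255),
! then permit everything else so the rest of the LAN is untouched.
ip access-list extended BLOCK-UDP-10006
 remark UDP/10006 from either host, any destination (covers broadcast)
 deny   udp host 172.20.23.100 any eq 10006
 deny   udp host 172.20.23.105 any eq 10006
 remark implicit deny would otherwise drop all other IP traffic
 permit ip any any
!
! Port ACLs on the 2950 are inbound only; apply on the port each host
! is cabled to, so the filter catches the frame as the host sends it.
interface FastEthernet0/1
 description 172.20.23.100 (assumed)
 ip access-group BLOCK-UDP-10006 in
!
interface FastEthernet0/2
 description 172.20.23.105 (assumed)
 ip access-group BLOCK-UDP-10006 in
!
```

To check the result, `show access-lists` confirms the entries were accepted in the order given, and `show running-config interface FastEthernet0/1` (and 0/2) confirms the `ip access-group ... in` line actually attached; if it is rejected, the image is the first thing to verify. A broadcast from either host to UDP/10006 should then no longer appear on the other port, while ordinary traffic such as ARP and any other UDP or TCP ports continues to pass.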

OK, the switch has arrived and I'm struggling a bit. I can only assign an IP address to either VLAN1 or one of the FastEthernet interfaces (not both). I believe that I need to have an IP address assigned to the interface in order to assign ACLs to that interface. This is evident when I try the IP ACCESS-GROUP command on an interface with no IP address: the command is not available.

So I created 2 ACLs:

access-list 101 deny udp any any eq 10006
access-list 101 deny tcp any any eq 10006
access-list 101 permit ip any any

access-list 102 deny udp any any eq 10006
access-list 102 deny tcp any any eq 10006
access-list 102 permit ip any any

and I have tried to add the IP ACCESS-GROUP to VLAN 1 (as all the interfaces are in VLAN1):

int vlan1
ip access-group 101 in
ip access-group 102 out

I'm sure I'm missing something really obvious, but it's not working; the broadcast traffic is still going between ports 1 & 2.

Help?

Tom

Message was edited by: Tom Last

Leo Laohoo
Hall of Fame

A Cisco c2950 is a layer 2 switch.  A layer 2 switch would not know what an IP address is.

As Leo said... a layer 2 switch will know what an IP address is, but only for management purposes (to access the switch itself).

The layer 2 switch will not care about the IPs in terms of passing traffic because it is not aware of routing.

Federico.

Leo / Federico

I could be wrong, but as far as I know a L2 switch can filter on IP address. Have a look at the configuration guide I sent. A L2 switch does not have to be able to route to recognise IP addresses. Think of the fact that most L2 switches can recognise DSCP values, which again are a L3 marking in the IP header.

Jon

Jon,

You're right! I had completely forgotten about this.

You can configure ACLs based on L2, L3 or even L4 information on a L2 port on a L2 switch.

Definitely can give that a try.

If there's a layer 3 device I would do it there; if not, you can implement the ACLs on the L2 ports.

Federico.

Lousy time to quit Red Bulls before bed.  Me baaaaaaaaaaaaaaaaaaaaaaaad.
