Windows XP Isolation - ACL & VLAN

burtmianus · ‎03-25-2014

Hi All,

We're trying to lock down our remaining Windows XP machines to minimise our exposure to unsupported OS, and one thing we're considering is a dedicated VLAN with an ACL that allows only specific traffic through to specific servers (DNS, LDAP, AV updates, Windows File Transfer, WSUS for reporting) - so far I've got this but as PT is not great at testing different ports I was hoping to get some feedback before i stick it on the core and break something:

ip access-list extended WINXP
permit tcp 172.16.233.0 0.0.0.255 host SOPHOS eq 80
permit tcp 172.16.233.0 0.0.0.255 host SOPHOS eq 137
permit tcp 172.16.233.0 0.0.0.255 host SOPHOS eq 138
permit tcp 172.16.233.0 0.0.0.255 host SOPHOS eq 139
permit tcp 172.16.233.0 0.0.0.255 host SOPHOS eq 445
permit tcp 172.16.233.0 0.0.0.255 host DNS eq 53
permit tcp 172.16.233.0 0.0.0.255 host DCG eq 389
permit tcp 172.16.233.0 0.0.0.255 host FILESERVER eq 445
permit tcp 172.16.233.0 0.0.0.255 host FILESERVER eq 139
permit tcp 172.16.233.0 0.0.0.255 host WSUS eq 8530
deny ip any any

int vlan x
ip access-group WINXP in

Any suggestions/feedback would be appreciated.

Jon Marshall · ‎03-25-2014

From my experience with Windows something will definitely break

DNS is UDP normally for DNS queries.

What about DHCP ?

What about general internet or do they do not need it or are they using a proxy ?

What i would do is create a temporary new vlan, create the L3 vlan interface for it, allocate one test XP machine into that vlan and apply the acl and then see what does and doesn't work.

Jon