Catalyst 3560 Port Blocking

quasimodo9911 · ‎12-15-2009

Hello Folks,

I am using a Catalyst 3560 and I want to block TCP and UDP ports on it. I've read that it is only possible to block incoming traffic on ports. Is that true? I am not sure, how to do this exactly. At the manual for the switch, there are two ways I can think of, that they will give me the success I want to get.

The first one is ACL. I want to get all incomming traffic on a specifig port, for example port 1863, blocked.

Switch# configure terminal

Switch (config) # access-list 102 deny tcp any any eq 1863

Switch (config) # access-list 102 permit tcp any any

Switch (config) # end

I used 102 because it is an extended IP, but I am not quite sure. What can I use IP standard, IP extended, IP standard (expanded range) or IP extended (expanded range) for this? Is the number I use in this range for each of one, used by random decission? Further I want to block any source IP using this port and for the delivery I want to block any destination. Should this work?

Another way I found on the manual is blocking flooded traffic on port.

Switch# configure terminal

Switch (config) # interface gigabitethernet0/1

Switch (config-if) # switchport block multicast

Switch (config-if) # switchport block unicast

Switch (config-if) # end

About this configuration I am absolutely in the dark. This is just an example from the manual. Which interface do I have to use to make the rule for the complete network and how can I find it (command)? Do the switchport block multicast and unicast commands have parameters, e.g. I think of switchport block multicast tcp 1863?

Thanks for help.

Cheers

Giuseppe Larosa · ‎12-16-2009

Hello Hans,

the first thing is to understand what the port is doing?

is the port configured as a switchport like

int gi0/1

switchport

swithcport mode access

then this means that it is an OSI layer2 port

an IP access-list is able to process L3 and above information and should be applied to a L3 interface.

If you need to use an extended ACL to specify a TCP port you can use the 100-199 or the equivalent extended range.

Standard ACLs can only match on source address.

the commands switchport block applies to multicast and unknown unicast in order to avoid flooding that for unknown unicast MAC destinations the frame has to be sent out all ports in the same vlan

see

http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_50_se/configuration/guide/swtrafc.html#wp1087814

Note:

TCP and multicast are not good companions:

TCP implies sessions and cannot be used with multicast.

if you are dealing with multicast you are dealing with UDP packets.

Hope to help

Giuseppe

quasimodo9911 · ‎12-16-2009

Thanks for this answer. Can I use the ACL setting than?

Giuseppe Larosa · ‎12-16-2009

Hello Hans,

you can use only inbound IP ACLs on a L2 switched port

see

You can apply ACLs only to inbound Layer 2 interfaces. Note these guidelines:

•When controlling access to an interface, you can use a named or numbered ACL.

•If you apply an ACL to a Layer 2 interface that is a member of a VLAN, the Layer 2 (port) ACL takes precedence over an input Layer 3 ACL applied to the VLAN interface or a VLAN map applied to the VLAN. Incoming packets received on the Layer 2 port are always filtered by the port ACL.

http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_25_se/configuration/guide/swacl.html#wp1285654

Hope to help

Giuseppe