Blocking 8010 port servers communication

rmarulandazapata · ‎03-19-2009

Hi.

How can I block the communication between two servers on port 8010 on a 4506 switch?. I can do it for access lists?

Thanks in advance,

R@M

Jon Marshall · ‎03-19-2009

Yes you can.

If the servers are on different vlans then you can just standard acl's on the L3 vlan interfaces.

If the servers are on the same vlan then you can use vlan maps to restrict access.

See this link for 4500 acl configuration details -

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/44sg/configuration/guide/secure.html

Jon

rmarulandazapata · ‎03-19-2009

Thank you very much Jon.

then for my case the setup would be:

Switch(config)# ip access-list extended 8010

Switch(config-ext-nacl)# permit udp host x.x.x.x host x.x.x.x eq 8010

Switch(config-ext-nacl)# exit

Next, create a VLAN access map named map2 so that traffic that matches the http access list is dropped and all other IP traffic is forwarded, as follows:

Switch(config)# vlan access-map map2 10

Switch(config-access-map)# match ip address 8010

Switch(config-access-map)# action drop

Switch(config-access-map)# exit

Switch(config)# ip access-list extended match_all

Switch(config-ext-nacl)# permit ip any any

Switch(config-ext-nacl)# exit

Switch(config)# vlan access-map map2 20

Switch(config-access-map)# match ip address match_all

Switch(config-access-map)# action forward

Then, apply the VLAN access map named map2 to VLAN 1, as follows:

Switch(config)# vlan filter map2 vlan 1

This would block traffic to this port in both directions?

Thanks again,

R@M