Cisco Support Community

New Member

Windows XP Isolation - ACL & VLAN

Hi All,


We're trying to lock down our remaining Windows XP machines to minimise our exposure to an unsupported OS, and one thing we're considering is a dedicated VLAN with an ACL that allows only specific traffic through to specific servers (DNS, LDAP, AV updates, Windows File Transfer, WSUS for reporting). So far I've got this, but as PT is not great at testing different ports I was hoping to get some feedback before I stick it on the core and break something:


ip access-list extended WINXP
 permit tcp any host SOPHOS eq 80
 permit tcp any host SOPHOS eq 137
 permit tcp any host SOPHOS eq 138
 permit tcp any host SOPHOS eq 139
 permit tcp any host SOPHOS eq 445
 permit tcp any host DNS eq 53
 permit tcp any host DCG eq 389
 permit tcp any host FILESERVER eq 445
 permit tcp any host FILESERVER eq 139
 permit tcp any host WSUS eq 8530
 deny ip any any


int vlan x
ip access-group WINXP in



Any suggestions/feedback would be appreciated.

  • LAN Switching and Routing
Hall of Fame Super Blue

From my experience with Windows something will definitely break :)

DNS is UDP normally for DNS queries.

What about DHCP?

What about general internet, or do they not need it, or are they using a proxy?

What I would do is create a temporary new VLAN, create the L3 VLAN interface for it, allocate one test XP machine into that VLAN, apply the ACL and then see what does and doesn't work.
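Before the test VLAN exists, the draft can also be checked on paper. The evaluator below is an added example, not code from either poster or from Cisco: it parses a subset of the draft ACL (with the missing source field added) and reports which constructed client flows it would drop, reproducing the reply's points about UDP DNS and DHCP. The host names are the poster's placeholders; the flows and the 203.0.113.10 address are constructed for the example.

```python
# Added example, not from the thread: a minimal evaluator for Cisco-style
# extended ACL entries, showing which client flows the draft ACL permits.
# Host names (SOPHOS, DNS, DCG, WSUS) are the poster's placeholders; the flows
# are constructed from the reply's questions (UDP DNS, DHCP, internet access).
from collections import namedtuple

Flow = namedtuple("Flow", "proto src dst dport")  # proto is "tcp" or "udp"

def parse_ace(line: str):
    """Parse 'permit|deny <proto> <src> <dst> [eq <port>]'; src/dst are any|host X."""
    tok = line.split()
    action, proto, i, addrs = tok[0], tok[1], 2, []
    for _ in range(2):                          # source, then destination
        if tok[i] == "any":
            addrs.append(None); i += 1          # None matches any address
        elif tok[i] == "host":
            addrs.append(tok[i + 1]); i += 2
        else:
            raise ValueError(f"unsupported address in ACE: {line!r}")
    dport = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
    return action, proto, addrs[0], addrs[1], dport

def evaluate(acl, flow: Flow) -> str:
    """First matching entry wins; every Cisco ACL ends with an implicit deny."""
    for action, proto, src, dst, dport in map(parse_ace, acl):
        if proto in ("ip", flow.proto) and src in (None, flow.src) \
                and dst in (None, flow.dst) and dport in (None, flow.dport):
            return action
    return "deny"

DRAFT_ACL = [                                   # subset of the post's draft
    "permit tcp any host SOPHOS eq 80",
    "permit tcp any host DNS eq 53",
    "permit tcp any host DCG eq 389",
    "permit tcp any host WSUS eq 8530",
    "deny ip any any",
]
FLOWS = {                                       # constructed; "XP" = any XP client
    "dns-udp": Flow("udp", "XP", "DNS", 53),
    "dns-tcp": Flow("tcp", "XP", "DNS", 53),
    "dhcp": Flow("udp", "XP", "255.255.255.255", 67),
    "ldap": Flow("tcp", "XP", "DCG", 389),
    "internet": Flow("tcp", "XP", "203.0.113.10", 443),
}

def blocked(acl=DRAFT_ACL) -> list:
    """Flows the ACL drops: resolve these before applying it on the core."""
    return sorted(n for n, f in FLOWS.items() if evaluate(acl, f) == "deny")
```

Prepending a UDP 53 entry to the list shows the DNS flow moving off the blocked list while DHCP and internet access still need a decision.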

