New Member

new vlan - blocking specific ports

I am confused about what type of ACL to use, whether a std ACL or a VACL.

I have to block these ports both inbound and outbound.

What is the proper way to create this ACL? Deny these ports and then do a permit ip any any at the end? Is this a best practice?

Here's what I've got to block:

The Microsoft ports need to be blocked in both directions and these are...

UDP and TCP 21, 23, 25, 42, 53, 102, 135, 136, 137, 138, 139, 389, 522, 636, 1494, 1503, 1720, 1731, 1755, 1801, 2701, 2702, 2703, 2704, 2725, 6666, 6667

TCP 67, 69, 110, 143, 119, 161, 162, 445, 515, 563, 593, 993, 995, 1270, 1433, 1723, 2103, 2105, 2107, 2393, 2394, 2725, 2869, 3268, 3269, 3389, 5000, 51515

UDP 67, 500, 1434, 1645, 1646, 1701, 1813, 1812, 1900, 3527, 4011, 4500

Again, this is a VLAN on which many hosts need to be secured from viruses, worms, etc.

Thanks for any input / advice.

ACCEPTED SOLUTION
Cisco Employee

Re: new vlan - blocking specific ports

Hi,

Assuming IOS, you're right, deny the ports you are blocking, and do a permit ip any any at the end.

access-list 115 deny tcp any any eq 21
access-list 115 deny udp any any eq 21
...
access-list 115 deny udp any any eq 4500
access-list 115 permit ip any any
!
interface <interface-name>
 ip access-group 115 in
 ip access-group 115 out

HTH,

Bobby

2 REPLIES
New Member

Re: new vlan - blocking specific ports

Hi,

You are referring to VLANs and VACLs, therefore I assume you want to do this on your switch. Note that ACLs on most switch ports can only be applied in the inbound direction. In your case you can use the ACL specified earlier (but as specified below) and apply it to a VLAN access-map, something like:

access-list ...... In the ACL you should NOT use the "permit ip any any" at the end, as it will match ALL your traffic, which will be dropped by the first VLAN map statement. Just permit in the ACL what you want to be dropped. Therefore the ACL will permit the traffic which needs to be dropped, and then it will be matched by the VLAN map below and dropped accordingly.

Hope this makes sense..

vlan access-map DENY_MS_PORTS 10
 action drop
 match ip address 115
vlan access-map DENY_MS_PORTS 20
 action forward
!
vlan filter DENY_MS_PORTS vlan-list <vlan-id>

The default action is to forward, but I have included it in 20 for demonstration. But you need "vlan access-map DENY_MS_PORTS 20", so that the default action (forward) is applied.

HTH

E.
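The two ACL styles from the replies above, Bobby's interface ACL (deny the ports, then permit ip any any) and E.'s permit-only match ACL for a VLAN access-map, generated from the port lists in the question, plus a small first-match evaluator that shows why carrying the trailing permit ip any any into a VACL inverts the policy. This is an added example, not code from the thread or from Cisco; it only emits IOS-style text and does not talk to a switch. ACL number 115 and the map name DENY_MS_PORTS come from the replies; the VLAN id and the sample flows (TCP 445, TCP 443, UDP 4500) are constructed assumptions.

```python
"""Generate and sanity-check the port-blocking ACLs discussed in the thread.

Added example; not code from the thread or from Cisco. Emits IOS-style text
only. ACL number 115 and map name DENY_MS_PORTS are taken from the replies;
the VLAN list and the sample flows below are constructed assumptions.
"""
from itertools import chain

# Port lists copied from the question (the only inputs this example needs).
BOTH = [21, 23, 25, 42, 53, 102, 135, 136, 137, 138, 139, 389, 522, 636, 1494,
        1503, 1720, 1731, 1755, 1801, 2701, 2702, 2703, 2704, 2725, 6666, 6667]
TCP_ONLY = [67, 69, 110, 143, 119, 161, 162, 445, 515, 563, 593, 993, 995, 1270,
            1433, 1723, 2103, 2105, 2107, 2393, 2394, 2725, 2869, 3268, 3269,
            3389, 5000, 51515]
UDP_ONLY = [67, 500, 1434, 1645, 1646, 1701, 1813, 1812, 1900, 3527, 4011, 4500]


def blocked_ports():
    """Return the de-duplicated (proto, port) pairs to block, sorted.

    2725 appears in both the TCP+UDP list and the TCP list; a set keeps the
    generated ACL free of duplicate entries.
    """
    pairs = set(chain(
        (("tcp", p) for p in BOTH), (("udp", p) for p in BOTH),
        (("tcp", p) for p in TCP_ONLY), (("udp", p) for p in UDP_ONLY)))
    return sorted(pairs)


def router_acl(number=115):
    """Interface ACL as in the accepted answer: deny the ports, then permit all."""
    lines = [f"access-list {number} deny {proto} any any eq {port}"
             for proto, port in blocked_ports()]
    lines.append(f"access-list {number} permit ip any any")
    return lines


def vacl_match_acl(number=115):
    """ACL for a VLAN access-map: permit ONLY what must be dropped.

    No trailing "permit ip any any": the map's drop clause acts on whatever
    this ACL permits, so a permit-all here would drop every packet in the VLAN.
    """
    return [f"access-list {number} permit {proto} any any eq {port}"
            for proto, port in blocked_ports()]


def vlan_access_map(name="DENY_MS_PORTS", number=115, vlan_list="10"):
    """Access-map that drops what the match ACL permits and forwards the rest.

    Sequence 20 (no match clause, action forward) is what catches everything
    the match ACL did not permit; vlan_list is a constructed placeholder.
    """
    return [
        f"vlan access-map {name} 10",
        " action drop",
        f" match ip address {number}",
        f"vlan access-map {name} 20",
        " action forward",
        f"vlan filter {name} vlan-list {vlan_list}",
    ]


def _ace_matches(ace, proto, dport):
    """Action of one 'access-list N <action> <proto> any any [eq <port>]' line
    if it matches the flow, else None. Simplified model: any/any, dest port only."""
    parts = ace.split()
    action, ace_proto = parts[2], parts[3]
    if ace_proto == "ip":
        return action
    if ace_proto != proto:
        return None
    if "eq" in parts and int(parts[parts.index("eq") + 1]) != dport:
        return None
    return action


def acl_verdict(lines, proto, dport):
    """First-match evaluation; an unmatched packet hits the implicit deny."""
    for ace in lines:
        action = _ace_matches(ace, proto, dport)
        if action:
            return action
    return "deny"


def vacl_verdict(match_lines, proto, dport):
    """VLAN access-map semantics for the map above: sequence 10 drops what the
    match ACL permits; anything else falls through to the forward sequence."""
    return "drop" if acl_verdict(match_lines, proto, dport) == "permit" else "forward"


if __name__ == "__main__":
    print("\n".join(router_acl() + vacl_match_acl() + vlan_access_map()))
    # Constructed sample flows: SMB (blocked), HTTPS (allowed), IPsec NAT-T (blocked).
    for proto, port in (("tcp", 445), ("tcp", 443), ("udp", 4500)):
        print(proto, port,
              "router:", acl_verdict(router_acl(), proto, port),
              "vacl:", vacl_verdict(vacl_match_acl(), proto, port),
              "vacl fed the router ACL:", vacl_verdict(router_acl(), proto, port))
```

Running the script prints both ACLs and the map, then the verdicts for the three sample flows. The last column is the point E. makes: feeding the router-style ACL (with its trailing permit ip any any) to the access-map drops TCP 443 and forwards TCP 445, the opposite of the intent, because a deny entry in a match ACL simply means "not matched" and the permit-all then matches everything else. The evaluator is a deliberately small model (destination port only, any/any addresses, no established or range keywords); it illustrates the ordering logic, not the switch's full ACL semantics.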
