Cisco Support Community

New Member

Access List & GSR

I have a GSR 12008. I have applied an access-list to several of the interfaces to prevent the latest UPNP exploit from crossing subnets. However, the access-list is not working. I can still see port 1900 from either side of the router. The access-list and relevant config follows:

access-list 102 deny udp any any eq 1900 log-input
access-list 102 deny tcp any any eq 1900 log-input
access-list 102 permit udp any any neq 1900
access-list 102 permit tcp any any
access-list 102 permit icmp any any

interface GigabitEthernet0/0
 ip address 10.10.20.1 255.255.255.128
 ip access-group 102 in
 no ip directed-broadcast
 ip pim sparse-mode
 ip mroute-cache distributed
 no negotiation auto
!
interface GigabitEthernet1/0
 ip address 10.10.20.129 255.255.255.128
 ip access-group 102 in
 no ip directed-broadcast
 ip pim sparse-mode
 ip mroute-cache distributed
 no negotiation auto
!
interface GigabitEthernet2/0
 ip address 10.10.10.1 255.255.255.0
 ip access-group 102 in
 no ip directed-broadcast
 ip pim sparse-mode
 ip mroute-cache distributed
 no negotiation auto
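
As an added illustration, not part of the thread, the following Python evaluator walks the five ACEs above the way IOS does: a port operator written after the destination `any` matches the destination port only, so a datagram sent to 1900/udp hits the first deny, while a reply sourced from 1900/udp towards an ephemeral port falls through to `permit udp any any neq 1900`. The sample flows are constructed; the ACE parser covers only the `any any` form used in the post.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# The five ACL lines from the post, verbatim.
ACL_TEXT = """
access-list 102 deny udp any any eq 1900 log-input
access-list 102 deny tcp any any eq 1900 log-input
access-list 102 permit udp any any neq 1900
access-list 102 permit tcp any any
access-list 102 permit icmp any any
"""

# Subset of the IOS extended-ACL grammar used above: "any" source and
# destination, optional eq/neq operator on the DESTINATION port (it follows
# the second "any"), optional log/log-input keyword.
ACE_RE = re.compile(
    r"access-list\s+(\d+)\s+(permit|deny)\s+(udp|tcp|icmp)\s+any\s+any"
    r"(?:\s+(eq|neq)\s+(\d+))?(?:\s+log-input|\s+log)?$"
)

@dataclass
class Ace:
    action: str
    proto: str
    op: Optional[str]     # "eq" / "neq" / None, applied to the destination port
    port: Optional[int]

def parse_acl(text: str):
    aces = []
    for line in text.strip().splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported ACE: {line!r}")
        _, action, proto, op, port = m.groups()
        aces.append(Ace(action, proto, op, int(port) if port else None))
    return aces

def evaluate(aces, proto: str, src_port: int, dst_port: int) -> Tuple[str, Optional[int]]:
    """First-match evaluation; returns (action, ACE index) or implicit deny."""
    for i, ace in enumerate(aces):
        if ace.proto != proto:
            continue
        if ace.op == "eq" and dst_port != ace.port:
            continue
        if ace.op == "neq" and dst_port == ace.port:
            continue
        return ace.action, i
    return "deny", None   # implicit deny at the end of every IOS ACL

ACL = parse_acl(ACL_TEXT)

# Constructed flows: an SSDP M-SEARCH towards 1900/udp, and the unicast
# reply a UPnP device sends FROM 1900/udp back to the ephemeral port.
def ssdp_search():   # src 50000 -> dst 1900: matches ACE 0 (deny)
    return evaluate(ACL, "udp", 50000, 1900)

def ssdp_reply():    # src 1900 -> dst 50000: slips through ACE 2 (permit)
    return evaluate(ACL, "udp", 1900, 50000)
```

Applying the same ACL inbound on every interface therefore blocks queries to 1900 but not the replies that leave the device's port 1900; `debug ip packet detail` with the ACL number will show which ACE each packet hit.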

2 REPLIES
Silver

Re: Access List & GSR

debug IP packet detail will show you what your access-list is doing or not.

New Member

Re: Access List & GSR

Check the errata for the GSRs also, they've had bugs in the handling of ACLs. That's one reason my org went with a different model.
