How to block traffic to specific udp/tcp ports

  • Question
  • Updated 2 years ago
  • Answered
Hi all,

I'm trying to block traffic on specific TCP/UDP ports on my x450a switch.
I tried that with an ACL packed in a .pol file:

entry udp_acl1 {
    if {
        source-address 0.0.0.0/0;
        protocol udp;
        destination-port 1119;
    } then {
        count udp;
        deny;
    }
}
entry tcp_acl {
    if {
        source-address 0.0.0.0/0;
        protocol tcp;
        destination-port 1119;
    } then {
        count tcp;
        deny;
    }
}
entry udp_acl2 {
    if {
        source-address 0.0.0.0/0;
        protocol udp;
        destination-port 3724;
    } then {
        count udp;
        deny;
    }
}
entry tcp_acl2 {
    if {
        source-address 0.0.0.0/0;
        protocol tcp;
        destination-port 3724;
    } then {
        count tcp;
        deny;
    }
}

That was what I entered. When I apply it, nothing happens and the counters are empty.
I opened the application and saw with netstat that there is traffic on those ports.

Did I miss something? Do you have any ideas?

Regards,
Peter
Peter Kulmbrein

Posted 2 years ago

David Choi, Employee

It looks like there is no problem with your policy except the duplicated counter name. I just wonder whether you applied the ACL on the proper port or VLAN where the traffic is entering or leaving.
You can simply check whether there is traffic on the port or VLAN you applied the ACL to by changing the ACL action from deny to permit and then checking the counter. After changing the ACL actions, you may need to refresh the ACL.
Nick Yakimenko

Looks like you use the x450 as an L2 switch, not as a router. ACL rules may be applied only to traffic which is being routed by the device.
Erik Auerswald, Embassador

EXOS ACLs generally apply to all frames; L2 or L3 does not matter. This is different from EOS (or Cisco) [router] ACLs. The EXOS ACLs work more like EOS policies than EOS ACLs.
Nick Yakimenko

Thanks for clarifying that.
Patrick Voss, Alum

Hello Peter,

I do not believe the source-address is needed in this case. It won't hurt though. I would recommend giving each entry its own counter to see if any of the rules are being hit, and look into what David mentioned as well.
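To make the per-rule hit check David and Patrick describe unambiguous, here is an added example (not from this thread and not an Extreme tool): a small Python checker for the simplified .pol entry syntax shown above. It parses each entry, reports counter names shared between entries (their hits would be merged into one figure), and flags deny entries that carry no counter at all. The sample policy text is constructed to mirror the poster's four entries, and the parser assumes the `entry NAME { if { ... } then { ... } }` shape only, not the full EXOS policy grammar.

```python
import re

# Constructed sample modelled on the poster's .pol file: four deny entries
# that reuse the counter names "udp" and "tcp" (the duplication noted above).
SAMPLE_POL = """
entry udp_acl1 { if { protocol udp; destination-port 1119; }
                 then { count udp; deny; } }
entry tcp_acl  { if { protocol tcp; destination-port 1119; }
                 then { count tcp; deny; } }
entry udp_acl2 { if { protocol udp; destination-port 3724; }
                 then { count udp; deny; } }
entry tcp_acl2 { if { protocol tcp; destination-port 3724; }
                 then { count tcp; deny; } }
"""

# One entry: "entry NAME { if { ...; } then { ...; } }". The non-greedy
# groups stop at the first closing brace of the if and then blocks.
ENTRY_RE = re.compile(
    r"entry\s+(\w+)\s*\{\s*if\s*\{(.*?)\}\s*then\s*\{(.*?)\}\s*\}", re.DOTALL)

def _statements(block):
    """Split a block body on ';' into trimmed, non-empty statements."""
    return [s.strip() for s in block.split(";") if s.strip()]

def parse_policy(text):
    """Return one {'name', 'match', 'then'} dict per entry in a .pol text."""
    return [{"name": name, "match": _statements(cond), "then": _statements(act)}
            for name, cond, act in ENTRY_RE.findall(text)]

def counter_name(entry):
    """Name given to 'count <name>' in the then block, or None if absent."""
    for act in entry["then"]:
        parts = act.split()
        if len(parts) == 2 and parts[0] == "count":
            return parts[1]
    return None

def lint_policy(text):
    """Findings that would make per-rule hit verification ambiguous."""
    entries = parse_policy(text)
    users = {}  # counter name -> entries that increment it
    for e in entries:
        if counter_name(e):
            users.setdefault(counter_name(e), []).append(e["name"])
    findings = [f"counter '{c}' shared by entries {u}"
                for c, u in sorted(users.items()) if len(u) > 1]
    findings += [f"entry '{e['name']}' denies without a counter"
                 for e in entries if "deny" in e["then"] and counter_name(e) is None]
    return findings
```

Run `lint_policy(open("udp_block.pol").read())` against your own file before applying it; an empty list means every deny rule has a counter of its own.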
Peter Kulmbrein

Thanks, I'll give that a try. Just for clarification: the counter also runs if packets are hit by deny, right?
Patrick Voss, Alum

If it makes it to the then section, the counter should increase.
Peter Kulmbrein

The clue was the refresh policy command. After refreshing, everything works fine now!
Thanks for all your help, guys!
David Choi, Employee

Great!! Thanks for letting us know the cause. :)