Transit ACL on L3 routing switch

  • 0
  • 1
  • Question
  • Updated 1 year ago
  • Answered
  • (Edited)
Does anyone happen to have a transit ACL on a publicly routed ExOS switch?

I'm using an X440 stack as an internet gateway for a customer. 

I did create an access profile for all of the management profiles only permitting certain IP ranges to gain access. 

I'm just looking for an ACL that will block SSH and port scans and what not from even discovering the gateway IP. 

The SSH attempts fill the logs up. If I do a port scan on the router this comes up:

21/tcp   open     ftp

22/tcp   open     ssh

113/tcp  filtered ident

135/tcp  filtered msrpc

139/tcp  open     netbios-ssn

445/tcp  open     microsoft-ds

554/tcp  open     rtsp

593/tcp  filtered http-rpc-epmap

7070/tcp open     realserver

I dont mind if it responds to ICMP. I just want everything else locked down. 

If you have a transit ACL template I'd love a copy! Obviously I dont want to block ipforwarding or any protocols on any hosts after the router. 
Photo of John Barfield

John Barfield

  • 280 Points 250 badge 2x thumb

Posted 1 year ago

  • 0
  • 1
Photo of Erik Auerswald

Erik Auerswald, Embassador

  • 13,792 Points 10k badge 2x thumb
Hi John,

I do not have an example, but can try to describe the general idea I would use: you could create an ACL that denies anything you do not need (you might want to allow ICMP) directed at the gateway IP (both v4 and v6 if applicable) and bind this to your outside interface. Traffic through the router is never sent to the router (if it is sent to the router, it is not passed on to other devices).

I would suggest you look into using the management port (VR-Mgmt) for management and restricting all management protocols to use that VR.