Transit ACL on L3 routing switch


Does anyone happen to have a transit ACL on a publicly routed ExOS switch?

I'm using an X440 stack as an internet gateway for a customer.

I did create an access profile for all of the management profiles only permitting certain IP ranges to gain access.

I'm just looking for an ACL that will block SSH and port scans and what not from even discovering the gateway IP.

The SSH attempts fill the logs up. If I do a port scan on the router this comes up:

21/tcp open ftp
22/tcp open ssh
113/tcp filtered ident
135/tcp filtered msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
554/tcp open rtsp
593/tcp filtered http-rpc-epmap
7070/tcp open realserver

I don't mind if it responds to ICMP. I just want everything else locked down.

If you have a transit ACL template I'd love a copy! Obviously I don't want to block ipforwarding or any protocols on any hosts after the router.

Hi John,

I do not have an example, but can try to describe the general idea I would use: you could create an ACL that denies anything you do not need (you might want to allow ICMP) directed at the gateway IP (both v4 and v6 if applicable) and bind this to your outside interface. Traffic through the router is never sent to the router (if it is sent to the router, it is not passed on to other devices).

I would suggest you look into using the management port (VR-Mgmt) for management and restricting all management protocols to use that VR.

Thanks,
Erik

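A sketch of the policy Erik describes, written as an added example for this thread (it is not Erik's or Extreme's own configuration). The gateway address 203.0.113.1, the management range 198.51.100.0/24 and the VLAN name "outside" are placeholders; it covers IPv4 only, and the IPv6 address would need the same treatment.

```text
# transit_acl.pol (constructed example, not from the original thread)
# Goal: drop everything aimed at the gateway's own address except ICMP and
# the management ranges, while leaving transit traffic untouched.
# Placeholders: gateway 203.0.113.1, management range 198.51.100.0/24.

# The asker is happy for the gateway to answer pings.
entry permit_icmp_to_gw {
    if {
        protocol icmp;
        destination-address 203.0.113.1/32;
    } then {
        permit;
        count icmp_to_gw;
    }
}

# Management sources still allowed to reach the gateway itself
# (the access profiles on the management services remain the second layer).
entry permit_mgmt_to_gw {
    if {
        source-address 198.51.100.0/24;
        destination-address 203.0.113.1/32;
    } then {
        permit;
    }
}

# Everything else addressed to the gateway is dropped and counted, so
# "show access-list counter" shows the scan and SSH noise being discarded.
# If the switch itself originates sessions out this VLAN (SNTP, DNS,
# syslog), add permits for those replies above this entry or they
# will be dropped too.
entry deny_all_to_gw {
    if {
        destination-address 203.0.113.1/32;
    } then {
        deny;
        count dropped_to_gw;
    }
}

# No entry matches transit traffic, so EXOS forwards it normally
# (ACLs end in an implicit permit). Bind on the outside VLAN, ingress:
#   check policy transit_acl
#   configure access-list transit_acl vlan outside ingress
```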