https://community.extremenetworks.com/t5/extremeswitching-exos-switch/transit-acl-on-l3-routing-switch/m-p/19024#M923 Does anyone happen to have a transit ACL on a publicly routed ExOS switch?<BR /> <BR /> I'm using an X440 stack as an internet gateway for a customer. <BR /> <BR /> I did create an access profile for all of the management profiles only permitting certain IP ranges to gain access. <BR /> <BR /> I'm just looking for an ACL that will block SSH and port scans and what not from even discovering the gateway IP. <BR /> <BR /> The SSH attempts fill the logs up. If I do a port scan on the router this comes up:<BR /> 21/tcp open ftp<BR /> <BR /> 22/tcp open ssh<BR /> <BR /> 113/tcp filtered ident<BR /> <BR /> 135/tcp filtered msrpc<BR /> <BR /> 139/tcp open netbios-ssn<BR /> <BR /> 445/tcp open microsoft-ds<BR /> <BR /> 554/tcp open rtsp<BR /> <BR /> 593/tcp filtered http-rpc-epmap<BR /> <BR /> 7070/tcp open realserver<BR /> <BR /> I dont mind if it responds to ICMP. I just want everything else locked down. <BR /> <BR /> If you have a transit ACL template I'd love a copy! Obviously I dont want to block ipforwarding or any protocols on any hosts after the router. Thu, 19 Oct 2017 23:17:00 GMT John_Barfield 2017-10-19T23:17:00Z https://community.extremenetworks.com/t5/extremeswitching-exos-switch/transit-acl-on-l3-routing-switch/m-p/19024#M923 Does anyone happen to have a transit ACL on a publicly routed ExOS switch?<BR /> <BR /> I'm using an X440 stack as an internet gateway for a customer. <BR /> <BR /> I did create an access profile for all of the management profiles only permitting certain IP ranges to gain access. <BR /> <BR /> I'm just looking for an ACL that will block SSH and port scans and what not from even discovering the gateway IP. <BR /> <BR /> The SSH attempts fill the logs up. If I do a port scan on the router this comes up:<BR /> 21/tcp open ftp<BR /> <BR /> 22/tcp open ssh<BR /> <BR /> 113/tcp filtered ident<BR /> <BR /> 135/tcp filtered msrpc<BR /> <BR /> 139/tcp open netbios-ssn<BR /> <BR /> 445/tcp open microsoft-ds<BR /> <BR /> 554/tcp open rtsp<BR /> <BR /> 593/tcp filtered http-rpc-epmap<BR /> <BR /> 7070/tcp open realserver<BR /> <BR /> I dont mind if it responds to ICMP. I just want everything else locked down. <BR /> <BR /> If you have a transit ACL template I'd love a copy! Obviously I dont want to block ipforwarding or any protocols on any hosts after the router. Thu, 19 Oct 2017 23:17:00 GMT https://community.extremenetworks.com/t5/extremeswitching-exos-switch/transit-acl-on-l3-routing-switch/m-p/19024#M923 John_Barfield 2017-10-19T23:17:00Z https://community.extremenetworks.com/t5/extremeswitching-exos-switch/transit-acl-on-l3-routing-switch/m-p/19025#M924 Hi John,<BR /> <BR /> I do not have an example, but can try to describe the general idea I would use: you could create an ACL that denies anything you do not need (you might want to allow ICMP) directed <I>at the gateway IP</I> (both v4 and v6 if applicable) and bind this to your outside interface. Traffic through the router is never sent to the router (if it is sent to the router, it is not passed on to other devices).<BR /> <BR /> I would suggest you look into using the management port (VR-Mgmt) for management and restricting all management protocols to use that VR.<BR /> <BR /> Thanks,<BR /> Erik Fri, 20 Oct 2017 12:57:00 GMT https://community.extremenetworks.com/t5/extremeswitching-exos-switch/transit-acl-on-l3-routing-switch/m-p/19025#M924 Erik_Auerswald 2017-10-20T12:57:00Z