How to block traffic to specific udp/tcp ports


Userlevel 2
Hi all,

I am trying to block traffic on specific TCP/UDP ports on my X450a switch.
I tried that with an ACL packed in a .pol file:

entry udp_acl1 {
    if {
        source-address 0.0.0.0/0;
        protocol udp;
        destination-port 1119;
    } then {
        count udp;
        deny;
    }
}
entry tcp_acl {
    if {
        source-address 0.0.0.0/0;
        protocol tcp;
        destination-port 1119;
    } then {
        count tcp;
        deny;
    }
}
entry udp_acl2 {
    if {
        source-address 0.0.0.0/0;
        protocol udp;
        destination-port 3724;
    } then {
        count udp;
        deny;
    }
}
entry tcp_acl2 {
    if {
        source-address 0.0.0.0/0;
        protocol tcp;
        destination-port 3724;
    } then {
        count tcp;
        deny;
    }
}

That is what I entered; when applying it, nothing happens and the counters are empty.
I did open the application and saw with netstat that there is traffic on those ports.

Did I miss something? Do you have any ideas?

Regards,
Peter

9 replies

Userlevel 4
It looks like there is no problem with your policy except the duplicated counter names. I just wonder whether you applied the ACL on the proper port or VLAN which the traffic is entering or leaving.
You can simply check whether there is traffic on the port or VLAN you applied the ACL to just by changing the ACL action from deny to permit and then checking the counter. After changing the ACL actions, you may need to refresh the ACL.
Userlevel 4
Looks like you use the X450 as an L2 switch, not as a router. ACL rules may be applied only to traffic which is being routed by the device.
Userlevel 7
Nick Yakimenko wrote:

Looks like you use the X450 as an L2 switch, not as a router. ACL rules may be applied only to traffic which is being routed by the device.

EXOS ACLs generally apply to all frames; L2 or L3 does not matter. This is different from EOS (or Cisco) [router] ACLs. The EXOS ACLs work more like EOS policies than EOS ACLs.
Userlevel 4
Nick Yakimenko wrote:

Looks like you use the X450 as an L2 switch, not as a router. ACL rules may be applied only to traffic which is being routed by the device.

Thanks for clarifying that.
Userlevel 6
Hello Peter,

I do not believe the source-address is needed in this case. It won't hurt though. I would recommend giving each entry its own counter to see if any of the rules are being hit, and look into what David mentioned as well.
Userlevel 2
Thanks, I'll give that a try. Just for clarification: the counter also runs if packets are hit by deny, right?
Userlevel 6
If it makes it to the "then" section, the counter should increase.
Userlevel 2
The clue was the refresh policy command; after refreshing, everything works fine now!
Thanks for all your help, guys!
Userlevel 4
Peter Kulmbrein wrote:

The clue was the refresh policy command; after refreshing, everything works fine now!
Thanks for all your help, guys!

Great!! Thanks for letting us know the cause. 🙂
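The thread ends up with two practical lessons: give every entry its own counter so you can see which rule is hit, and refresh the policy after editing it so the hardware actually picks up the change. The script below is an added example written for this thread, not Peter's file or any Extreme tooling. It generates a .pol policy in the syntax shown above for a constructed list of protocol/port pairs, checks a policy text for counter names shared between entries, and prints the EXOS CLI sequence (configure access-list ... ports ... ingress, refresh policy, show access-list counter) needed to bind, refresh and verify it. The policy name, port list and the blocked ports are assumed sample values.

```python
"""Generate an EXOS-style ACL .pol file that drops traffic to a set of
TCP/UDP destination ports, one counter per entry, and emit the CLI steps
to apply and refresh it.  Added example, not code from the thread."""
import re
from collections import Counter

# Constructed sample: the two ports from the thread, both protocols.
BLOCKED = [("udp", 1119), ("tcp", 1119), ("udp", 3724), ("tcp", 3724)]


def entry_name(proto, port):
    """Entry and counter name derived from protocol and port, e.g. udp_1119."""
    return f"{proto}_{port}"


def render_entry(proto, port):
    """One ACL entry.  The counter name is unique per entry so that
    'show access-list counter' tells the rules apart when one is hit."""
    name = entry_name(proto, port)
    return (
        f"entry {name} {{\n"
        f"    if {{\n"
        f"        protocol {proto};\n"
        f"        destination-port {port};\n"
        f"    }} then {{\n"
        f"        count {name};\n"
        f"        deny;\n"
        f"    }}\n"
        f"}}\n"
    )


def render_policy(blocked):
    """Full policy text for a list of (protocol, port) pairs."""
    return "".join(render_entry(proto, port) for proto, port in blocked)


def duplicate_counters(policy_text):
    """Counter names used by more than one entry (the 'duplicated counter
    name' remark in the thread).  Works on flattened one-line policies too;
    an empty list means every entry has its own counter."""
    names = re.findall(r"\bcount\s+([^\s;]+)\s*;", policy_text)
    return sorted(name for name, n in Counter(names).items() if n > 1)


def apply_commands(policy_name, ports):
    """CLI sequence: bind the policy to the ingress ports where the traffic
    enters, refresh it after any edit, then read the counters."""
    return [
        f"configure access-list {policy_name} ports {ports} ingress",
        f"refresh policy {policy_name}",
        "show access-list counter",
    ]


if __name__ == "__main__":
    policy = render_policy(BLOCKED)
    print(policy)
    print("# duplicate counters:", duplicate_counters(policy) or "none")
    # Assumed policy name and port list; adjust to the ports the clients are on.
    for cmd in apply_commands("blockports", "1-24"):
        print(cmd)
```

Save the printed policy as blockports.pol on the switch (or use edit policy blockports), then run the three commands. If the counters stay at zero after the refresh, temporarily switch deny to permit as suggested above to confirm the traffic is really entering on the ports the policy is bound to.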
