How to block traffic to specific udp/tcp ports
‎07-06-2016 06:34 AM
Hi all,
I try to block traffic on specific tcp/udp ports on my x450a switch.
I tried that with an ACL packed in a .pol file:

entry udp_acl1 {
    if { source-address 0.0.0.0/0; protocol udp; destination-port 1119; }
    then { count udp; deny; }
}
entry tcp_acl {
    if { source-address 0.0.0.0/0; protocol tcp; destination-port 1119; }
    then { count tcp; deny; }
}
entry udp_acl2 {
    if { source-address 0.0.0.0/0; protocol udp; destination-port 3724; }
    then { count udp; deny; }
}
entry tcp_acl2 {
    if { source-address 0.0.0.0/0; protocol tcp; destination-port 3724; }
    then { count tcp; deny; }
}

was what I entered - when applying, nothing happens and the counters are empty.
I did open the application and saw that there is traffic on those ports using netstat.
Did I miss something? Do you have some ideas?
Regards,
Peter
9 REPLIES
‎07-06-2016 10:17 AM
Hello Peter,
I do not believe the source-address is needed in this case. It won't hurt though. I would recommend giving each entry its own counter to see if any of the rules are being hit, and look into what David mentioned as well.
‎07-06-2016 07:32 AM
Looks like you use the x450 as an L2 switch, not as a router. ACL rules may be applied only to traffic which is being routed by the device.
‎07-06-2016 07:32 AM
Thanks for clarifying that.
‎07-06-2016 07:32 AM
EXOS ACLs generally apply to all frames; L2 or L3 does not matter. This is different from EOS (or Cisco) [router] ACLs. The EXOS ACLs work more like EOS policies than EOS ACLs.
‎07-06-2016 06:53 AM
It looks like there is no problem with your policy except the duplicated counter names. I just wonder if you applied the ACL on the proper port or VLAN which the traffic is entering or leaving.
You can simply check if there is traffic on the port or VLAN you applied the ACL to just by changing the ACL action from deny to permit and then checking the counter. After changing the ACL actions, you may need to refresh the ACL.
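As an added example (not from the thread or from Extreme), a small checker for the .pol syntax used above: it parses the entries, reports counter names shared by more than one entry (the issue the last two replies point at), and rewrites the policy so each entry gets its own counter, which makes "show access-list counter" tell you which rule is actually being hit. The sample policy is the poster's, reflowed one entry per line; the regex grammar only covers the simple "if { ... } then { ... }" form shown here.

```python
import re
from collections import Counter

# Constructed sample: the poster's four entries, all sharing "udp" / "tcp" counters.
SAMPLE_POL = """
entry udp_acl1 { if { source-address 0.0.0.0/0; protocol udp; destination-port 1119; } then { count udp; deny; } }
entry tcp_acl  { if { source-address 0.0.0.0/0; protocol tcp; destination-port 1119; } then { count tcp; deny; } }
entry udp_acl2 { if { source-address 0.0.0.0/0; protocol udp; destination-port 3724; } then { count udp; deny; } }
entry tcp_acl2 { if { source-address 0.0.0.0/0; protocol tcp; destination-port 3724; } then { count tcp; deny; } }
"""

# Matches: entry <name> { if { <conditions> } then { <actions> } }
ENTRY_RE = re.compile(r"entry\s+(\w+)\s*\{\s*if\s*\{(.*?)\}\s*then\s*\{(.*?)\}\s*\}", re.S)

def parse_policy(text):
    """Return one dict per entry: name, match conditions (key -> value), action list."""
    entries = []
    for name, cond, act in ENTRY_RE.findall(text):
        match = dict(s.strip().split(None, 1) for s in cond.split(";") if s.strip())
        actions = [s.strip() for s in act.split(";") if s.strip()]
        entries.append({"name": name, "match": match, "actions": actions})
    return entries

def shared_counters(entries):
    """Counter names used by more than one entry; such counters cannot tell the rules apart."""
    used = Counter(a.split(None, 1)[1] for e in entries
                   for a in e["actions"] if a.startswith("count "))
    return sorted(c for c, n in used.items() if n > 1)

def fix_counters(entries):
    """Give every entry its own counter, named after the entry."""
    return [{**e, "actions": [f"count {e['name']}" if a.startswith("count ") else a
                               for a in e["actions"]]} for e in entries]

def emit_policy(entries):
    """Serialise entries back to .pol syntax, one entry per block."""
    out = []
    for e in entries:
        cond = " ".join(f"{k} {v};" for k, v in e["match"].items())
        acts = " ".join(f"{a};" for a in e["actions"])
        out.append(f"entry {e['name']} {{\n    if {{ {cond} }}\n    then {{ {acts} }}\n}}")
    return "\n".join(out)

if __name__ == "__main__":
    parsed = parse_policy(SAMPLE_POL)
    print("shared counters:", shared_counters(parsed))
    print(emit_policy(fix_counters(parsed)))
    # After loading the rewritten file on the switch: "check policy <name>" to validate the
    # syntax, "refresh policy <name>" after edits, "show access-list counter" to read hits.
```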
