policy route-map question

 
 
jan.rockstedt@gmail.com
      01-11-2007
Hi all,

I want to block tcp port 2967 in on interface FastEthernet0/7
How shall I do it?

Regards Jan Rockstedt

interface FastEthernet0/7
description 100
switchport access vlan 21
switchport mode access
no ip address
speed 100
spanning-tree portfast
spanning-tree bpdufilter enable

interface Vlan21
description 100
ip address 10.220.21.254 255.255.255.0 secondary
ip address 10.21.2.254 255.255.255.0 secondary
ip address 10.220.21.2 255.255.255.0
ip policy route-map SONG

route-map SONG permit 10
match ip address 100
set ip next-hop 172.20.254.2

access-list 100 deny ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
access-list 100 deny ip 10.0.0.0 0.255.255.255 192.168.0.0 0.0.255.255
access-list 100 permit ip any any

 
Reply With Quote
 
 
 
 
Brian V
      01-11-2007

<> wrote in message
news: oups.com...
> Hi all,
>
> I want to block tcp port 2967 in on interface FastEthernet0/7
> How shall I do it?
>
> Regards Jan Rockstedt
>
> interface FastEthernet0/7
> description 100
> switchport access vlan 21
> switchport mode access
> no ip address
> speed 100
> spanning-tree portfast
> spanning-tree bpdufilter enable
>
> interface Vlan21
> description 100
> ip address 10.220.21.254 255.255.255.0 secondary
> ip address 10.21.2.254 255.255.255.0 secondary
> ip address 10.220.21.2 255.255.255.0
> ip policy route-map SONG
>
> route-map SONG permit 10
> match ip address 100
> set ip next-hop 172.20.254.2
>
> access-list 100 deny ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
> access-list 100 deny ip 10.0.0.0 0.255.255.255 192.168.0.0 0.0.255.255
> access-list 100 permit ip any any
>


You cannot block it inbound on f0/7; it is configured as a switchport and
you cannot apply an IP ACL to it. Well... you can, but it won't do anything.
You could block it on the VLAN interface.

access-list 101 deny tcp any any eq 2967
access-list 101 permit ip any any
int v21
ip access-group 101 out


 
Reply With Quote
 
 
 
 
jan.rockstedt@gmail.com
      01-11-2007

Brian V wrote:

> <> wrote in message
> news: oups.com...
> > Hi all,
> >
> > I want to block tcp port 2967 in on interface FastEthernet0/7
> > How shall I do it?
> >
> > Regards Jan Rockstedt
> >
> > interface FastEthernet0/7
> > description 100
> > switchport access vlan 21
> > switchport mode access
> > no ip address
> > speed 100
> > spanning-tree portfast
> > spanning-tree bpdufilter enable
> >
> > interface Vlan21
> > description 100
> > ip address 10.220.21.254 255.255.255.0 secondary
> > ip address 10.21.2.254 255.255.255.0 secondary
> > ip address 10.220.21.2 255.255.255.0
> > ip policy route-map SONG
> >
> > route-map SONG permit 10
> > match ip address 100
> > set ip next-hop 172.20.254.2
> >
> > access-list 100 deny ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
> > access-list 100 deny ip 10.0.0.0 0.255.255.255 192.168.0.0 0.0.255.255
> > access-list 100 permit ip any any
> >

>
> You cannot block it inbound on f0/7; it is configured as a switchport and
> you cannot apply an IP ACL to it. Well... you can, but it won't do anything.
> You could block it on the VLAN interface.
>
> access-list 101 deny tcp any any eq 2967
> access-list 101 permit ip any any
> int v21
> ip access-group 101 out


Thanks,

I did try this on the vlan21 first:

access-list 122 deny tcp any any eq 2967
access-list 122 permit tcp any any

But was the deny wrong with only tcp?

//Jan

 
Reply With Quote
 
Brian V
      01-11-2007

<> wrote in message
news: oups.com...
>
> Brian V wrote:
>
>> <> wrote in message
>> news: oups.com...
>> > Hi all,
>> >
>> > I want to block tcp port 2967 in on interface FastEthernet0/7
>> > How shall I do it?
>> >
>> > Regards Jan Rockstedt
>> >
>> > interface FastEthernet0/7
>> > description 100
>> > switchport access vlan 21
>> > switchport mode access
>> > no ip address
>> > speed 100
>> > spanning-tree portfast
>> > spanning-tree bpdufilter enable
>> >
>> > interface Vlan21
>> > description 100
>> > ip address 10.220.21.254 255.255.255.0 secondary
>> > ip address 10.21.2.254 255.255.255.0 secondary
>> > ip address 10.220.21.2 255.255.255.0
>> > ip policy route-map SONG
>> >
>> > route-map SONG permit 10
>> > match ip address 100
>> > set ip next-hop 172.20.254.2
>> >
>> > access-list 100 deny ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
>> > access-list 100 deny ip 10.0.0.0 0.255.255.255 192.168.0.0 0.0.255.255
>> > access-list 100 permit ip any any
>> >

>>
>> You cannot block it inbound on f0/7; it is configured as a switchport and
>> you cannot apply an IP ACL to it. Well... you can, but it won't do anything.
>> You could block it on the VLAN interface.
>>
>> access-list 101 deny tcp any any eq 2967
>> access-list 101 permit ip any any
>> int v21
>> ip access-group 101 out

>
> Thanks,
>
> I did try this on the vlan21 first:
>
> access-list 122 deny tcp any any eq 2967
> access-list 122 permit tcp any any
>
> But was the deny wrong with only tcp?
>
> //Jan
>


All UDP will be dropped, as well as all ICMP.


 
Reply With Quote
 
headsetadapter.com
      01-12-2007
Usually the last line in an access-list is "permit ip any any". If you permit
TCP only, you may (and will) block all "internal stuff" like multicast,
broadcast, UDP, etc.

Good luck,

Mike
------
Cisco IP Phone PC Headset Adapters
www.ciscoheadsetadapter.com


<> wrote in message
news: oups.com...
>
>I did try this on the vlan21 first:
>
>access-list 122 deny tcp any any eq 2967
>access-list 122 permit tcp any any
>
>But was the deny wrong with only tcp?
>

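An added simulation (not from any post in this thread) of how IOS evaluates the two access-lists discussed above, top down with the implicit deny at the end, over a few constructed sample packets. It shows why Jan's ACL 122 drops UDP and ICMP while Brian's ACL 101 only drops TCP to port 2967; the `Packet`, `parse_ace`, `evaluate` and `compare` names are this example's own.

```python
"""Minimal model of Cisco extended-ACL matching, written to compare the two
access-lists from the thread. Semantics modelled: top-down first match, implicit
'deny ip any any' after the last line, 'ip' matches every protocol, 'eq N'
tests the destination port. Address matching is reduced to 'any', which is all
these two ACLs use. Example code, not IOS and not from the original posts."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp", "udp" or "icmp"
    dport: int = 0    # destination port (0 for icmp, which has none)


def parse_ace(line):
    """Parse 'access-list <n> <permit|deny> <proto> any any [eq <port>]'."""
    parts = line.split()
    action, proto = parts[2], parts[3]
    port = int(parts[-1]) if "eq" in parts else None
    return action, proto, port


def evaluate(acl_lines, pkt):
    """Return 'permit' or 'deny' for pkt under this ACL, first match wins."""
    for line in acl_lines:
        action, proto, port = parse_ace(line)
        if proto != "ip" and proto != pkt.proto:
            continue                      # protocol does not match this ACE
        if port is not None and port != pkt.dport:
            continue                      # 'eq' port does not match
        return action
    return "deny"                         # implicit deny at the end of every ACL


# ACL 101 as posted by Brian, ACL 122 as posted by Jan
ACL_101 = ["access-list 101 deny tcp any any eq 2967",
           "access-list 101 permit ip any any"]
ACL_122 = ["access-list 122 deny tcp any any eq 2967",
           "access-list 122 permit tcp any any"]

# Constructed sample traffic: the port to block, ordinary TCP, DNS over UDP, ping
SAMPLE = {"tcp/2967": Packet("tcp", 2967), "tcp/80": Packet("tcp", 80),
          "udp/53": Packet("udp", 53), "icmp": Packet("icmp")}


def compare(acl_a=ACL_101, acl_b=ACL_122):
    """Map each sample flow to (verdict under acl_a, verdict under acl_b)."""
    return {name: (evaluate(acl_a, p), evaluate(acl_b, p)) for name, p in SAMPLE.items()}


if __name__ == "__main__":
    for name, (v101, v122) in compare().items():
        print(f"{name:9} ACL 101: {v101:7} ACL 122: {v122}")
```

Note that `ip access-group 101 out` on Vlan21 filters packets the switch routes toward the VLAN 21 hosts; to filter what those hosts send, the ACL is applied `in` on the SVI.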