policy route-map question

Discussion in 'Cisco' started by jan.rockstedt, Jan 11, 2007.

  1. Hi all,

    I want to block TCP port 2967 inbound on interface FastEthernet0/7.
    How shall I do it?

    Regards Jan Rockstedt

    interface FastEthernet0/7
    description 100
    switchport access vlan 21
    switchport mode access
    no ip address
    speed 100
    spanning-tree portfast
    spanning-tree bpdufilter enable

    interface Vlan21
    description 100
    ip address 10.220.21.254 255.255.255.0 secondary
    ip address 10.21.2.254 255.255.255.0 secondary
    ip address 10.220.21.2 255.255.255.0
    ip policy route-map SONG

    route-map SONG permit 10
    match ip address 100
    set ip next-hop 172.20.254.2

    access-list 100 deny ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
    access-list 100 deny ip 10.0.0.0 0.255.255.255 192.168.0.0 0.0.255.255
    access-list 100 permit ip any any
     
    jan.rockstedt, Jan 11, 2007
    #1

  2. jan.rockstedt

    Brian V Guest

    you cannot block it inbound on f0/7, it is configured as a switchport and
    you cannot apply an IP ACL to it, well....you can, but it won't do anything.
    You could block it on the vlan interface.

    access-list 101 deny tcp any any eq 2967
    access-list 101 permit ip any any
    int v21
    ip access-group 101 out
     
    Brian V, Jan 11, 2007
    #2

  3. Brian V wrote:
    Thanks,

    I did try this on the vlan21 first:

    access-list 122 deny tcp any any eq 2967
    access-list 122 permit tcp any any

    But was the deny wrong with only tcp?

    //Jan
     
    jan.rockstedt, Jan 11, 2007
    #3
  4. jan.rockstedt

    Brian V Guest

    all udp will be dropped as well as all icmp
     
    Brian V, Jan 11, 2007
    #4
  5. Usually last line in an access-list is "permit ip any any". If you permit
    TCP only, you may (and will) block all "internal stuff" like multicast,
    broadcast, UDP, etc.

    Good luck,

    Mike
     
    headsetadapter.com, Jan 12, 2007
    #5
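
Added example, not part of any post in the thread: a minimal first-match evaluator in Python for the subset of extended-ACL syntax used here, run over ACL 122 and ACL 101 as posted, to show what the implicit deny at the end of each list does to UDP and ICMP. The sample packets and their addresses are constructed, and the model covers only protocol, address/wildcard and `eq` destination-port matching.

```python
import ipaddress

# ACLs 122 and 101 exactly as posted in the thread.
ACL_122 = """access-list 122 deny tcp any any eq 2967
access-list 122 permit tcp any any"""
ACL_101 = """access-list 101 deny tcp any any eq 2967
access-list 101 permit ip any any"""

def addr_spec(tok):
    """Consume one address spec: 'any', 'host A', or 'A WILDCARD'."""
    if tok[0] == "any":
        return (0, 0xFFFFFFFF), tok[1:]
    if tok[0] == "host":
        return (int(ipaddress.IPv4Address(tok[1])), 0), tok[2:]
    return (int(ipaddress.IPv4Address(tok[0])), int(ipaddress.IPv4Address(tok[1]))), tok[2:]

def parse(text):
    """Parse the extended-ACL subset used on this page into rule tuples."""
    rules = []
    for line in text.splitlines():
        tok = line.split()[2:]            # drop 'access-list <number>'
        action, proto, tok = tok[0], tok[1], tok[2:]
        src, tok = addr_spec(tok)
        dst, tok = addr_spec(tok)
        port = int(tok[1]) if tok[:1] == ["eq"] else None
        rules.append((action, proto, src, dst, port))
    return rules

def hit(spec, ip):
    base, wild = spec
    # Wildcard bits set to 1 are "don't care" bits.
    return (int(ipaddress.IPv4Address(ip)) | wild) == (base | wild)

def evaluate(rules, proto, src, dst, dport=None):
    """First matching entry wins; no match at all means the implicit deny."""
    for action, r_proto, r_src, r_dst, r_port in rules:
        if (r_proto in ("ip", proto) and hit(r_src, src) and hit(r_dst, dst)
                and r_port in (None, dport)):
            return action
    return "deny (implicit)"

# Constructed sample packets: (protocol, source, destination, destination port)
SAMPLES = [("tcp", "10.220.21.10", "10.1.1.1", 2967), ("tcp", "10.220.21.10", "10.1.1.1", 80),
           ("udp", "10.220.21.10", "10.1.1.1", 53), ("icmp", "10.220.21.10", "10.1.1.1", None)]

if __name__ == "__main__":
    for name, acl in (("122", ACL_122), ("101", ACL_101)):
        for pkt in SAMPLES:
            print(name, pkt, "->", evaluate(parse(acl), *pkt))
```

On a real device, the per-entry match counters in `show access-lists` show which line traffic is hitting.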