policy route-map question
Posted by jan.rockstedt@gmail.com on January 11, 2007, 10:54 am
I want to block tcp port 2967 in on interface FastEthernet0/7. How shall I do it?

Regards Jan Rockstedt

interface FastEthernet0/7
 description 100
 switchport access vlan 21
 switchport mode access
 no ip address
 speed 100
 spanning-tree portfast
 spanning-tree bpdufilter enable

interface Vlan21
 description 100
 ip address 10.220.21.254 255.255.255.0 secondary
 ip address 10.21.2.254 255.255.255.0 secondary
 ip address 10.220.21.2 255.255.255.0
 ip policy route-map SONG

route-map SONG permit 10
 match ip address 100
 set ip next-hop 172.20.254.2

access-list 100 deny ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
access-list 100 deny ip 10.0.0.0 0.255.255.255 192.168.0.0 0.0.255.255
access-list 100 permit ip any any
Posted by Brian V on January 11, 2007, 11:47 am
You cannot block it inbound on f0/7: it is configured as a switchport and you cannot apply an IP ACL to it. Well... you can, but it won't do anything. You could block it on the vlan interface.

access-list 101 deny tcp any any eq 2967
access-list 101 permit ip any any
int v21
 ip access-group 101 out
Posted by jan.rockstedt@gmail.com on January 11, 2007, 3:21 pm
Brian V wrote:
> > Hi all,
> >
> > I want to block tcp port 2967 in on interface FastEthernet0/7
> > How shall I do it?
> >
> > Regards Jan Rockstedt
> >
> > interface FastEthernet0/7
> > description 100
> > switchport access vlan 21
> > switchport mode access
> > no ip address
> > speed 100
> > spanning-tree portfast
> > spanning-tree bpdufilter enable
> >
> > interface Vlan21
> > description 100
> > ip address 10.220.21.254 255.255.255.0 secondary
> > ip address 10.21.2.254 255.255.255.0 secondary
> > ip address 10.220.21.2 255.255.255.0
> > ip policy route-map SONG
> >
> > route-map SONG permit 10
> > match ip address 100
> > set ip next-hop 172.20.254.2
> >
> > access-list 100 deny ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
> > access-list 100 deny ip 10.0.0.0 0.255.255.255 192.168.0.0 0.0.255.255
> > access-list 100 permit ip any any
> >
>
> You cannot block it inbound on f0/7: it is configured as a switchport and
> you cannot apply an IP ACL to it. Well... you can, but it won't do anything.
> You could block it on the vlan interface.
>
> access-list 101 deny tcp any any eq 2967
> access-list 101 permit ip any any
> int v21
>  ip access-group 101 out

Thanks,

I did try this on the vlan21 first:

access-list 122 deny tcp any any eq 2967
access-list 122 permit tcp any any

But was the deny wrong with only tcp?

//Jan
Posted by Brian V on January 11, 2007, 3:42 pm
> Brian V wrote:
>> > Hi all,
>> >
>> > I want to block tcp port 2967 in on interface FastEthernet0/7
>> > How shall I do it?
>> >
>> > Regards Jan Rockstedt
>> >
>> > interface FastEthernet0/7
>> > description 100
>> > switchport access vlan 21
>> > switchport mode access
>> > no ip address
>> > speed 100
>> > spanning-tree portfast
>> > spanning-tree bpdufilter enable
>> >
>> > interface Vlan21
>> > description 100
>> > ip address 10.220.21.254 255.255.255.0 secondary
>> > ip address 10.21.2.254 255.255.255.0 secondary
>> > ip address 10.220.21.2 255.255.255.0
>> > ip policy route-map SONG
>> >
>> > route-map SONG permit 10
>> > match ip address 100
>> > set ip next-hop 172.20.254.2
>> >
>> > access-list 100 deny ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
>> > access-list 100 deny ip 10.0.0.0 0.255.255.255 192.168.0.0 0.0.255.255
>> > access-list 100 permit ip any any
>> >
>>
>> You cannot block it inbound on f0/7: it is configured as a switchport and
>> you cannot apply an IP ACL to it. Well... you can, but it won't do
>> anything.
>> You could block it on the vlan interface.
>>
>> access-list 101 deny tcp any any eq 2967
>> access-list 101 permit ip any any
>> int v21
>>  ip access-group 101 out
>
> Thanks,
>
> I did try this on the vlan21 first:
>
> access-list 122 deny tcp any any eq 2967
> access-list 122 permit tcp any any
>
> But was the deny wrong with only tcp?
>
> //Jan
>

All UDP will be dropped, as well as all ICMP.
Posted by headsetadapter.com on January 12, 2007, 10:12 am
Usually the last line in an access-list is "permit ip any any". If you permit TCP only, you may (and will) block all "internal stuff" like multicast, broadcast, UDP, etc.

Good luck,
Mike
------
Cisco IP Phone PC Headset Adapters
www.ciscoheadsetadapter.com

> I did try this on the vlan21 first:
>
> access-list 122 deny tcp any any eq 2967
> access-list 122 permit tcp any any
>
> But was the deny wrong with only tcp?
>
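The two replies above make the same point: an IOS access-list is evaluated top to bottom, the first matching entry wins, and anything that matches no entry hits the implicit deny at the end. So a list that ends in "permit tcp any any" silently drops UDP, ICMP and everything else, while "permit ip any any" lets them through. The following Python simulator is an added example, not code from the thread or from Cisco; it models only the match logic of the extended-ACL lines quoted in the thread (protocol, source and destination with wildcard mask, optional "eq" destination port), then runs both of Jan's and Brian's lists, plus the route-map's access-list 100, over a few constructed packets. The hosts 10.220.21.10, 10.21.2.5 and 203.0.113.9 are made-up sample addresses; the in/out direction on the SVI decides which flows the list sees at all and is not modelled.

```python
# Added example (not from the thread): a minimal simulator of Cisco IOS
# extended access-list match semantics, used to compare the lists discussed.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    action: str                # "permit" or "deny"
    proto: str                 # "ip", "tcp", "udp" or "icmp"
    src: str                   # "any" or "<addr> <wildcard>"
    dst: str
    dport: Optional[int] = None   # destination port from "eq <port>"


def _wildcard_match(addr: str, spec: str) -> bool:
    """Cisco wildcard: a 1 bit means 'don't care', a 0 bit must match."""
    if spec == "any":
        return True
    base, wildcard = spec.split()
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not (_wildcard_match(pkt.src, ace.src) and _wildcard_match(pkt.dst, ace.dst)):
        return False
    return ace.dport is None or pkt.dport == ace.dport


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """First matching entry wins; no match at all is the implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny (implicit)"


def _take_addr(tokens: List[str], i: int):
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return f"{tokens[i + 1]} 0.0.0.0", i + 2
    return f"{tokens[i]} {tokens[i + 1]}", i + 2


def parse_acl(text: str) -> List[Ace]:
    """Parse 'access-list N permit|deny proto src dst [eq port]' lines."""
    acl = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] != "access-list":
            continue
        action, proto = t[2], t[3]
        src, i = _take_addr(t, 4)
        dst, i = _take_addr(t, i)
        dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        acl.append(Ace(action, proto, src, dst, dport))
    return acl


# The lists quoted in the thread.
ACL_101 = parse_acl("""
access-list 101 deny tcp any any eq 2967
access-list 101 permit ip any any
""")
ACL_122 = parse_acl("""
access-list 122 deny tcp any any eq 2967
access-list 122 permit tcp any any
""")
ACL_100 = parse_acl("""
access-list 100 deny ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
access-list 100 deny ip 10.0.0.0 0.255.255.255 192.168.0.0 0.0.255.255
access-list 100 permit ip any any
""")


def policy_routed(acl: List[Ace], pkt: Packet) -> bool:
    """In 'match ip address', only a permit counts as a match for the route-map."""
    return evaluate(acl, pkt) == "permit"


# Constructed sample traffic from a VLAN 21 host (addresses are made up).
SAMPLE_PACKETS = [
    Packet("tcp", "10.220.21.10", "10.21.2.5", 2967),
    Packet("tcp", "10.220.21.10", "10.21.2.5", 80),
    Packet("udp", "10.220.21.10", "10.21.2.5", 53),
    Packet("icmp", "10.220.21.10", "10.21.2.5"),
]


def compare(acl_a: List[Ace], acl_b: List[Ace], packets: List[Packet]):
    return [(p.proto, p.dport, evaluate(acl_a, p), evaluate(acl_b, p)) for p in packets]


if __name__ == "__main__":
    print("proto, dport, ACL 101, ACL 122")
    for row in compare(ACL_101, ACL_122, SAMPLE_PACKETS):
        print(row)
    for dst in ("10.21.2.5", "192.168.1.1", "203.0.113.9"):
        print(dst, "policy-routed:", policy_routed(ACL_100, Packet("tcp", "10.220.21.10", dst, 80)))
```

Running it shows the UDP and ICMP packets coming back as "deny (implicit)" under ACL 122 and "permit" under ACL 101, which is Brian's and Mike's answer in one table; the ACL 100 rows show why the two deny entries keep RFC 1918-to-RFC 1918 traffic off the next-hop while everything else is policy-routed.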