policy route-map question

Hi all,

I want to block TCP port 2967 inbound on interface FastEthernet0/7. How shall I do it?

Regards Jan Rockstedt

interface FastEthernet0/7
 description 100
 switchport access vlan 21
 switchport mode access
 no ip address
 speed 100
 spanning-tree portfast
 spanning-tree bpdufilter enable

interface Vlan21
 description 100
 ip address 10.220.21.254 255.255.255.0 secondary
 ip address 10.21.2.254 255.255.255.0 secondary
 ip address 10.220.21.2 255.255.255.0
 ip policy route-map SONG

route-map SONG permit 10
 match ip address 100
 set ip next-hop 172.20.254.2

access-list 100 deny ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
access-list 100 deny ip 10.0.0.0 0.255.255.255 192.168.0.0 0.0.255.255
access-list 100 permit ip any any
jan.rockstedt

You cannot block it inbound on f0/7; it is configured as a switchport and you cannot apply an IP ACL to it. Well... you can, but it won't do anything. You could block it on the VLAN interface.

access-list 101 deny tcp any any eq 2967
access-list 101 permit ip any any
int v21
 ip access-group 101 out

Brian V

Brian V wrote:

Thanks,

I tried this on Vlan21 first:

access-list 122 deny tcp any any eq 2967
access-list 122 permit tcp any any

But was the deny wrong with only TCP?

//Jan

jan.rockstedt

All UDP will be dropped, as well as all ICMP.

Brian V

Usually the last line in an access-list is "permit ip any any". If you permit TCP only, you may (and will) block all "internal stuff" like multicast, broadcast, UDP, etc.

Good luck,

Mike

headsetadapter.com
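To make Brian's and Mike's point concrete, here is an added example (Python, not from this thread or from Cisco) that models IOS extended-ACL first-match evaluation, including the implicit "deny ip any any" at the end of every ACL, and runs the two ACLs from the thread over a few constructed packets; the sample addresses are placeholders in the thread's 10.220.21.0/24 range, and direction (in/out) is not modelled.

```python
# Added example, not from the thread: a minimal model of Cisco IOS extended-ACL
# first-match evaluation, used to compare ACL 101 (Brian V) with ACL 122 (Jan).
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    action: str                # "permit" or "deny"
    proto: str                 # "ip" matches every protocol, as in IOS
    src: str                   # CIDR; "0.0.0.0/0" stands for "any"
    dst: str
    eq: Optional[int] = None   # destination port for "eq N"

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if ip_address(p.src) not in ip_network(self.src):
            return False
        if ip_address(p.dst) not in ip_network(self.dst):
            return False
        return self.eq is None or p.dport == self.eq


def evaluate(acl: list[Ace], p: Packet) -> str:
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for ace in acl:
        if ace.matches(p):
            return ace.action
    return "deny"  # implicit "deny ip any any" at the end of every IOS ACL


ANY = "0.0.0.0/0"
# access-list 101: deny tcp any any eq 2967 / permit ip any any
ACL_101 = [Ace("deny", "tcp", ANY, ANY, 2967), Ace("permit", "ip", ANY, ANY)]
# access-list 122: deny tcp any any eq 2967 / permit tcp any any
ACL_122 = [Ace("deny", "tcp", ANY, ANY, 2967), Ace("permit", "tcp", ANY, ANY)]

# Constructed sample traffic (placeholder hosts on VLAN 21).
SAMPLES = [
    Packet("tcp", "10.220.21.10", "10.220.21.254", 2967),   # the port to block
    Packet("tcp", "10.220.21.10", "10.220.21.254", 80),
    Packet("udp", "10.220.21.10", "10.220.21.255", 53),
    Packet("icmp", "10.220.21.10", "10.220.21.254"),
]


def compare() -> dict[str, tuple[str, str]]:
    """Map "proto/port" -> (ACL 101 verdict, ACL 122 verdict) for each sample."""
    return {f"{p.proto}/{p.dport}": (evaluate(ACL_101, p), evaluate(ACL_122, p))
            for p in SAMPLES}


if __name__ == "__main__":
    for key, verdicts in compare().items():
        print(key, verdicts)
```

Running it shows both ACLs denying tcp/2967 and permitting tcp/80, but only ACL 101 permitting the UDP and ICMP packets, which is exactly the behaviour Brian and Mike describe.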
