[c-nsp] ACL does not work??
Michael K. Smith
mksmith at adhost.com
Fri Jul 14 15:45:34 EDT 2006
Hello
On 7/13/06 4:20 AM, "Sergey Velikanov [Intelsoft]" <sv at intelsoft.com> wrote:
> Hi.
>
> We protect customers from typical virus attacks with ACL, config looks like
>
> interface Vlan136
> ip address 192.168.26.209 255.255.255.240
> ip access-group ipprotocols in
> end
>
> interface FastEthernet0/36
> description vlan 136
> switchport access vlan 136
> switchport mode access
> switchport port-security maximum 32
> switchport port-security
> switchport port-security aging time 30
> switchport port-security violation protect
> switchport port-security aging type inactivity
> speed 10
> storm-control broadcast level pps 4k
> storm-control multicast level pps 6k
> storm-control unicast level pps 6k
> storm-control action shutdown
> no cdp enable
> spanning-tree portfast
> spanning-tree bpduguard enable
> ip igmp filter 10
> ip verify source port-security
> end
>
> ip access-list extended ipprotocols
> remark --= Deny windows RPC ports =--
> deny tcp any any eq 139
> deny tcp any any eq 135
> deny tcp any any eq 445
> deny udp any any eq 135
> deny udp any any eq 445
> .....
> permit ip any any
>
<snip>
Do you have IP Routing globally enabled for this switch ('ip routing')? I
think that is a prerequisite for L3 ACL's. Actually, I'm not sure if it's
required, but I've seen the requirement in the real world on similar
devices.
Regards,
Mike
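As an added example (not from anyone in this thread), a small Python model of how the quoted `ipprotocols` ACL is evaluated: entries are checked in configuration order, the first match wins, and an ACL that matches nothing denies implicitly. Because the ACL is applied with `ip access-group ipprotocols in` on `interface Vlan136`, the model also assumes, as a property of SVI ACLs rather than anything stated in the post, that only packets routed out of the VLAN subnet pass through it; the sample flows and the VLAN-membership check are constructed for this example.

```python
"""First-match evaluator for the IOS extended ACL quoted in the thread.
Added example; the ACL lines are the ones from the post (the elided
'.....' entries are omitted), the sample flows are constructed."""
import ipaddress

ACL_IPPROTOCOLS = """
remark --= Deny windows RPC ports =--
deny tcp any any eq 139
deny tcp any any eq 135
deny tcp any any eq 445
deny udp any any eq 135
deny udp any any eq 445
permit ip any any
"""

# Subnet of interface Vlan136, derived from 192.168.26.209 255.255.255.240
VLAN136 = ipaddress.ip_network("192.168.26.208/28")


def parse_acl(text):
    """Return (action, protocol, destination_port) tuples in config order."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] == "remark":
            continue
        action, proto = tok[0], tok[1]
        # Only 'any any' appears in the quoted ACL, so 'eq <port>' after the
        # destination keyword is the destination port; None means any port.
        dport = int(tok[tok.index("eq") + 1]) if "eq" in tok else None
        rules.append((action, proto, dport))
    return rules


def evaluate(rules, proto, dport):
    """First matching entry decides; no match falls through to implicit deny."""
    for action, rproto, rport in rules:
        if rproto != "ip" and rproto != proto:
            continue
        if rport is not None and rport != dport:
            continue
        return action
    return "deny"


def svi_inbound(src, dst, rules, proto, dport):
    """Model assumption of this example: an inbound SVI ACL sees only packets
    that VLAN 136 hosts send to the router, i.e. destined off-subnet. Traffic
    between two hosts inside the VLAN is bridged and never hits the ACL."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src in VLAN136 and dst not in VLAN136:
        return evaluate(rules, proto, dport)
    return "not evaluated"
```

Running `svi_inbound` over a flow from a VLAN 136 host to another host in the same /28 shows the case that makes an ACL look like it "does not work": the entry is correct, but the packet never reaches it.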