Question: How to block SMB at the switch (Cisco 3750G) with a Cisco Access Control List? ACL?
Hello,
I have two stacked Cisco 3750G-24T-S switches (acting as one switch). All computers, and a few hubs connecting to other computers, are connected to them. There is no outside internet or routers, just the switches. All ports but one are set to VLAN 10, which all the hosts are plugged into.
Now what I want to do is block all SMB traffic going through the switch (Windows file sharing), TCP ports 139 and 445. I believe there is something called a VACL (VLAN access control list), but I have no idea how to set it for TCP/IP ports.
Please, if anyone could help me out... perhaps VLAN ACLs are not the best way? Thank you in advance.
Answer: How to block SMB at the switch (Cisco 3750G) with a Cisco Access Control List? ACL?
Hello. VLAN maps, unlike ACLs, permit traffic unless stated differently; the default action for VLAN maps is to forward, and this action is taken if the packet does not match any of the entries within the map. They also have no direction (input/output). Using VLAN maps, you create an ACL to define the traffic that you want to match and, based on that list, you set the action in the map for packets that match the ACL's entries. In your case:
Defining the traffic:
Switch(config)#ip access-list extended tcp_smb
Switch(config-ext-nacl)#permit tcp any any eq 445
Switch(config-ext-nacl)#permit tcp any any eq 139
Switch(config-ext-nacl)#exit

Telling the VLAN map what to do with it:
Switch(config)#vlan access-map map1 10
Switch(config-access-map)#match ip address tcp_smb
Switch(config-access-map)#action drop
Switch(config-access-map)#exit
(The next statement that you wrote is not needed; the VLAN map will forward all other packets not matching the ACL.)

Applying the map to the switch:
Switch(config)#vlan filter map1 vlan-list 10

Show commands:
Switch#show vlan filter [access-map name | vlan vlan-id]
Switch#show vlan access-map [mapname]
I hope this helps
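The full configuration as an added, constructed example (not part of the original answer), using the same names tcp_smb and map1. It adds a second map sequence with an explicit forward action: Cisco's 3750 configuration guide states that when a VLAN map contains a match clause for a packet type (IP here), packets of that type that match no entry are dropped, so without this entry all non-SMB IP traffic in VLAN 10 would be dropped as well.

```cisco
! Constructed example for the setup in the question: two stacked 3750G
! switches, all hosts in VLAN 10, goal is to drop SMB (TCP 139/445)
! between hosts inside the VLAN. Names tcp_smb and map1 follow the answer.
Switch# configure terminal
! 1. Define the traffic to match. "permit" here means "match this",
!    the action is decided in the VLAN map. Matching the destination port
!    is enough, because SMB clients always connect to 139 or 445.
Switch(config)# ip access-list extended tcp_smb
Switch(config-ext-nacl)# permit tcp any any eq 445
Switch(config-ext-nacl)# permit tcp any any eq 139
Switch(config-ext-nacl)# exit
! 2. VLAN map: sequence 10 drops what tcp_smb matches. Sequence 20 has
!    no match clause, so it matches everything else and forwards it.
!    Without sequence 20, IP packets matching no entry would be dropped,
!    because the map contains an IP match clause.
Switch(config)# vlan access-map map1 10
Switch(config-access-map)# match ip address tcp_smb
Switch(config-access-map)# action drop
Switch(config-access-map)# exit
Switch(config)# vlan access-map map1 20
Switch(config-access-map)# action forward
Switch(config-access-map)# exit
! 3. Apply the map to VLAN 10 only. VLAN maps have no direction, so this
!    covers frames entering the VLAN on any port, regardless of which
!    stack member the port belongs to.
Switch(config)# vlan filter map1 vlan-list 10
Switch(config)# end
! 4. Verify the sequences, the actions, and where the map is applied,
!    then save.
Switch# show vlan access-map map1
Switch# show vlan filter
Switch# show ip access-lists tcp_smb
Switch# copy running-config startup-config
```

Two hosts on the same hub can still reach each other's shares, because their frames never pass through the switch and the VACL only sees frames the switch forwards.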