Old 10-16-2013, 07:31 PM
mchaitaniyak
Member
Join Date: Aug 2013
Posts: 3
Example configuration for IP-based ACL to block all other traffic except RDP - 3389

Hello creinelt,

Firstly, I believe the SW version we have on the ERS 5520 switches is 5.x and above. If it is, you can definitely consider configuring an Access Control List (ACL), which can be applied at port level, in your case on port 1/5 where we have the server connected.

5500 (config)#qos ip-acl name host src-ip 172.1.1.10/32 protocol 6 src-port-min 3389 src-port-max 3389 update-dscp 18 block tcpcommon

5500 (config)#qos ip-acl name host drop-action enable

5500 (config)#qos acl-assign port 1/5 acl-type ip name host

-> Here the ACL name is "host", and I took the liberty of assuming the source subnet from which you might have RDC requests to be "172.1.1.10".
-> Protocol 6 specifies TCP traffic, as RDP works on TCP 3389.
-> The first two IP-ACLs are assigned to a block named tcpcommon. Since we are only allowed up to eight precedence levels, it is a good idea to use block configuration whenever possible.
-> The third IP-ACL is required to match all other traffic. As the default implicit action is to drop all non-matching traffic, if this command is not entered, all other traffic from 172.1.1.10 would be allowed.

Hope this helps !!!!
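An added example, not part of the post above or of Avaya's software: a small model of the ACL in the reply, evaluated against a few constructed packets. It assumes first-match evaluation with an implicit drop for anything not matched (the behaviour the post attributes to "drop-action enable"), and the packets, addresses and the DSCP/port values are either taken from the post or constructed for illustration. The point it makes visible is that the entry matches on the *source* port, so only TCP segments leaving 172.1.1.10 from port 3389 are permitted; a connection *to* port 3389, UDP, or any other source address falls through to the implicit drop.

```python
"""Model of the 'host' IP ACL from the post (added example, not Avaya code).

Assumptions: one ACL, first match wins, non-matching packets are dropped.
Sample packets below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: int        # IP protocol number: 6 = TCP, 17 = UDP
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class AclEntry:
    """One 'qos ip-acl name <name> ...' entry: src prefix, protocol, src port range."""
    name: str
    src_net: str
    proto: int
    src_port_min: int
    src_port_max: int
    update_dscp: Optional[int] = None   # DSCP remark applied on match (update-dscp)

    def matches(self, p: Packet) -> bool:
        return (
            ipaddress.ip_address(p.src_ip) in ipaddress.ip_network(self.src_net)
            and p.proto == self.proto
            and self.src_port_min <= p.src_port <= self.src_port_max
        )


def evaluate(acl: List[AclEntry], p: Packet) -> Tuple[str, Optional[int]]:
    """Return ('permit', dscp) on the first matching entry, else ('drop', None).

    The trailing drop models the implicit drop of non-matching traffic that the
    post enables with 'qos ip-acl name host drop-action enable'.
    """
    for entry in acl:
        if entry.matches(p):
            return ("permit", entry.update_dscp)
    return ("drop", None)


# The single entry from the post: TCP from 172.1.1.10/32, source port 3389, DSCP 18.
HOST_ACL = [AclEntry("host", "172.1.1.10/32", 6, 3389, 3389, update_dscp=18)]

# Constructed sample packets (10.0.0.5 is an assumed peer address).
SAMPLE = {
    "rdp_reply_from_server_port": Packet("172.1.1.10", "10.0.0.5", 6, 3389, 50123),
    "rdp_request_to_port_3389":   Packet("172.1.1.10", "10.0.0.5", 6, 50123, 3389),
    "udp_from_port_3389":         Packet("172.1.1.10", "10.0.0.5", 17, 3389, 50123),
    "tcp_3389_other_host":        Packet("172.1.1.11", "10.0.0.5", 6, 3389, 50123),
}


def run_samples() -> dict:
    """Evaluate every sample packet against HOST_ACL."""
    return {name: evaluate(HOST_ACL, pkt) for name, pkt in SAMPLE.items()}


if __name__ == "__main__":
    for name, (action, dscp) in run_samples().items():
        suffix = f" (DSCP {dscp})" if dscp is not None else ""
        print(f"{name:28s} -> {action}{suffix}")
```

Running it shows only the first packet permitted (with DSCP 18) and the other three dropped. If the intent is to admit RDP *requests* arriving at the server, the match has to be on the destination port (or applied on the client-facing side with the source port), so check which direction the port the ACL is assigned to actually sees before relying on it.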