Ethernet Switches & Routers

Contributor
Posts: 37
Registered: 11-07-2010

Blocking NetBIOS

I am looking for the best way to block egress NetBIOS traffic on a single port of an FCX624S. Would it be best to block the TCP and UDP ports 137 & 139 for NetBIOS? Or is there a better and known way to accomplish this?

Thanks

Contributor
Posts: 54
Registered: 01-27-2010

Re: Blocking NetBIOS

Unless there's a change in a future version, the FCX only supports inbound (ingress) ACLs, enforced (though not necessarily applied) at physical ports within a single switch or stack.

You might need to guarantee the IP(s) of the device(s) on the port, perhaps using an inbound ACL (and possibly DHCP reservations). Then, to all OTHER ports, apply a second ACL which blocks the NetBIOS traffic to the guaranteed IP(s). Using a range-based command like int e 1/1/1 to 1/1/47 helps, but it's still ugly.

Contributor
Posts: 37
Registered: 11-07-2010

Re: Blocking NetBIOS

I spoke with a local pre-sales engineer and I am told that it does support egress ACLs. If this is false, then I can apply it to the inbound traffic port of the switch. There is not much traffic on this switch, nor will there be. This is being used in a two-way communication system and is providing access for dispatch consoles and radio base stations to function properly.

Super Contributor
Posts: 1,087
Registered: 12-13-2009

Re: Blocking NetBIOS

Hi jscott,

I do not believe that the FastIron FCX can do egress ACLs, only ingress. Have you tested it?

Thanks

Michael.

Contributor
Posts: 37
Registered: 11-07-2010

Re: Blocking NetBIOS

I have not had a chance to test this yet. I live in NY and we just got slammed with the hurricane, so I have been out of the office and am working from home today. I plan on testing it this week; I will keep you posted.

If it only does ingress, then I believe I could just set up the port that I don't want NetBIOS leaving and set it as ingress? In essence, block it before it even gets to the designated port? This port does not need NetBIOS at all.

Thanks

Super Contributor
Posts: 1,087
Registered: 12-13-2009

Re: Blocking NetBIOS

OK, good luck with the hurricane, mate. Better you than me.

Yep you can still block via ingress.

Contributor
Posts: 37
Registered: 11-07-2010

Re: Blocking NetBIOS

Still gotta test it, but this is what I am going to try:

access-list 104 deny udp any any range 137 139
access-list 104 permit ip any any
int e 10
ip access-group 104 in

I won't be working on this until the week of the 12th; I'll keep everyone posted.

Contributor
Posts: 37
Registered: 11-07-2010

Re: Blocking NetBIOS

So this is the outcome, works like a champ:

access-list 101 deny udp any range netbios-ns netbios-ns any
access-list 101 deny udp any range netbios-ns netbios-ssn any
access-list 101 deny udp any range netbios-dgm netbios-ns any
access-list 101 deny udp any range netbios-dgm netbios-ssn any
access-list 101 deny udp any range netbios-ssn netbios-ns any
access-list 101 deny udp any range netbios-ssn netbios-ssn any
access-list 101 deny tcp any range netbios-ssn 137 any
access-list 101 deny tcp any range netbios-ssn netbios-ssn any
access-list 101 permit ip any any

I was only able to apply this to the ingress as expected, thanks for the info.
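Added here as an illustration, not code from the thread: a small Python model of how an extended ACL of this shape is evaluated, run against the draft list 104 and the final list 101 posted above, plus a third list (numbered 102, my suggestion) that tests destination ports as well. The matching semantics (a `range` placed right after the source address filters the source port, one after the destination address filters the destination port, first match wins, implicit deny at the end) are my reading of the FastIron extended-ACL syntax and an assumption, as are the constructed sample flows.

```python
"""Model of FastIron-style extended ACL matching, used to check which NetBIOS
flows the lists posted in this thread actually catch.  Added example, not the
thread's own code or Brocade's parser.  Assumed semantics:
  - access-list <n> <deny|permit> <proto> any [range LO HI] any [range LO HI]
    (only 'any' addresses are modelled, which is all these lists use)
  - a 'range' right after the source address tests the SOURCE port, one after
    the destination address tests the DESTINATION port; first match wins,
    and a list with no match ends in an implicit deny
  - an inverted range such as 'range 139 137' is kept literal (matches nothing)
All packets below are constructed sample flows, not captures.
"""
from dataclasses import dataclass

PORT_NAMES = {"netbios-ns": 137, "netbios-dgm": 138, "netbios-ssn": 139}


@dataclass(frozen=True)
class Packet:
    proto: str  # "udp" or "tcp"
    src_port: int
    dst_port: int


def _port(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def _port_test(tokens, i):
    """Consume an optional 'range LO HI' at tokens[i]; return (test, next_i)."""
    if i < len(tokens) and tokens[i] == "range":
        lo, hi = _port(tokens[i + 1]), _port(tokens[i + 2])
        return (lambda x: lo <= x <= hi), i + 3
    return (lambda x: True), i


def parse_ace(line):
    """Parse one access-list entry into (action, match_function)."""
    t = line.split()
    if t[0] != "access-list" or t[2] not in ("deny", "permit") or t[4] != "any":
        raise ValueError(f"unsupported entry: {line!r}")
    action, proto = t[2], t[3]
    src_ok, i = _port_test(t, 5)        # operator after the source address
    if t[i] != "any":
        raise ValueError(f"unsupported entry: {line!r}")
    dst_ok, _ = _port_test(t, i + 1)    # operator after the destination address

    def matches(pkt):
        return (proto in ("ip", pkt.proto)
                and src_ok(pkt.src_port) and dst_ok(pkt.dst_port))

    return action, matches


def evaluate(acl_text, pkt):
    """Return 'permit' or 'deny' for pkt under first-match evaluation."""
    for line in acl_text.strip().splitlines():
        action, matches = parse_ace(line)
        if matches(pkt):
            return action
    return "deny"


# The two lists exactly as posted in the thread.
DRAFT_ACL = """
access-list 104 deny udp any any range 137 139
access-list 104 permit ip any any
"""
POSTED_ACL = """
access-list 101 deny udp any range netbios-ns netbios-ns any
access-list 101 deny udp any range netbios-ns netbios-ssn any
access-list 101 deny udp any range netbios-dgm netbios-ns any
access-list 101 deny udp any range netbios-dgm netbios-ssn any
access-list 101 deny udp any range netbios-ssn netbios-ns any
access-list 101 deny udp any range netbios-ssn netbios-ssn any
access-list 101 deny tcp any range netbios-ssn 137 any
access-list 101 deny tcp any range netbios-ssn netbios-ssn any
access-list 101 permit ip any any
"""
# My suggestion, not the poster's: test source AND destination ports so that
# sessions the host itself opens to TCP 139 are caught as well.
BOTH_WAYS_ACL = """
access-list 102 deny udp any range 137 139 any
access-list 102 deny udp any any range 137 139
access-list 102 deny tcp any range 137 139 any
access-list 102 deny tcp any any range 137 139
access-list 102 permit ip any any
"""
# Constructed flows as the ingress ACL on the host's port sees them (host -> network).
FLOWS = {
    "NBNS name query        udp 137 -> 137": Packet("udp", 137, 137),
    "browser datagram       udp 138 -> 138": Packet("udp", 138, 138),
    "SMB session host opens tcp 51000 -> 139": Packet("tcp", 51000, 139),
    "SMB reply host sends   tcp 139 -> 51000": Packet("tcp", 139, 51000),
    "DNS query              udp 50000 -> 53": Packet("udp", 50000, 53),
}


def compare(flows=FLOWS):
    """Verdict of each flow under (draft 104, posted 101, both-ways 102)."""
    return {name: tuple(evaluate(acl, p) for acl in (DRAFT_ACL, POSTED_ACL, BOTH_WAYS_ACL))
            for name, p in flows.items()}


if __name__ == "__main__":
    for name, (draft, posted, both) in compare().items():
        print(f"{name:42} draft={draft:6} posted={posted:6} both-ways={both}")
```

Under these semantics, `compare()` shows list 101 denying everything the host sends from source port 137-139 (name service, the browser datagram, and replies from a NetBIOS session the host serves) while permitting a TCP session the host itself opens to port 139, because that leaves from an ephemeral source port; the draft list 104 matched on destination port instead, and only for UDP. The model also makes two things about list 101 visible: the single entry `range netbios-ns netbios-ssn` already covers the other five UDP entries, and `range netbios-ssn 137` is an inverted range that, read literally, matches nothing. Whether the unmatched client-side TCP 139 case matters depends on what the consoles on that port are expected to do; list 102 is one way to close both directions if it does.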
