08-24-2011 07:32 AM
I am looking for the best way to block egress NetBIOS traffic on a single port of a FCX624S. Would it be best to block the TCP and UDP ports 137 & 139 for NetBIOS? Or is there a better and known way to accomplish this?
08-24-2011 02:41 PM
Unless there's a change in a future version, the FCX only supports inbound (ingress) ACLs, enforced (though not necessarily applied) at physical ports within a single switch or stack.
You might need to guarantee the IP(s) of the device(s) on the port, perhaps using an inbound ACL (and possibly DHCP reservations). Then, to all OTHER ports, apply a second ACL which blocks the NetBIOS traffic to the guaranteed IP(s). Using a range-based command like int e 1/1/1 to 1/1/47 helps, but it's still ugly.
08-25-2011 09:49 AM
I spoke with a local pre-sales engineer and I am told that it does support egress ACLs. If this is false, then I can apply it to the inbound traffic port of the switch. There is not much traffic on this switch nor will there be. This is being used in a two-way communication system and is providing access for dispatch consoles and radio base stations to function properly.
08-29-2011 07:29 AM
I have not had a chance to test this yet; I live in NY and we just got slammed with the hurricane, so I have been out of the office and I am working from home today. I plan on testing it this week, I will keep you posted.
If it does only do ingress, then I believe I could just set up the port that I don't want NetBIOS leaving and set it as ingress? In essence block it before it even gets to the designated port? This port does not need NetBIOS at all.
09-02-2011 09:03 AM
Still gotta test it but this is what I am going to try:
access-list 104 deny udp any any range 137 139
access-list 104 permit ip any any
int e 10
ip access-group 104 in
I won't be working on this until the week of the 12th; I'll keep everyone posted.
09-20-2011 10:24 AM
So this is the outcome, works like a champ:
access-list 101 deny udp any range netbios-ns netbios-ns any
access-list 101 deny udp any range netbios-ns netbios-ssn any
access-list 101 deny udp any range netbios-dgm netbios-ns any
access-list 101 deny udp any range netbios-dgm netbios-ssn any
access-list 101 deny udp any range netbios-ssn netbios-ns any
access-list 101 deny udp any range netbios-ssn netbios-ssn any
access-list 101 deny tcp any range netbios-ssn 137 any
access-list 101 deny tcp any range netbios-ssn netbios-ssn any
access-list 101 permit ip any any
I was only able to apply this to the ingress as expected, thanks for the info.
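As an added illustration (not from the thread), a small Python evaluator for the extended-ACL lines posted above; it assumes only the "any" address and "range a b" port forms used in this thread, applies first-match semantics with the implicit deny at the end, and shows that ACL 101 matches NetBIOS traffic by source port (the range keyword follows the source address), so a flow with an ephemeral source port and a NetBIOS destination port is permitted.

```python
# Added example, not from the thread: a minimal first-match evaluator for
# Brocade-style extended ACL lines (assumption: only 'any' addresses and
# 'range a b' port operators, as in the posts). ACL 101 is the working ACL
# from the last post; the sample flows in the checks are constructed.

NAMED_PORTS = {"netbios-ns": 137, "netbios-dgm": 138, "netbios-ssn": 139}

ACL_101 = """\
access-list 101 deny udp any range netbios-ns netbios-ns any
access-list 101 deny udp any range netbios-ns netbios-ssn any
access-list 101 deny udp any range netbios-dgm netbios-ns any
access-list 101 deny udp any range netbios-dgm netbios-ssn any
access-list 101 deny udp any range netbios-ssn netbios-ns any
access-list 101 deny udp any range netbios-ssn netbios-ssn any
access-list 101 deny tcp any range netbios-ssn 137 any
access-list 101 deny tcp any range netbios-ssn netbios-ssn any
access-list 101 permit ip any any
"""

def port(tok):
    """Resolve a numeric or named port token."""
    return int(tok) if tok.isdigit() else NAMED_PORTS[tok]

def parse_acl(text):
    """Parse lines of the form:
    access-list <n> <action> <proto> any [range a b] any [range a b]
    The operator after the source address applies to the SOURCE port,
    the one after the destination address to the DESTINATION port."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        action, proto, i = tok[2], tok[3], 5  # tok[4] is the source 'any'
        sport = dport = (0, 65535)
        if tok[i] == "range":
            sport, i = (port(tok[i + 1]), port(tok[i + 2])), i + 3
        i += 1  # skip the destination 'any'
        if i < len(tok) and tok[i] == "range":
            dport = (port(tok[i + 1]), port(tok[i + 2]))
        rules.append((action, proto, sport, dport))
    return rules

def evaluate(rules, proto, sport, dport):
    """First matching rule wins; an inverted range (e.g. 139..137) matches
    nothing; unmatched traffic hits the implicit deny at the end of the ACL."""
    for action, p, (s1, s2), (d1, d2) in rules:
        if p in (proto, "ip") and s1 <= sport <= s2 and d1 <= dport <= d2:
            return action
    return "deny"
```

Running evaluate() over constructed flows shows UDP and TCP with source ports 137-139 are denied, while the same protocols with an ephemeral source port and a NetBIOS destination port fall through to the permit line.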