Thursday, April 19, 2018

ACL to block networks from seeing each other

Hey All,

I have a question about ACLs. I have one set up on the SVI of vlan 502 that does the following:

Extended IP access list DENY-NETWORKS-IN-ACL
    3 deny icmp any 10.5.4.0 0.0.0.255 (133 matches)
    4 deny icmp any 10.5.20.0 0.0.0.255 (54 matches)
    5 deny icmp any 10.3.20.0 0.0.0.255
    10 permit udp any any eq bootps (3726 matches)
    20 deny ip any 10.5.4.0 0.0.0.255 (21572 matches)
    30 deny ip any 10.5.20.0 0.0.0.255 (115978 matches)
    40 deny ip any 10.3.20.0 0.0.0.255
    50 permit ip any any (176199809 matches)

On my core switch I have vlan 504 configured with an address of 10.5.4.1, and on my access switch I have vlan 504 configured with an address of 10.5.4.11. These are both the DGs on their respective devices with vlan 504. So everything works great, except that when I do a port scan from the 10.5.2.0 network against the 10.5.4.0 network I get responses from both DGs saying that ports 22 and 443 are open. I would figure that they would be completely blocked, but they are responding to the scans. So my questions are...

- Is this normal behavior since they are gateways?

- Is there a way to create an ACL so that they aren't responding to scans from the 10.5.2.0 network on 22 and 443?
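One way to reason about the question is to work out what the ACL text itself does to the probes before looking at where the ACL is applied. The following evaluator is an added example, not code from the original post: it parses the ACE lines shown above (hit counters stripped, constructed as an inline sample) and applies Cisco IOS semantics, first matching entry wins, wildcard mask bits set to 1 are "don't care", and anything that matches no entry hits the implicit deny. It only handles the ACE forms that appear in the post (`any`, `host`, address plus wildcard, and an `eq` port qualifier); the port-name table is an assumption limited to the well-known names needed here.

```python
"""First-match evaluator for a Cisco IOS extended ACL (added example).

Models how IOS walks an extended ACL: entries are tested in sequence order,
the first match decides permit/deny, and an unmatched packet is denied by the
implicit 'deny ip any any' at the end.
"""
import ipaddress

# The ACE lines from the post with hit counters removed (constructed sample input).
ACL_TEXT = """
3 deny icmp any 10.5.4.0 0.0.0.255
4 deny icmp any 10.5.20.0 0.0.0.255
5 deny icmp any 10.3.20.0 0.0.0.255
10 permit udp any any eq bootps
20 deny ip any 10.5.4.0 0.0.0.255
30 deny ip any 10.5.20.0 0.0.0.255
40 deny ip any 10.3.20.0 0.0.0.255
50 permit ip any any
"""

# IOS well-known port names; only the ones needed for this ACL (assumed subset).
PORT_NAMES = {"bootps": 67, "bootpc": 68, "ssh": 22, "www": 80, "domain": 53}


def _parse_addr(tokens):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' from the token list.

    Returns (network, care_mask, remaining_tokens). care_mask has a 1 bit for
    every address bit that must match, i.e. the inverse of the IOS wildcard.
    """
    if tokens[0] == "any":
        return 0, 0, tokens[1:]
    if tokens[0] == "host":
        return int(ipaddress.IPv4Address(tokens[1])), 0xFFFFFFFF, tokens[2:]
    net = int(ipaddress.IPv4Address(tokens[0]))
    wildcard = int(ipaddress.IPv4Address(tokens[1]))
    return net, (~wildcard) & 0xFFFFFFFF, tokens[2:]


def _parse_port(tokens):
    """Consume an optional 'eq <port>' qualifier; returns (port_or_None, rest)."""
    if tokens[:1] == ["eq"]:
        p = tokens[1]
        port = int(p) if p.isdigit() else PORT_NAMES[p]
        return port, tokens[2:]
    return None, tokens


def parse_acl(text):
    """Parse 'seq action proto src [eq p] dst [eq p]' lines into ACE dicts."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        seq, action, proto, rest = int(tokens[0]), tokens[1], tokens[2], tokens[3:]
        src, src_mask, rest = _parse_addr(rest)
        sport, rest = _parse_port(rest)
        dst, dst_mask, rest = _parse_addr(rest)
        dport, rest = _parse_port(rest)
        entries.append(dict(seq=seq, action=action, proto=proto,
                            src=src, src_mask=src_mask, sport=sport,
                            dst=dst, dst_mask=dst_mask, dport=dport))
    return entries


def _addr_match(addr, net, care):
    return (int(ipaddress.IPv4Address(addr)) & care) == (net & care)


def evaluate(entries, src, dst, proto, sport=None, dport=None):
    """Return (action, seq) of the first matching ACE, or ('deny', None) for the implicit deny."""
    for e in entries:
        if e["proto"] != "ip" and e["proto"] != proto:   # 'ip' covers every protocol
            continue
        if not _addr_match(src, e["src"], e["src_mask"]):
            continue
        if not _addr_match(dst, e["dst"], e["dst_mask"]):
            continue
        if e["sport"] is not None and e["sport"] != sport:
            continue
        if e["dport"] is not None and e["dport"] != dport:
            continue
        return e["action"], e["seq"]
    return "deny", None


if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    # The probes from the question: a 10.5.2.x host scanning both gateways on 22 and 443.
    for dst in ("10.5.4.1", "10.5.4.11"):
        for dport in (22, 443):
            print(f"10.5.2.50 -> {dst} tcp/{dport}:", evaluate(acl, "10.5.2.50", dst, "tcp", 51000, dport))
    # DHCP discover still passes via the bootps permit ahead of the deny lines.
    print("dhcp:", evaluate(acl, "0.0.0.0", "255.255.255.255", "udp", 68, 67))
```

Run as written, the TCP probes to 10.5.4.1 and 10.5.4.11 on 22 and 443 all resolve to `('deny', 20)`. That is the useful check: the entries themselves block the scan, so if the gateways still answer, the probe must be reaching them over a path on which this ACL is not evaluated inbound, which is where the troubleshooting effort belongs rather than in adding more deny lines.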


