9/30/2014

Block Windows AD/DHCP/NetBios from Crossing One Network to Another

Create an access-list to block these Microsoft Windows service ports:

Here's my list that blocks the Windows TEST LAB network from messing up the production environment.

access-list 199 deny   tcp any any eq 389
access-list 199 deny   udp any any eq 389
access-list 199 deny   tcp any any eq 636
access-list 199 deny   tcp any any eq 3268
access-list 199 deny   tcp any any eq 3269
access-list 199 deny   tcp any any eq 88
access-list 199 deny   udp any any eq 88
access-list 199 deny   tcp any any eq 445
access-list 199 deny   udp any any eq 445
access-list 199 deny   tcp any any eq 135
access-list 199 deny   udp any any eq 135
access-list 199 deny   tcp any any eq 5722
access-list 199 deny   tcp any any eq 646
access-list 199 deny   udp any any eq 646
access-list 199 deny   udp any any eq netbios-dgm
access-list 199 deny   tcp any any eq 9389
access-list 199 deny   udp any any eq bootps
access-list 199 deny   udp any any eq 2535
access-list 199 deny   udp any any eq netbios-ns
access-list 199 deny   tcp any any eq 139
access-list 199 permit ip any any


Here's the complete list of ports used by Windows:
http://technet.microsoft.com/en-us/library/cc875824.aspx
But I only used the ones above to block my TEST LAB Windows environment from crossing over into the production network.

Enter interface configuration mode and apply the access list inbound, so it is evaluated on traffic entering the interface.

interface GigabitEthernet0/2
 no switchport
 ip address 172.16.0.1 255.255.255.252
 ip access-group 199 in
end
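To see exactly what this access list does and does not stop before applying it, here is an added example (my own code, not from the post) that parses the post's ACL 199 and evaluates sample flows with the same first-match semantics IOS uses. It models only what the lines above express: protocol and destination port, with source and destination addresses always "any". The NAMED_PORTS table maps the IOS keyword names used in the post (netbios-ns, netbios-dgm, bootps) to their port numbers; the sample flows at the bottom are constructed for illustration.

```python
"""First-match evaluator for the post's Cisco-style numbered ACL.

Added example, not the post's own tooling. Supports only the syntax used
above: access-list <n> <permit|deny> <ip|tcp|udp> any any [eq <port>].
"""
import re

# IOS keyword names used in the post, mapped to port numbers.
NAMED_PORTS = {
    "netbios-ns": 137,
    "netbios-dgm": 138,
    "netbios-ss": 139,
    "bootps": 67,
    "bootpc": 68,
    "domain": 53,
}

# The access list from the post, embedded so the example runs offline.
ACL_199 = """
access-list 199 deny   tcp any any eq 389
access-list 199 deny   udp any any eq 389
access-list 199 deny   tcp any any eq 636
access-list 199 deny   tcp any any eq 3268
access-list 199 deny   tcp any any eq 3269
access-list 199 deny   tcp any any eq 88
access-list 199 deny   udp any any eq 88
access-list 199 deny   tcp any any eq 445
access-list 199 deny   udp any any eq 445
access-list 199 deny   tcp any any eq 135
access-list 199 deny   udp any any eq 135
access-list 199 deny   tcp any any eq 5722
access-list 199 deny   tcp any any eq 646
access-list 199 deny   udp any any eq 646
access-list 199 deny   udp any any eq netbios-dgm
access-list 199 deny   tcp any any eq 9389
access-list 199 deny   udp any any eq bootps
access-list 199 deny   udp any any eq 2535
access-list 199 deny   udp any any eq netbios-ns
access-list 199 deny   tcp any any eq 139
access-list 199 permit ip any any
"""

ACE_RE = re.compile(
    r"^access-list\s+(?P<num>\d+)\s+(?P<action>permit|deny)\s+"
    r"(?P<proto>ip|tcp|udp)\s+any\s+any(?:\s+eq\s+(?P<port>\S+))?\s*$"
)


def parse_acl(text):
    """Return the ACL as an ordered list of (action, proto, dport_or_None)."""
    entries = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("!"):
            continue
        m = ACE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported ACE syntax: {line}")
        port = m.group("port")
        if port is not None:
            port = NAMED_PORTS[port] if port in NAMED_PORTS else int(port)
        entries.append((m.group("action"), m.group("proto"), port))
    return entries


def evaluate(acl, proto, dport):
    """First matching entry wins, as on IOS; no match means the implicit deny."""
    for action, ace_proto, ace_port in acl:
        if ace_proto != "ip" and ace_proto != proto:
            continue
        if ace_port is not None and ace_port != dport:
            continue
        return action
    return "deny"  # implicit deny at the end of every IOS ACL


def blocked_ports(acl, proto):
    """Destination ports the ACL denies for the given protocol."""
    return {p for a, pr, p in acl
            if a == "deny" and p is not None and pr in (proto, "ip")}


if __name__ == "__main__":
    acl = parse_acl(ACL_199)
    # Constructed sample flows: (protocol, destination port, description)
    for proto, dport, what in [("tcp", 389, "LDAP"), ("udp", 67, "DHCP server"),
                               ("udp", 138, "NetBIOS datagram"), ("tcp", 53, "DNS"),
                               ("tcp", 443, "HTTPS")]:
        print(f"{proto}/{dport:<5} {what:<17} -> {evaluate(acl, proto, dport)}")
```

Running it shows LDAP, DHCP and NetBIOS flows denied and HTTPS permitted by the final permit ip any any. Two things the evaluator makes visible: the entries match only the destination port of packets entering the interface, so lab traffic to any port not listed (DNS on 53, for instance, which the post leaves out) passes through; and because the post's own permit ip any any is the last line, the implicit deny never fires for traffic that reaches it.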

done.
