Use IP ACLs to block Telnet, HTTP, and the Extreme internal ports 7110, 7710, 8008, 9110, and 9710 for both IPv4 and IPv6. If SSH access is required, enter seq permit commands to allow access on port 22. If remote access is required, such as through SCP or LDAP, enter seq permit commands to allow UDP and TCP traffic on ports 1024 through 65535.
Create the rules with the ip access-list command and use the ip access-group command to apply the rules to the management interface.

device(config)# ip access-list extended ccextACL
device(config-ip-ext)# seq 1 deny tcp any any eq 23
device(config-ip-ext)# seq 2 deny tcp any any eq 80
device(config-ip-ext)# seq 5 deny tcp any any eq 7110
device(config-ip-ext)# seq 6 deny tcp any any eq 7710
device(config-ip-ext)# seq 7 deny tcp any any eq 8008
device(config-ip-ext)# seq 8 deny tcp any any eq 9110
device(config-ip-ext)# seq 9 deny tcp any any eq 9710
device(config-ip-ext)# seq 11 permit tcp any any range 1024 65535
device(config-ip-ext)# seq 12 permit udp any any range 1024 65535
device(config-ip-ext)# seq 13 permit tcp any any eq 22
device(config-ip-ext)# seq 14 permit tcp any any eq 830
device(config-ip-ext)# exit
device(config)# interface management 1/0
device(config-Management-1/0)# ip access-group ccextACL in

device(config)# ipv6 access-list extended ccextACL6
device(config-ip-ext)# seq 1 deny tcp any any eq 23
device(config-ip-ext)# seq 2 deny tcp any any eq 80
device(config-ip-ext)# seq 5 deny tcp any any eq 7110
device(config-ip-ext)# seq 6 deny tcp any any eq 7710
device(config-ip-ext)# seq 7 deny tcp any any eq 8008
device(config-ip-ext)# seq 8 deny tcp any any eq 9110
device(config-ip-ext)# seq 9 deny tcp any any eq 9710
device(config-ip-ext)# seq 11 permit tcp any any range 1024 65535
device(config-ip-ext)# seq 12 permit udp any any range 1024 65535
device(config-ip-ext)# seq 13 permit tcp any any eq 22
device(config-ip-ext)# seq 14 permit tcp any any eq 830
device(config-ip-ext)# exit
device(config)# interface management 1/0
device(config-Management-1/0)# ipv6 access-group ccextACL6 in
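The ordering of the seq entries above is what makes the ACL work: the deny entries for Telnet, HTTP, and the internal ports carry lower sequence numbers than the broad 1024-65535 permit, and anything not matched falls through to the implicit deny. The following Python script is an added example, not part of the Extreme guide and not SLX-OS code. It parses the rule lines of ccextACL as written above (embedded as constructed input), evaluates them under the first-match-wins, implicit-deny-at-the-end semantics that sequenced ACLs are assumed to use here, and runs the checks an operator would want before applying the list to the management interface. The misordered variant at the end (internal port 7110 denied at seq 20 instead of seq 5) shows why the audit is worth running: the broad permit at seq 11 then matches first and the port is reachable.

```python
"""First-match simulation and audit of a sequenced management ACL.

Added example (not from the Extreme SLX-OS guide). Assumes SLX-OS style
semantics: rules are evaluated in ascending seq order, the first matching
rule decides, and an unmatched packet hits the implicit deny at the end.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Rule lines copied from the ccextACL example (constructed input; the
# device prompts are omitted so only the seq lines are parsed).
ACL_TEXT = """
seq 1 deny tcp any any eq 23
seq 2 deny tcp any any eq 80
seq 5 deny tcp any any eq 7110
seq 6 deny tcp any any eq 7710
seq 7 deny tcp any any eq 8008
seq 8 deny tcp any any eq 9110
seq 9 deny tcp any any eq 9710
seq 11 permit tcp any any range 1024 65535
seq 12 permit udp any any range 1024 65535
seq 13 permit tcp any any eq 22
seq 14 permit tcp any any eq 830
"""

# Ports the text says must be blocked on the management interface.
MUST_DENY_TCP: Dict[int, str] = {
    23: "telnet", 80: "http",
    7110: "internal", 7710: "internal", 8008: "internal",
    9110: "internal", 9710: "internal",
}

RULE_RE = re.compile(
    r"^seq\s+(?P<seq>\d+)\s+(?P<action>permit|deny)\s+(?P<proto>tcp|udp)"
    r"\s+any\s+any\s+(?:eq\s+(?P<eq>\d+)|range\s+(?P<lo>\d+)\s+(?P<hi>\d+))$"
)


@dataclass(frozen=True)
class Rule:
    seq: int
    action: str
    proto: str
    lo: int
    hi: int

    def matches(self, proto: str, dport: int) -> bool:
        return proto == self.proto and self.lo <= dport <= self.hi


def parse_acl(text: str) -> List[Rule]:
    """Parse 'seq N permit|deny tcp|udp any any eq P|range A B' lines."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported rule syntax: {line!r}")
        if m.group("eq") is not None:
            lo = hi = int(m.group("eq"))
        else:
            lo, hi = int(m.group("lo")), int(m.group("hi"))
        rules.append(Rule(int(m.group("seq")), m.group("action"),
                          m.group("proto"), lo, hi))
    # Sequence number, not textual order, decides evaluation order.
    return sorted(rules, key=lambda r: r.seq)


def evaluate(rules: List[Rule], proto: str, dport: int) -> str:
    """Return 'permit' or 'deny' for a packet to dport/proto (first match wins)."""
    for r in rules:
        if r.matches(proto, dport):
            return r.action
    return "deny"  # implicit deny at the end of the list


def audit(rules: List[Rule]) -> List[str]:
    """Return findings; an empty list means the ACL does what the text requires."""
    findings = []
    for port, name in MUST_DENY_TCP.items():
        if evaluate(rules, "tcp", port) != "deny":
            findings.append(f"tcp/{port} ({name}) not denied")
    if evaluate(rules, "tcp", 22) != "permit":
        findings.append("tcp/22 (ssh) not permitted")
    return findings


if __name__ == "__main__":
    good = parse_acl(ACL_TEXT)
    print("ccextACL findings:", audit(good) or "none")
    # Same rules, but the 7110 deny moved behind the broad permit at seq 11.
    bad = parse_acl(ACL_TEXT.replace("seq 5 deny tcp any any eq 7110",
                                     "seq 20 deny tcp any any eq 7110"))
    print("misordered findings:", audit(bad))
```

The audit only covers the ports named in the text; extend MUST_DENY_TCP if the site blocks more. The implicit-deny fallthrough also explains why port 443, which no entry mentions, is blocked by this ACL.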
Reference the Extreme SLX-OS Security Configuration Guide, 20.2.1 – ACLs for specific guidance.
device(config)# no ldap-server <host>