HPE Community
Comware Based
1822896 Members
3668 Online
109645 Solutions
New Discussion

Blocking UDP traffic on a 4500G

 
Mitesh324
Occasional Advisor

‎11-18-2009 09:14 AM

‎11-18-2009 09:14 AM

Blocking UDP traffic on a 4500G

Take #2  Lesson 1 the interwebs can and shall eat your words at any time it so feels the need to.  Copy is your friend.



Currently I have an issue where I am trying to block UDP traffic on a 4500G switch, which has been upgraded with the latest firmware and bootrom (5.02.p2, 5.01).  In place I have storm-constrain setup to block multicast (the UDP traffic is coming through as a multicast feed) with a threshold of 1 to 1 kbps, 1% ratio, or 1 pps.  When I look at Ethereal, it shows UDP traffic to be around 15%, with UDP packets being approximately 1.3KBs. I am trying to just block all UDP traffic.  My feed contains UDP traffic and I want to block the traffic for ports that are outgoing.  My best guess for what to do next is configure an ACL.  I have thourghly searched through the manual for any information on protocol blocking, UDP blocking, and I was unable to find anything useful, I might not be using find with the right phrases/words.  Is there a command line where I essentially go in and type block UDP 1/0/16, or something more complex.  Also after typing this up I wonder if the UDP traffic is not just coming through multicast only and if its coming in as broadcast or some other cast.  Any help would greatly be appreciated.



0 Kudos
7 REPLIES 7
Fred_Mancen_1
Super Advisor

‎11-18-2009 09:57 AM

‎11-18-2009 09:57 AM

Re: Blocking UDP traffic on a 4500G

Hi, Mitesh.



I think that the better way to accomplish what you want is to create an ACL that blocks the UDP traffic and apply it to the port you mentioned. I don't know any port command that can perform this action.



HTH



Regards,
Fred Mancen
0 Kudos
Mitesh324
Occasional Advisor

‎11-18-2009 09:59 AM

‎11-18-2009 09:59 AM

Re: Blocking UDP traffic on a 4500G

I'll give that a shot.  Thanks for that help.



0 Kudos
Mitesh324
Occasional Advisor

‎11-18-2009 02:01 PM

‎11-18-2009 02:01 PM

Re: Blocking UDP traffic on a 4500G

Well I made an ACL:





acl number 3000 name UDPBlock



rule 0 deny UDP





However I am still getting UDP traffic coming through.  I want to just block UDP traffic from 2 ports on the switch, port 1 and port 13.  Anyone able to point out what I did wrong above?  My setup is I have a line coming in that carrys UDP.  Only two ports on the switch need to not have UDP traffic.  The rest are fine to allow multicast/UDP to come through.



 



0 Kudos
Fred_Mancen_1
Super Advisor

‎11-19-2009 07:09 AM

‎11-19-2009 07:09 AM

Re: Blocking UDP traffic on a 4500G

In what traffic direction the ACL was implemented? Inbound or outbound traffic?



Regards,
Fred Mancen
0 Kudos
Mitesh324
Occasional Advisor

‎11-19-2009 08:17 AM

‎11-19-2009 08:17 AM

Re: Blocking UDP traffic on a 4500G

At first I did it both ways source and destination like so:



 



rule 0 deny UDP destination-port eq 16 source-port eq16



 



Reason I chose 16 was that is where I had the laptop connected to, and I assumed when setting it to 16 it would think of the physical port ( or so I thought when I read what it means by source-port), however I changed it when I checked to see what values were used for destination and source -port:



 



rule 0 deny UDP source-port range 1024 1026



 



I chose those ports as that is what ethreal was telling me the packets were coming from.  After applying the rule and saving it, I checked ethreal and traffic was still coming through.  I would really just like to be able to do this



rule 0 deny UDP port eq 16



 



Where 16 would be the actual physical port on the switch.  Thus blocking incoming and outgoing UDP traffic.  Again thanks for the help, its really helping me, understand ACL and such better.



This message was edited by Mitesh324 on 11-19-09 @ 8:20 AM
0 Kudos
Mitesh324
Occasional Advisor

‎11-19-2009 11:18 AM

‎11-19-2009 11:18 AM

Re: Blocking UDP traffic on a 4500G

A quick question to add to this topic, when I do implement a rule or a setting, and I use the save command, the rule or setting takes effect right than, and there is no reason to reboot the switch, I am correct in thinking that?  I ask because the guy I am working with mentioned it and I told him to have to reboot for each time you change a setting or such would cause disruption to the network.



0 Kudos
Mitesh324
Occasional Advisor

‎11-20-2009 12:28 PM

‎11-20-2009 12:28 PM

Re: Blocking UDP traffic on a 4500G

Alright I learned I can block UDP coming into the switch, but I am am not sure if I can block UDP outgoing from the switch.  I want UDP to be able to come into the switch, but block it from going out of the switch on certain physical ports. Is this possible with an ACL rule?



0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.