! Default Broadcast filter configuration for Catalyst 3550 Edge Switches
! $Id$
!
!! Access Control Lists for matching packets
!
! AppleTalk
no mac access-list extended vlan_block_appletalk_ether
mac access-list extended vlan_block_appletalk_ether
 permit any any aarp
 permit any any appletalk
 exit
!
! Allow IP Fragments
no ip access-list extended vlan_allow_ip_fragments
ip access-list extended vlan_allow_ip_fragments
 permit ip any any fragments
 exit
!
! Block IPv6
no ip access-list extended vlan_block_ipv6_ip
ip access-list extended vlan_block_ipv6_ip
 remark IPv6
 permit 41 any any
 remark IPv6-route
 permit 43 any any
 remark IPv6-frag
 permit 44 any any
 remark IPv6-icmp
 permit 58 any any
 remark IPv6-nonxt
 permit 59 any any
 remark IPv6-opts
 permit 60 any any
 exit
!
! Block Multicast DNS advertisements
no ip access-list extended vlan_block_mdns
ip access-list extended vlan_block_mdns
 remark Drop Multicast DNS announcements
 permit udp any host 224.0.0.251 eq 5353
 permit tcp any host 224.0.0.251 eq 5353
 permit udp any host 239.255.255.253 eq 427
 permit tcp any host 239.255.255.253 eq 427
 exit
!
! IPP broadcasts
no ip access-list extended vlan_block_ipp_rogue
ip access-list extended vlan_block_ipp_rogue
 permit udp any any eq 631
 exit
!
! Rogue DHCP servers
no ip access-list extended vlan_block_dhcp_rogue
ip access-list extended vlan_block_dhcp_rogue
 remark Allow Suffield servers to broadcast
 deny udp host 172.30.0.2 eq bootps any eq bootpc
 deny udp host 172.30.0.3 eq bootps any eq bootpc
 deny udp host 172.24.48.4 eq bootps any eq bootpc
 remark Allow DHCP helper relay addresses (gateway addresses)
 deny udp host 172.16.0.1 eq bootps any eq bootpc
 deny udp host 172.16.32.1 eq bootps any eq bootpc
 deny udp host 172.16.64.1 eq bootps any eq bootpc
 deny udp host 172.16.96.1 eq bootps any eq bootpc
 deny udp host 172.16.128.1 eq bootps any eq bootpc
 deny udp host 172.17.0.1 eq bootps any eq bootpc
 deny udp host 172.17.32.1 eq bootps any eq bootpc
 deny udp host 172.17.64.1 eq bootps any eq bootpc
 deny udp host 172.17.96.1 eq bootps any eq bootpc
 deny udp host 172.17.128.1 eq bootps any eq bootpc
 deny udp host 172.18.0.1 eq bootps any eq bootpc
 deny udp host 172.18.32.1 eq bootps any eq bootpc
 deny udp host 172.18.64.1 eq bootps any eq bootpc
 deny udp host 172.18.96.1 eq bootps any eq bootpc
 deny udp host 172.18.128.1 eq bootps any eq bootpc
 deny udp host 172.19.0.1 eq bootps any eq bootpc
 deny udp host 172.19.32.1 eq bootps any eq bootpc
 deny udp host 172.19.64.1 eq bootps any eq bootpc
 deny udp host 172.19.96.1 eq bootps any eq bootpc
 deny udp host 172.19.128.1 eq bootps any eq bootpc
 deny udp host 172.30.0.1 eq bootps any eq bootpc
 deny udp host 172.31.0.1 eq bootps any eq bootpc
 remark Old VLAN allow
 deny udp host 172.22.0.1 eq bootps any eq bootpc
 deny udp host 172.22.16.1 eq bootps any eq bootpc
 deny udp host 172.22.32.1 eq bootps any eq bootpc
 deny udp host 172.22.48.1 eq bootps any eq bootpc
 deny udp host 172.22.64.1 eq bootps any eq bootpc
 deny udp host 172.22.80.1 eq bootps any eq bootpc
 deny udp host 172.22.96.1 eq bootps any eq bootpc
 deny udp host 172.22.112.1 eq bootps any eq bootpc
 deny udp host 172.22.128.1 eq bootps any eq bootpc
 deny udp host 172.22.144.1 eq bootps any eq bootpc
 deny udp host 172.22.160.1 eq bootps any eq bootpc
 deny udp host 172.22.176.1 eq bootps any eq bootpc
 deny udp host 172.24.0.1 eq bootps any eq bootpc
 deny udp host 172.24.32.1 eq bootps any eq bootpc
 deny udp host 172.24.48.1 eq bootps any eq bootpc
 deny udp host 172.24.64.1 eq bootps any eq bootpc
 deny udp host 172.24.80.1 eq bootps any eq bootpc
 deny udp host 172.28.0.1 eq bootps any eq bootpc
 deny udp host 172.28.32.1 eq bootps any eq bootpc
 deny udp host 172.28.48.1 eq bootps any eq bootpc
 deny udp host 172.28.64.1 eq bootps any eq bootpc
 remark Prevent all unauthorized clients from broadcasting
 permit udp any eq bootps any eq bootpc
 exit
!
! Rogue IP addresses
no ip access-list extended vlan_block_ip_rogue
ip access-list extended vlan_block_ip_rogue
 remark Allow traffic to/from our internal addresses
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip any 172.16.0.0 0.15.255.255
 remark Allow multicast traffic (224.0.0.0/4)
 deny ip 224.0.0.0 15.255.255.255 any
 deny ip any 224.0.0.0 15.255.255.255
 remark Allow anyone to make a DHCP request
 deny udp any eq bootpc any eq bootps
 remark Allow Xbox LAN games
 deny udp host 0.0.0.1 eq 3074 host 255.255.255.255 eq 3074
 deny udp host 0.0.0.1 eq 3074 host 0.0.0.1 eq 3074
 remark Prevent non-Suffield IP addresses from getting on the network
 permit ip any any
 exit
!
! Default "any" match for IP
no ip access-list extended vlan_allow_ip_any
ip access-list extended vlan_allow_ip_any
 permit ip any any
 exit
!
! Default "any" match for non-IP
no mac access-list extended vlan_allow_mac_any
mac access-list extended vlan_allow_mac_any
 permit any any
 exit
!
!! VLAN Access Map making policy decisions based on the ACLs
!
no vlan access-map vlan_broadcast_suppress
!
vlan access-map vlan_broadcast_suppress 1100
 match mac address vlan_block_appletalk_ether
 action drop
 exit
!
vlan access-map vlan_broadcast_suppress 2100
 match ip address vlan_allow_ip_fragments
 action forward
 exit
!
vlan access-map vlan_broadcast_suppress 3100
 match ip address vlan_block_dhcp_rogue
 action drop
 exit
!
vlan access-map vlan_broadcast_suppress 3200
 match ip address vlan_block_ipp_rogue
 action drop
 exit
!
vlan access-map vlan_broadcast_suppress 3300
 match ip address vlan_block_mdns
 action drop
 exit
!
vlan access-map vlan_broadcast_suppress 3400
 match ip address vlan_block_ipv6_ip
 action drop
 exit
!
vlan access-map vlan_broadcast_suppress 3500
 match ip address vlan_block_ip_rogue
 action drop
 exit
!
! Default to allow IP traffic not explicitly dropped
vlan access-map vlan_broadcast_suppress 65533
 match ip address vlan_allow_ip_any
 action forward
 exit
!
! Default to allow Ethernet traffic not explicitly dropped
vlan access-map vlan_broadcast_suppress 65534
 match mac address vlan_allow_mac_any
 action forward
 exit
!
!! Apply the VLAN access map to all internal VLANS
!
vlan filter vlan_broadcast_suppress vlan-list 11 - 899
!
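The access map above relies on a detail of VLAN access-map semantics that is easy to misread: inside a VACL-referenced ACL, `permit` means "this clause matches, apply its action" and `deny` means "this clause does not match, try the next sequence", which is why the authorized DHCP servers are listed with `deny` in an ACL whose action is `drop`. The following Python evaluator is an added example, not part of the switch configuration or of Cisco IOS; it parses the subset of extended-ACL syntax used on this page (`any`, `host`, wildcard masks, `eq` ports, `fragments`), walks the access-map sequences in order with first-match ACL evaluation and an implicit drop at the end, and classifies a few constructed sample packets. Only the IP clauses are modelled (the MAC/AppleTalk clauses are omitted), and the rogue-DHCP ACL is trimmed to two of the page's server entries.

```python
"""Evaluator for the vlan_broadcast_suppress access map (added example, IP clauses only)."""
import ipaddress

PORT_NAMES = {"bootps": 67, "bootpc": 68}
PROTO_NUMS = {"ip": None, "udp": 17, "tcp": 6}   # None = any IP protocol


def parse_addr(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    # IOS wildcard: 0 bits are significant, 1 bits are "don't care" -> invert to a netmask
    mask = ipaddress.ip_address(~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False), tokens[2:]


def parse_port(tokens):
    """Consume an optional 'eq PORT' qualifier; return (port or None, remaining tokens)."""
    if tokens and tokens[0] == "eq":
        p = tokens[1]
        return (PORT_NAMES[p] if p in PORT_NAMES else int(p)), tokens[2:]
    return None, tokens


def parse_acl(text):
    """Parse 'permit|deny PROTO SRC [eq P] DST [eq P] [fragments]' lines; remarks are skipped."""
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] == "remark":
            continue
        proto = PROTO_NUMS[tok[1]] if tok[1] in PROTO_NUMS else int(tok[1])
        src, rest = parse_addr(tok[2:])
        sport, rest = parse_port(rest)
        dst, rest = parse_addr(rest)
        dport, rest = parse_port(rest)
        aces.append(dict(action=tok[0], proto=proto, src=src, sport=sport,
                         dst=dst, dport=dport, fragments="fragments" in rest))
    return aces


def ace_matches(ace, pkt):
    if ace["proto"] is not None and ace["proto"] != pkt["proto"]:
        return False
    if ace["fragments"] and not pkt["fragment"]:
        return False
    if ipaddress.ip_address(pkt["src"]) not in ace["src"]:
        return False
    if ipaddress.ip_address(pkt["dst"]) not in ace["dst"]:
        return False
    # A non-initial fragment carries no L4 header (ports are None), so port qualifiers cannot match it
    return all(ace[k] is None or ace[k] == pkt[k] for k in ("sport", "dport"))


def acl_result(aces, pkt):
    """First-match ACL lookup: 'permit', 'deny', or None when no entry matches."""
    for ace in aces:
        if ace_matches(ace, pkt):
            return ace["action"]
    return None


def vacl_action(access_map, pkt):
    """Walk sequences in order; a 'permit' match applies the clause action, anything else
    falls through. Running off the end of the map is an implicit drop."""
    for _seq, aces, action in sorted(access_map, key=lambda c: c[0]):
        if acl_result(aces, pkt) == "permit":
            return action
    return "drop"


# ACL bodies copied from the page (rogue-DHCP list trimmed to two authorized senders)
ACCESS_MAP = [
    (2100, parse_acl("permit ip any any fragments"), "forward"),
    (3100, parse_acl("""
        deny udp host 172.30.0.2 eq bootps any eq bootpc
        deny udp host 172.16.0.1 eq bootps any eq bootpc
        remark Prevent all unauthorized clients from broadcasting
        permit udp any eq bootps any eq bootpc"""), "drop"),
    (3200, parse_acl("permit udp any any eq 631"), "drop"),
    (3300, parse_acl("""
        permit udp any host 224.0.0.251 eq 5353
        permit tcp any host 224.0.0.251 eq 5353
        permit udp any host 239.255.255.253 eq 427
        permit tcp any host 239.255.255.253 eq 427"""), "drop"),
    (3400, parse_acl("\n".join(f"permit {n} any any" for n in (41, 43, 44, 58, 59, 60))), "drop"),
    (3500, parse_acl("""
        deny ip 172.16.0.0 0.15.255.255 any
        deny ip any 172.16.0.0 0.15.255.255
        deny ip 224.0.0.0 15.255.255.255 any
        deny ip any 224.0.0.0 15.255.255.255
        deny udp any eq bootpc any eq bootps
        deny udp host 0.0.0.1 eq 3074 host 255.255.255.255 eq 3074
        deny udp host 0.0.0.1 eq 3074 host 0.0.0.1 eq 3074
        permit ip any any"""), "drop"),
    (65533, parse_acl("permit ip any any"), "forward"),
]


def pkt(src, dst, proto=17, sport=None, dport=None, fragment=False):
    return dict(src=src, dst=dst, proto=proto, sport=sport, dport=dport, fragment=fragment)


# Constructed sample packets (addresses chosen to exercise each clause, not captured traffic)
SAMPLES = {
    "authorized_dhcp_offer": pkt("172.30.0.2", "255.255.255.255", 17, 67, 68),
    "rogue_dhcp_offer":      pkt("172.16.5.9", "255.255.255.255", 17, 67, 68),
    "dhcp_discover":         pkt("0.0.0.0", "255.255.255.255", 17, 68, 67),
    "foreign_src_to_internet": pkt("192.0.2.5", "198.51.100.1", 6, 40000, 80),
    "mdns_announce":         pkt("172.16.5.9", "224.0.0.251", 17, 5353, 5353),
    "ipv6_in_ipv4":          pkt("172.16.5.9", "172.16.7.7", 41),
    "foreign_src_fragment":  pkt("192.0.2.5", "198.51.100.1", 17, fragment=True),
}


def classify_samples():
    return {name: vacl_action(ACCESS_MAP, p) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:26s} -> {verdict}")
```

Two results are worth reading off the output. The DHCP discover from an unconfigured client (`0.0.0.0` -> broadcast) is forwarded because the `deny udp any eq bootpc any eq bootps` entry in `vlan_block_ip_rogue` stops that clause from matching, exactly as its remark intends. The non-initial fragment from a foreign source is forwarded at sequence 2100 before any drop clause is consulted; that is the ordering the access map specifies, so anyone tightening this policy should decide deliberately whether fragments should still short-circuit the later checks.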