vi no67udp.pol
(use a .pol extension)
(The ls command will list the files/configs on the XOS switch, which is Linux.) The following is needed in the policy (I add count so I can see the number of packet hits; it's not required):
# drop1: UDP packets with source port 67 (traffic sent by a DHCP server)
entry drop1 {
    if match all {
        protocol udp;
        source-port 67;
    } then {
        deny;
        count drop1;
    }
}
# drop2: UDP packets with destination port 67 (traffic sent to a DHCP server)
entry drop2 {
    if match all {
        protocol udp;
        destination-port 67;
    } then {
        deny;
        count drop2;
    }
}
After you've saved it with :wq (if you're using vi), you're ready to apply the policy/access-list. Enter the following commands:
check policy no67udp
(to make sure there are no errors; don't use the .pol extension here)
Next, apply to the ports:
configure access-list no67udp port 1-11,13-24 (or 26)
(it should respond with done!)
You can then enter show access-list or show access-list counter to see if there are any hits.
To remove the access-list enter:
unconfigure access-list no67udp
You can edit the access-list while it's running; after the check policy command you will need to enter:
refresh policy no67udp
to make the changes take effect. I think that's all you need.
There's probably a better way, and someone with more experience than me might know. But this should deny all UDP port 67 packets from all ports but 12.
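The whole procedure from the post, consolidated into one commented policy file as an added example (not the poster's own file, and not vendor-supplied code). The comment syntax (# to end of line) and the assumption that port 12 is the uplink toward the legitimate DHCP server are mine; the port list and entry names are the ones used above.

```text
# no67udp.pol  (added example; '#' starts a comment)
# Drops UDP port 67 (the DHCP/BOOTP server port) in both directions on the
# ports it is applied to. Port 12 is left out of the port list on the
# assumption that it is the uplink to the legitimate DHCP server.

# drop1: packets whose UDP source port is 67, i.e. replies sent by a DHCP
# server. This is the entry that stops a rogue server plugged into an
# access port from handing out leases.
entry drop1 {
    if match all {
        protocol udp;
        source-port 67;
    } then {
        deny;
        # optional hit counter, visible with "show access-list counter"
        count drop1;
    }
}

# drop2: packets whose UDP destination port is 67, i.e. requests sent
# towards a DHCP server.
entry drop2 {
    if match all {
        protocol udp;
        destination-port 67;
    } then {
        deny;
        count drop2;
    }
}
```

Apply it in the order the post gives: check policy no67udp (name without .pol), then configure access-list no67udp port 1-11,13-24, then show access-list counter to watch drop1 and drop2 increment; after editing the file, run check policy and refresh policy no67udp again, and unconfigure access-list no67udp removes it. One thing worth knowing before choosing the port list: the access-list is applied to traffic entering those ports, and DHCP client requests are sent to destination port 67, so drop2 also stops hosts on ports 1-11 and 13-24 from requesting a lease through the switch. If the only goal is to block unauthorised DHCP servers on those ports, drop1 alone does that while leaving client requests untouched.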