NetBIOS traffic uses SAP values 0xF0 (for commands) and 0xF1 (for responses). Typically, network administrators use these SAP values to filter this protocol. The access list entry depicted below permits NetBIOS traffic and denies everything else (remember the implicit "deny all" at the end of each ACL):
access-list 200 permit 0xF0F0 0x0101
Using the same procedure shown in the previous section, you can determine that the above ACL permits the following SAPs: 0xF0 and 0xF1.
On the other hand, if the requirement is to block NetBIOS and allow the rest of the traffic, use this ACL:
I have added the above ACLs, however when I scan my network I can see the ports. I currently have all NetBIOS turned off. However, I would like to use NetBIOS for backup purposes. Is it possible to drop connections at the router for the following ports:
137, 138, 139 and 445
so that it is 'safe' to enable NetBIOS? Is it better to just forget NetBIOS and find another backup method?
Server Centre Limited (www.servercentre.net)
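Added example (not part of the original posts or of the quoted Cisco text): a small Python evaluator for 200-series SAP filters, showing why `0xF0F0 0x0101` matches only SAPs 0xF0 and 0xF1. It assumes the DSAP is the high byte and the SSAP the low byte of the 16-bit value, and that mask bits set to 1 are ignored; the `BLOCK_NETBIOS` list is constructed here for illustration and is not taken from the page.

```python
# Added example: evaluate Cisco 200-series (LSAP) ACL entries.
# Each entry is (action, value, mask); mask bits set to 1 are "don't care".

def entry_matches(lsap, value, mask):
    """True if the 16-bit DSAP/SSAP word equals value outside the wildcard bits."""
    care = ~mask & 0xFFFF
    return (lsap & care) == (value & care)

def evaluate(acl, dsap, ssap):
    """First-match evaluation, ending in the implicit 'deny all'."""
    lsap = (dsap << 8) | ssap  # assumption: DSAP high byte, SSAP low byte
    for action, value, mask in acl:
        if entry_matches(lsap, value, mask):
            return action
    return "deny"

def permitted_saps(acl):
    """Every SAP byte that occurs in at least one permitted DSAP/SSAP pair."""
    saps = set()
    for dsap in range(256):
        for ssap in range(256):
            if evaluate(acl, dsap, ssap) == "permit":
                saps.update((dsap, ssap))
    return sorted(saps)

# From the post: access-list 200 permit 0xF0F0 0x0101
NETBIOS_ONLY = [("permit", 0xF0F0, 0x0101)]

# Constructed for illustration (not from the page): deny NetBIOS first,
# then permit everything else with an all-wildcard mask.
BLOCK_NETBIOS = [("deny", 0xF0F0, 0x0101), ("permit", 0x0000, 0xFFFF)]

if __name__ == "__main__":
    print("permitted SAPs:", [hex(s) for s in permitted_saps(NETBIOS_ONLY)])
    # Constructed sample frames: (description, DSAP, SSAP)
    frames = [("NetBIOS command", 0xF0, 0xF0),
              ("NetBIOS response", 0xF0, 0xF1),
              ("SNAP", 0xAA, 0xAA)]
    for name, dsap, ssap in frames:
        print(f"{name:17} netbios-only={evaluate(NETBIOS_ONLY, dsap, ssap):6} "
              f"block-netbios={evaluate(BLOCK_NETBIOS, dsap, ssap)}")
```

These filters act on 802.2 LLC frames only; NetBIOS carried over TCP/IP (ports 137-139 and 445) never matches them, which is why the ports still show up in a scan.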
Here's an access list that should work to block ports instead of SAP packets.
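! Port matches (eq) are only valid on tcp/udp entries, not on "ip" entries.
! 137 = NetBIOS name service, 138 = datagram, 139 = session, 445 = SMB over TCP.
router(config)#access-list 101 deny udp any any eq 137
router(config)#access-list 101 deny udp any any eq 138
router(config)#access-list 101 deny tcp any any eq 139
router(config)#access-list 101 deny tcp any any eq 445
! Without a final permit, the implicit "deny all" drops all other traffic too.
router(config)#access-list 101 permit ip any any
router(config)#interface (the external if)
router(config-if)#ip access-group 101 in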
You will also want to block port 135 (MS RPC server) as there is a new, nasty DoS attack out for Win2K SP3 that operates by crashing the RPC service.
Jay Sudowski // Handy Networks LLC // Co-Founder & CTO