Limit server access rights to only remote desktop connections on S series switches

The TCP port number of the Windows remote desktop is 3389. For S series switches (except S1700 switches), to limit server access rights to remote desktop connections, perform the following configuration (assume that the server address is and GE1/0/1 is used to connect to the user side):
1. Create a traffic classifier c1. Configure a traffic classification rule to filter the packet with the destination IP address of and the destination TCP port number of 3389.
[Switch] acl number 3000
[Switch-acl-adv-3000] rule permit tcp destination 0 destination-port eq 3389 //Allow users to connect to the remote desktop on the server.
[Switch-acl-adv-3000] rule deny tcp destination 0 //Prevent users from accessing other applications on the server.
[Switch-acl-adv-3000] quit
[Switch] traffic classifier c1
[Switch-classifier-c1] if-match acl 3000
[Switch-classifier-c1] quit
2. Create a traffic behavior b1 and set the action to permit.
[Switch] traffic behavior b1
[Switch-behavior-b1] permit
[Switch-behavior-b1] quit
3. Create a traffic policy p1 and bind the traffic classifier and traffic behavior to the traffic policy.
[Switch] traffic policy p1
[Switch-trafficpolicy-p1] classifier c1 behavior b1
[Switch-trafficpolicy-p1] quit
4. Apply the traffic policy p1 on GE1/0/1 in the inbound direction.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] traffic-policy p1 inbound

Scroll to top