Simple VLAN

anthonywald
Level 1

I know this is a simple VLAN, but I want to make sure I am setting it up correctly.

I need to set up a VLAN that does not allow any traffic in or out except for TCP port 5900.

Below is what I think I need to put into the switch, but I want to confirm.

!
interface VlanTest
 description Test VLAN
 ip address 192.0.38.1 255.255.255.0
 ip access-group 100 in
 ip access-group 120 out
!
access-list 100 deny ip any any
access-list 100 permit tcp any host 192.0.38.0 255.255.255.0 eq 5900
access-list 120 deny ip any any
access-list 120 permit tcp 192.0.38.0 255.255.255.0 any eq 5900

Any help would be greatly appreciated.

1 Accepted Solution

Mark Yeates
Level 7

Anthony,

Please flip the ACLs so that the permit is on top. ACLs are processed from top to bottom, and as they currently stand no traffic would pass.

access-list 100 permit tcp any host 192.0.38.0 255.255.255.0 eq 5900
access-list 100 deny ip any any
access-list 120 permit tcp 192.0.38.0 255.255.255.0 any eq 5900
access-list 120 deny ip any any

5 Replies


Thanks for the tip, Mark.

Much appreciated. I will set it up today.

Anthony,

Looking back at the post to be certain that I gave you the right info, I noticed that you weren't using wildcard masks either. Thanks for the rating, and I apologize for overlooking this.

access-list 100 permit tcp any 192.0.38.0 0.0.0.255 eq 5900
access-list 100 deny ip any any
access-list 120 permit tcp 192.0.38.0 0.0.0.255 any eq 5900
access-list 120 deny ip any any

Mark

Hi Mark,

Thanks for checking the post.

I have been having an issue applying the

access-list 100 permit tcp any host 192.0.38.0 0.255.255.255 eq 5900

It says invalid input at the 0 in 0.255.255.255.

I am also having an issue inserting the

access-list 120 permit tcp 192.0.38.0 0.255.255.255 any eq 5900

It keeps on changing the 192.0.38.0 to 192.0.0.0.

Any ideas?

That was my second mistake, which I edited a few minutes later. Here are the corrected ACLs:

access-list 100 permit tcp any 192.0.38.0 0.0.0.255 eq 5900
access-list 100 deny ip any any
access-list 120 permit tcp 192.0.38.0 0.0.0.255 any eq 5900
access-list 120 deny ip any any
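The behaviour the thread turns on, as an added example that is not part of the original posts: a small Python simulator of how IOS evaluates a numbered extended ACL (top to bottom, first match wins, implicit deny at the end), run against constructed packets. It shows the deny-first list from the question rejecting the VNC SYN, the permit-first list accepting it and nothing else, what happens when a subnet mask is typed where IOS expects a wildcard mask, and that a permit for traffic towards the VLAN does not match the servers' replies. The addresses, ports, packets and list numbers 100/110 are made up for the demonstration. The parser accepts only the `any`, `host A` and `A WILDCARD` address forms plus an optional `eq PORT`, so the lists are written in that form; IOS's `host` keyword takes a single address and no mask, which is why `host 192.0.38.0 255.255.255.0` is rejected on a real switch.

```python
"""Simulator for a subset of Cisco IOS numbered extended ACL syntax.

Added example; not code from the thread. Parsed forms:
  access-list N permit|deny ip|tcp SRC [eq PORT] DST [eq PORT]
where SRC/DST is 'any', 'host A' or 'A WILDCARD' (a 1 bit in WILDCARD
means "don't care"). Evaluation is top-down, first match wins, and a
packet that matches nothing hits the implicit deny.
All addresses, ports and packets below are constructed for the demo.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _parse_addr(tokens, i):
    """Consume one address spec; return ((base, wildcard), next_index)."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":                 # 'host' takes one address and no mask
        return (_ip(tokens[i + 1]), 0), i + 2
    return (_ip(tokens[i]), _ip(tokens[i + 1])), i + 2


def _parse_port(tokens, i):
    """Consume an optional 'eq PORT'; return (port or None, next_index)."""
    if i < len(tokens) and tokens[i] == "eq":
        return int(tokens[i + 1]), i + 2
    return None, i


def parse_acl(text: str, number: int) -> list:
    """Entries of access-list `number`, in the order they were typed."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[1] != str(number):
            continue
        src, i = _parse_addr(t, 4)
        sport, i = _parse_port(t, i)
        dst, i = _parse_addr(t, i)
        dport, _ = _parse_port(t, i)
        entries.append({"action": t[2], "proto": t[3], "src": src,
                        "sport": sport, "dst": dst, "dport": dport})
    return entries


def _addr_match(spec, addr: str) -> bool:
    base, wild = spec
    care = ~wild & 0xFFFFFFFF               # bits that must be equal
    return (_ip(addr) & care) == (base & care)


def evaluate(entries: list, pkt: Packet) -> str:
    """Return 'permit' or 'deny' for pkt under first-match semantics."""
    for e in entries:
        if e["proto"] not in ("ip", pkt.proto):
            continue
        if not (_addr_match(e["src"], pkt.src) and _addr_match(e["dst"], pkt.dst)):
            continue
        if e["sport"] is not None and e["sport"] != pkt.sport:
            continue
        if e["dport"] is not None and e["dport"] != pkt.dport:
            continue
        return e["action"]
    return "deny"                           # implicit deny at the end of every ACL


# The lists as discussed in the thread, with the 'host' keyword dropped because
# IOS will not accept 'host' followed by a mask.
ACL_DENY_FIRST = """access-list 100 deny ip any any
access-list 100 permit tcp any 192.0.38.0 0.0.0.255 eq 5900"""
ACL_PERMIT_FIRST = """access-list 100 permit tcp any 192.0.38.0 0.0.0.255 eq 5900
access-list 100 deny ip any any"""
ACL_SUBNET_MASK = """access-list 100 permit tcp any 192.0.38.0 255.255.255.0 eq 5900
access-list 100 deny ip any any"""
ACL_FROM_VLAN = """access-list 110 permit tcp 192.0.38.0 0.0.0.255 eq 5900 any
access-list 110 deny ip any any"""

VNC_SYN = Packet("tcp", "10.1.1.5", 51000, "192.0.38.7", 5900)    # client -> VNC server in VLAN
VNC_REPLY = Packet("tcp", "192.0.38.7", 5900, "10.1.1.5", 51000)  # server's SYN/ACK back
SSH_SYN = Packet("tcp", "10.1.1.5", 51001, "192.0.38.7", 22)
ODD_DST = Packet("tcp", "10.1.1.5", 51002, "10.9.8.0", 5900)      # host outside the VLAN


def demo() -> dict:
    """Verdict for each (list, packet) pair the discussion turns on."""
    return {
        "deny_first_vnc": evaluate(parse_acl(ACL_DENY_FIRST, 100), VNC_SYN),
        "permit_first_vnc": evaluate(parse_acl(ACL_PERMIT_FIRST, 100), VNC_SYN),
        "permit_first_ssh": evaluate(parse_acl(ACL_PERMIT_FIRST, 100), SSH_SYN),
        "subnet_mask_vnc": evaluate(parse_acl(ACL_SUBNET_MASK, 100), VNC_SYN),
        "subnet_mask_odd_dst": evaluate(parse_acl(ACL_SUBNET_MASK, 100), ODD_DST),
        "reply_vs_permit_first": evaluate(parse_acl(ACL_PERMIT_FIRST, 100), VNC_REPLY),
        "reply_vs_from_vlan": evaluate(parse_acl(ACL_FROM_VLAN, 110), VNC_REPLY),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:24s} {verdict}")
```

Two results are worth dwelling on. With `255.255.255.0` read as a wildcard mask, the only bits that must match are the last octet, so the entry matches any address ending in .0 (10.9.8.0 is permitted) and none of the real hosts in 192.0.38.0/24 (192.0.38.7 is denied), the opposite of what was intended. And on an SVI such as `interface Vlan N`, an ACL applied `in` filters packets the switch receives from hosts in the VLAN, while `out` filters packets it forwards to them (traffic switched within the VLAN is not routed and is not filtered by either). So if the VNC servers live in 192.0.38.0/24, the entry permitting `any` to `192.0.38.0 0.0.0.255 eq 5900` belongs in the `out` direction, and the `in` list must permit the servers' replies (`192.0.38.0 0.0.0.255 eq 5900 any`) because these ACLs are stateless, as the last two verdicts show.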
