05-29-2008 03:08 PM - edited 03-05-2019 11:18 PM
I know this is a simple VLAN, but I want to make sure I am setting it up correctly.
I need to set up a VLAN that does not allow any traffic in or out except for TCP port 5900.
Below is what I think I need to put into the switch, but I want to confirm.
!
interface VlanTest
description Test VLAN
ip address 192.0.38.1 255.255.255.0
ip access-group 100 in
ip access-group 120 out
!
access-list 100 deny ip any any
access-list 100 permit tcp any host 192.0.38.0 255.255.255.0 eq 5900
access-list 120 deny ip any any
access-list 120 permit tcp 192.0.38.0 255.255.255.0 any eq 5900
Any help would be greatly appreciated
05-29-2008 03:27 PM
Anthony,
Please flip the ACLs so that the permit is on top. ACLs are processed from top to bottom, and as they currently stand no traffic would pass.
access-list 100 permit tcp any host 192.0.38.0 255.255.255.0 eq 5900
access-list 100 deny ip any any
access-list 120 permit tcp 192.0.38.0 255.255.255.0 any eq 5900
access-list 120 deny ip any any
05-29-2008 03:31 PM
Thanks for the tip Mark.
Much appreciated. I will set it up today.
05-29-2008 03:46 PM
Anthony,
Looking back at the post to be certain that I gave you the right info, I noticed that you weren't using wildcard masks either. Thanks for the rating, and I apologize for overlooking this.
access-list 100 permit tcp any 192.0.38.0 0.0.0.255 eq 5900
access-list 100 deny ip any any
access-list 120 permit tcp 192.0.38.0 0.0.0.255 any eq 5900
access-list 120 deny ip any any
Mark
05-29-2008 03:55 PM
Hi Mark,
Thanks for checking the post.
I have been having an issue applying the
access-list 100 permit tcp any host 192.0.38.0 0.255.255.255 eq 5900; it says invalid input at the 0 in 0.255.255.255.
Also having an issue inserting the access-list 120 permit tcp 192.0.38.0 0.255.255.255 any eq 5900; it keeps on changing the 192.0.38.0 to 192.0.0.0.
Any ideas?
05-29-2008 04:28 PM
That was my second mistake, which I edited a few minutes later. Here are the corrected ACLs:
access-list 100 permit tcp any 192.0.38.0 0.0.0.255 eq 5900
access-list 100 deny ip any any
access-list 120 permit tcp 192.0.38.0 0.0.0.255 any eq 5900
access-list 120 deny ip any any
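Added example, not part of the thread: a small Python model of how IOS evaluates a numbered extended ACL, so the three points settled above (first match wins, wildcard masks rather than subnet masks, and the host keyword taking a single address with no mask) can be checked offline before the lines go into the switch. The lists, the VNC client at 10.1.1.5 and the server at 192.0.38.10 are constructed for the demonstration; the only IOS behaviours the model relies on are the ones the replies describe, plus the established keyword, which matches TCP segments with the ACK or RST bit set.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

MASK32 = 0xFFFFFFFF

def ip2int(a: str) -> int:
    return int(ipaddress.IPv4Address(a))

def normalize(addr: str, wildcard: str) -> str:
    # IOS clears the 'don't care' bits when it stores an ACE: '192.0.38.0 0.255.255.255' -> '192.0.0.0'
    return str(ipaddress.IPv4Address(ip2int(addr) & ~ip2int(wildcard) & MASK32))

@dataclass
class Packet:
    proto: str          # 'tcp', 'udp' or 'icmp'
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False   # TCP ACK or RST bit set; this is what 'established' tests

@dataclass
class Ace:
    action: str         # 'permit' or 'deny'
    proto: str          # 'ip' matches every protocol, anything else must equal the packet's
    src: tuple          # (address, wildcard, port or None)
    dst: tuple
    established: bool = False

    @staticmethod
    def _hit(spec: tuple, ip: str, port: int) -> bool:
        addr, wc, want = spec
        # wildcard semantics: a 0 bit must match, a 1 bit is ignored
        return not ((ip2int(ip) ^ addr) & ~wc & MASK32) and (want is None or want == port)

    def matches(self, p: Packet) -> bool:
        return ((self.proto == "ip" or self.proto == p.proto)
                and self._hit(self.src, p.src, p.sport)
                and self._hit(self.dst, p.dst, p.dport)
                and (p.ack or not self.established))

def _addr_spec(tok: List[str], i: int):
    # one side of an ACE: 'any' | 'host A' | 'A WILDCARD', then an optional 'eq PORT'
    if tok[i] == "any":
        addr, wc, i = 0, MASK32, i + 1
    elif tok[i] == "host":
        addr, wc, i = ip2int(tok[i + 1]), 0, i + 2
    else:
        addr, wc, i = ip2int(tok[i]), ip2int(tok[i + 1]), i + 2
    port: Optional[int] = None
    if i < len(tok) and tok[i] == "eq":
        port, i = int(tok[i + 1]), i + 2
    return (addr, wc, port), i

def parse_ace(line: str) -> Ace:
    tok = line.split()
    if tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError(f"invalid input: {line}")
    src, i = _addr_spec(tok, 4)
    dst, i = _addr_spec(tok, i)
    established = tok[3] == "tcp" and i < len(tok) and tok[i] == "established"
    i += int(established)
    if i != len(tok):   # leftover token: this is where IOS prints '% Invalid input detected'
        raise ValueError(f"invalid input at '{tok[i]}'")
    return Ace(tok[2], tok[3], src, dst, established)

def is_valid(line: str) -> bool:
    try:
        parse_ace(line)
        return True
    except (ValueError, IndexError):
        return False

def parse_acl(lines: List[str]) -> List[Ace]:
    return [parse_ace(l) for l in lines]

def evaluate(acl: List[Ace], p: Packet) -> str:
    for ace in acl:     # first match wins
        if ace.matches(p):
            return ace.action
    return "deny"       # implicit deny at the end of every IOS ACL

# Constructed lists for the demonstration. ORIGINAL_100 is the first attempt
# with the wildcard already corrected, kept only to show the ordering problem.
ORIGINAL_100 = ["access-list 100 deny ip any any",
                "access-list 100 permit tcp any 192.0.38.0 0.0.0.255 eq 5900"]
FIXED_100 = ["access-list 100 permit tcp any 192.0.38.0 0.0.0.255 eq 5900",
             "access-list 100 deny ip any any"]
FIXED_120 = ["access-list 120 permit tcp 192.0.38.0 0.0.0.255 any eq 5900",
             "access-list 120 deny ip any any"]
# Same as FIXED_120 but with the port on the source side plus 'established',
# so the VNC server's replies (source port 5900, ACK set) match as well.
REPLIES_120 = ["access-list 120 permit tcp 192.0.38.0 0.0.0.255 eq 5900 any established",
               "access-list 120 deny ip any any"]
# Constructed traffic: a VNC client at 10.1.1.5 opens a session to a host in
# the VLAN, and the server answers from port 5900 with ACK set.
VNC_SYN = Packet("tcp", "10.1.1.5", 51000, "192.0.38.10", 5900)
VNC_REPLY = Packet("tcp", "192.0.38.10", 5900, "10.1.1.5", 51000, ack=True)
SSH_SYN = Packet("tcp", "10.1.1.5", 51001, "192.0.38.10", 22)
```

From a Python prompt, evaluate(parse_acl(ORIGINAL_100), VNC_SYN) returns "deny" and evaluate(parse_acl(FIXED_100), VNC_SYN) returns "permit" (SSH_SYN stays denied), is_valid("access-list 100 permit tcp any host 192.0.38.0 0.0.0.255 eq 5900") is False for the same reason the switch rejected the line, and normalize("192.0.38.0", "0.255.255.255") gives "192.0.0.0", the rewrite reported in the thread. Two things the model shows that the thread does not cover. First, evaluate(parse_acl(FIXED_120), VNC_REPLY) is "deny": in list 120 the eq 5900 sits on the destination side, while the server's replies carry 5900 as the source port and an ephemeral destination port, so a stateless pair like this needs an entry for return traffic (REPLIES_120 above, with the port on the source side and established) or a reflexive ACL, otherwise the VNC handshake never completes. Second, on an SVI the in direction is traffic arriving from the VLAN hosts and out is traffic the switch forwards to them, so the list carrying "any to 192.0.38.0/24 eq 5900" belongs in the out direction and the one carrying the VLAN's own source addresses in the in direction; the hit counters in show ip access-lists will confirm which entries are actually matching once applied.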