05-29-2008 03:08 PM - edited 03-05-2019 11:18 PM
I know this is a simple VLAN but I want to make sure I am setting it up correctly.
I need to setup a VLAN that does not allow any traffic in or out except for tcp port 5900.
Below is what I think I need to put into the switch but I want to confirm.
!
interface VlanTest
description Test VLAN
ip address 192.0.38.1 255.255.255.0
ip access-group 100 in
ip access-group 120 out
!
access-list 100 deny ip any any
access-list 100 permit tcp any host 192.0.38.0 255.255.255.0 eq 5900
access-list 120 deny ip any any
access-list 120 permit tcp 192.0.38.0 255.255.255.0 any eq 5900
Any help would be greatly appreciated
05-29-2008 03:27 PM
Anthony,
Please flip the ACL's to where the permit is on top. ACL's are processed from top to bottom, and as they currently stand no traffic would pass.
access-list 100 permit tcp any host 192.0.38.0 255.255.255.0 eq 5900
access-list 100 deny ip any any
access-list 120 permit tcp 192.0.38.0 255.255.255.0 any eq 5900
access-list 120 deny ip any any
05-29-2008 03:31 PM
Thanks for the tip Mark.
Much appreciated. I will set it up today.
05-29-2008 03:46 PM
Anthony,
Looking back at the post to be certain that I gave you the right info, I noticed that you weren't using wildcard masks either. Thanks for the rating, and I apologize for overlooking this.
access-list 100 permit tcp any 192.0.38.0 0.0.0.255 eq 5900
access-list 100 deny ip any any
access-list 120 permit tcp 192.0.38.0 0.0.0.255 any eq 5900
access-list 120 deny ip any any
Mark
05-29-2008 03:55 PM
Hi Mark,
Thanks for checking the post.
I have been having an issue applying
access-list 100 permit tcp any host 192.0.38.0 0.255.255.255 eq 5900; it says invalid input at the 0 in 0.255.255.255.
I am also having an issue inserting access-list 120 permit tcp 192.0.38.0 0.255.255.255 any eq 5900; it keeps changing the 192.0.38.0 to 192.0.0.0.
Any ideas?
05-29-2008 04:28 PM
That was my second mistake that I edited a few minutes later. Here are the corrected ACL's
access-list 100 permit tcp any 192.0.38.0 0.0.0.255 eq 5900
access-list 100 deny ip any any
access-list 120 permit tcp 192.0.38.0 0.0.0.255 any eq 5900
access-list 120 deny ip any any
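Added example, not from the thread or from Cisco: a small Python evaluator for the subset of IOS extended-ACL syntax used above. It shows why the order of the two entries decides whether anything passes (first match wins, with the implicit deny at the end), and why the wildcard 0.255.255.255 made IOS store 192.0.38.0 as 192.0.0.0. The packet addresses and the ACL lists are constructed for the demo.

```python
import ipaddress

# Handles "access-list N permit|deny <proto> <src> <dst> [eq <port>]" where an
# address is "any", "host A.B.C.D" or "A.B.C.D WILDCARD". First match wins and
# an implicit "deny ip any any" closes every list, as on IOS.

def _addr(tokens):
    """Consume one address spec; return (value, care_mask) for bitwise matching."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0xFFFFFFFF
    # wildcard 1-bits are "don't care", so the care mask is its complement
    care = ~int(ipaddress.IPv4Address(tokens.pop(0))) & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(tok)) & care, care

def normalized(addr, wildcard):
    """Address as IOS stores it: bits covered by the wildcard are cleared."""
    value, _ = _addr([addr, wildcard])
    return str(ipaddress.IPv4Address(value))

def parse_ace(line):
    t = line.split()
    if t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(line)
    rest = t[4:]
    src, dst = _addr(rest), _addr(rest)
    port = int(rest[1]) if rest[:1] == ["eq"] else None
    return {"action": t[2], "proto": t[3], "src": src, "dst": dst, "port": port}

def _hit(ace, proto, src, dst, dport):
    if ace["proto"] != "ip" and ace["proto"] != proto:
        return False
    for (value, care), ip in ((ace["src"], src), (ace["dst"], dst)):
        if (int(ipaddress.IPv4Address(ip)) & care) != value:
            return False
    return ace["port"] is None or ace["port"] == dport

def evaluate(acl_lines, proto, src, dst, dport=None):
    """Return 'permit' or 'deny' for one packet; the first matching ACE wins."""
    for ace in map(parse_ace, acl_lines):
        if _hit(ace, proto, src, dst, dport):
            return ace["action"]
    return "deny"  # implicit deny at the end of every IOS ACL

AS_POSTED = ["access-list 100 deny ip any any",
             "access-list 100 permit tcp any 192.0.38.0 0.0.0.255 eq 5900"]
CORRECTED = AS_POSTED[::-1]  # permit on top, deny last

if __name__ == "__main__":
    for name, acl in (("as posted", AS_POSTED), ("corrected", CORRECTED)):
        print(name, "tcp/5900 ->", evaluate(acl, "tcp", "10.1.1.1", "192.0.38.10", 5900))
    print("0.255.255.255 keeps only the first octet:", normalized("192.0.38.0", "0.255.255.255"))
```

The evaluator is stateless, like the ACLs themselves, so it only answers whether a single packet matches a permit before it hits a deny.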