VLAN question

Unanswered Question
Mar 17th, 2009

Have a Cisco 3560 switch with multiple VLANs. Have a vendor that connects to the Pix 505 with PPTP and gets an IP from a server on VLAN1. They then need to connect to a PC for an RDP session on VLAN2. I am unable to get that connection working. Can ping all PCs on that VLAN but can't RDP. Is there an ACL I can add to grant this access?

John Blakley Tue, 03/17/2009 - 11:49

If they're going through the pix, you may need to create an ACL that they'll use to allow them to the vlan 2 subnet. Otherwise, they'll only be allowed to whatever devices the acl is being applied to their vpn connection.

You could post the acl that's being applied to them and we can look at it. Also, is the pix the default gateway for the switch? Are these L3 SVIs, or do you have it configured as just a L2 switch?



sonitadmin Tue, 03/17/2009 - 11:59

Taking outside users out of the equation for the time being, I cannot RDP to anything on VLAN2 from VLAN1 as of now.

So is there anything that would be denying that access?

John Blakley Tue, 03/17/2009 - 12:04

Are you on the same switch? Are these L3 SVIs?

Here's a couple of suggestions:

If they're L3 svis (int vlan1, int vlan2) and they have ACLs applied, then yes, that could be blocking you.

Can you RDP from a system that's in VLAN2 to the system that's in VLAN2? If not, it has something to do with the server/system that you're trying to remote into (software firewall?).



sonitadmin Tue, 03/17/2009 - 12:10


Thanks for the reply. They are L3 svis (int vlan1, int vlan2) and they do have ACLs applied to them.

I've taken my laptop and placed it in VLAN2 ( network) and can RDP to the PC ( When I go back to VLAN1 ( network) I am then unable to remote into anything on the network.

sonitadmin Tue, 03/17/2009 - 12:23

OK, the actual VLAN names are 10 and 8 not 1 and 2. I am trying to connect from VLAN10 to VLAN8. The commands that we have tried are not in this list.

sonitadmin Tue, 03/17/2009 - 12:29

I tried adding a command on VLAN8 that read:

permit tcp host eq 3389

John Blakley Tue, 03/17/2009 - 12:54

I'm a little confused. The ace that you posted here would only allow (,, etc.)

What are the actual subnets on vlan 8, and what subnet are you coming from?

Oh, and what direction are these acls applied to on the svi?


sonitadmin Tue, 03/17/2009 - 13:18

That should have been network.

But wouldn't that be correct? I only want to allow RDP from anything on the network to that specific host.

Right now my ip is, I'm on VLAN10. I want to RDP to which is on VLAN8.

John Blakley Tue, 03/17/2009 - 13:27

Yes, it would be correct, but it could change depending on the direction that your acl is applied in. Is the ACL on vlan 8 or 10 applied outbound?

Try this acl on vlan 8:

access-list 108 permit tcp host eq 3389

On your vlan 10:

access-list 101 permit tcp host eq 3389

Vlan 8 is assumed outbound. If your acl is applied inbound, you would need to switch it:

access-list 108 permit tcp host eq 3389

Oh, and if you add the access-list line without modifying your whole list, it will add to the end of the line. That means that if something is blocking the traffic before it gets to the line that should allow it, it will stop processing the ACL and will never get to your line. When working with these acls, it's best to copy the complete acl, paste into notepad, make your changes, del the current acl, and then paste your "changed" acl back in. You can't add a line to this type of acl in the middle of the list without modifying it all.



sonitadmin Wed, 03/18/2009 - 06:33

VLAN8 is indeed outbound. We tried the ACLs you gave above but with no success.

My other tech added the lines to the ACL by giving them a number (ex 75 and then the ACL commands) so this put them at a certain spot instead of the end of the ACL.

Question I have, I thought that he would have to do a write mem command after adding these so they would be in the running config, but he is telling me that he doesn't need to. Would that command need to be run?


John Blakley Wed, 03/18/2009 - 06:41

Numbered access lists won't let you insert lines, so you're using a named acl? I need to see the config of the SVIs on your switch. Can you post the output of both the interfaces for the vlans that you're trying to send data between?

Oh, and the changes are immediate. You don't have to write it to take effect.


John Blakley Wed, 03/18/2009 - 07:16

Try this:

Under ACL 108:

permit tcp eq 3389

Under ACL 101:

permit tcp eq 3389

John Blakley Wed, 03/18/2009 - 08:06

Are you using MS Remote Desktop client? I don't see any hits on the acl at all.


sonitadmin Wed, 03/18/2009 - 08:18

Yes, using RDP client in Windows. Tried it so far from server (Windows 2003) and from laptop (Windows Vista). Neither will connect. Vista machine when attached to network will connect via RDP just fine to client machine.

John Blakley Wed, 03/18/2009 - 08:27

What does the rest of your topology look like? Are you connected directly to this switch as well as the server connected directly to the switch? Is there a firewall in between you and the server? You should be seeing hits on the ACL. You *could* put at the top of your ACL "permit ip any any" and if that doesn't work, then something else is your problem (a device in between, another router, etc.).


sonitadmin Wed, 03/18/2009 - 08:30

If we put that permit ip any any in the ACL, would that need to be in both the VLAN8 and VLAN10 ACLs?

I'll post more on the topology shortly.

John Blakley Wed, 03/18/2009 - 08:32

I would test it like that for both sides. Instead of that try:

permit tcp any any eq 3389 log

at the top of your acl and see what your source and destination shows as in the log. I'm curious as to why you don't see any hits at all on your acl that you currently have now.

John Blakley Wed, 03/18/2009 - 09:01

"Show log" or if you telnet into the router, you can do:

term mon

Then you can try to connect and see if your traffic is being allowed or denied. If you have a lot of traffic going through that svi and you're allowing everything, then you'll get a lot of traffic across the screen that you'll have to filter through. If you don't want to do that, it will just log to the buffer of the switch.



sonitadmin Wed, 03/18/2009 - 09:27

I tried adding the ACL that you gave me and still nothing. Do I need to set up logging on the switch in order to see the hits on the ACL?

As far as a firewall between the server and PC, I don't think so. But I've attached the IP routes that are set up on the switch. Notice the last line. It has a static route to the PIX ( Does that mean that traffic from VLAN 10 to VLAN 8 is going through the PIX?

sonitadmin Wed, 03/18/2009 - 09:33

I was looking at the logs for the PIX. They are capturing all denied entries and I didn't see anything from the IP addresses that we are dealing with.

However, when I looked at the logging on the 3560 switch it shows the following lines:

list 108 permitted tcp ->, 1 packet

list 108 permitted tcp ->, 2 packets

So it looks like the RDP traffic is being passed through. However, do you know why it shows a different port number on the VLAN 10 side? Shouldn't that be 3389 as well?
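The two points John raised earlier (a line appended to a numbered ACL only takes effect if nothing above it matches first, and an ACL applied inbound on the VLAN 8 SVI has to be "switched" because it sees the return traffic) and the differing port in the log lines above can be checked with a small first-match model of IOS ACL evaluation. This is an added example, not code from the thread; the subnets, hosts and ephemeral port are constructed placeholders standing in for the poster's real addresses.

```python
# Added example: toy model of Cisco IOS first-match ACL evaluation.
# (1) A permit appended after an existing deny in ACL 108 is never reached.
# (2) Outbound on int vlan 8 the ACL sees the client's request (dst port 3389,
#     ephemeral source port); inbound it sees the server's reply, where 3389 is
#     the source port, so the line must be written with the host/port swapped.
# All addresses below are constructed placeholders, not the poster's networks.
import ipaddress
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional

Packet = namedtuple("Packet", "src dst sport dport")

@dataclass
class Ace:
    action: str                     # "permit" or "deny"
    src: str                        # CIDR network or "any"
    dst: str
    sport_eq: Optional[int] = None  # "eq N" qualifying the source
    dport_eq: Optional[int] = None  # "eq N" qualifying the destination

    def matches(self, p):
        def in_net(addr, net):
            return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net)
        return (in_net(p.src, self.src) and in_net(p.dst, self.dst)
                and (self.sport_eq is None or p.sport == self.sport_eq)
                and (self.dport_eq is None or p.dport == self.dport_eq))

def evaluate(acl, p):
    """First matching ACE wins; no match falls through to the implicit deny (index None)."""
    for i, ace in enumerate(acl):
        if ace.matches(p):
            return ace.action, i
    return "deny", None

VLAN10, VLAN8 = "10.10.0.0/24", "10.8.0.0/24"        # constructed subnets
CLIENT, RDP_HOST = "10.10.0.50", "10.8.0.20/32"      # constructed hosts
request = Packet(CLIENT, "10.8.0.20", 49152, 3389)   # client -> server: outbound on int vlan 8
reply = Packet("10.8.0.20", CLIENT, 3389, 49152)     # server -> client: inbound on int vlan 8

rdp_permit = Ace("permit", VLAN10, RDP_HOST, dport_eq=3389)
appended = [Ace("deny", VLAN10, VLAN8), rdp_permit]   # permit appended after an existing deny
reordered = [rdp_permit, Ace("deny", VLAN10, VLAN8)]  # same two lines, permit placed first

def outbound_results():
    # Appended permit is shadowed by the deny; placed first, the request is permitted.
    return evaluate(appended, request), evaluate(reordered, request)

def inbound_results():
    # The outbound-style line never matches the reply; the "switched" line does.
    switched = [Ace("permit", RDP_HOST, VLAN10, sport_eq=3389)]
    return evaluate([rdp_permit], reply), evaluate(switched, reply)
```

The log entry on the VLAN 10 side shows the client's ephemeral source port (49152 in the model) rather than 3389, which is expected for an RDP session.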

John Blakley Wed, 03/18/2009 - 09:40

Can you post your complete switch config? Do you have a topology? This is turning out more involved than it should've been :-)


John Blakley Wed, 03/18/2009 - 09:48

Yes, please remove anything public including passwords, addresses. You may want to leave the first octet so I'll know the address is public-ish:

99.x.x.x x.x.x.x


John Blakley Wed, 03/18/2009 - 10:02

My final suggestion would be to remove your acl from both svis and see if you can get across. If you can't, it has something to do with your pix. You can post the pix config if you want, but in reality it should be seeing the traffic between switchports and only involve the pix if traffic isn't local (although that depends on your topology).


sonitadmin Wed, 03/18/2009 - 10:04

Nothing in the switch config jumps out at you as being incorrect?

John Blakley Wed, 03/18/2009 - 10:13

Not blatantly, no. The pix svi is, and the default route is .253. What's .253?

John Blakley Wed, 03/18/2009 - 10:20

Please post the following from the pix:

route statements

access-group statements


Take out any public addresses.

sonitadmin Wed, 03/18/2009 - 10:34

I've attached the route statements. I don't see any access-group statements and I only see one access-list statement that I'm not even sure belongs in there.

access-list 108 permit ip

I see a lot of conduit permit statements.

John Blakley Wed, 03/18/2009 - 10:38

If you do a "show access-group", you should see something. Did you remove your acl from the svi and test it?

lamav Wed, 03/18/2009 - 10:41


Forget about RDP, can you even PING the device in vlan 8 from the device in vlan 10? Is it even reachable?

sonitadmin Wed, 03/18/2009 - 10:42

I am not in front of the switch or pix right now and have no access to it. I have another tech that is working with it.

We have not removed the ACL yet. I'll get the show access-group results shortly.

Thanks for all the help!

sonitadmin Wed, 03/18/2009 - 10:50

Yes, with my Vista laptop ip address I can ping the client PC at that I want to RDP to. Same result from server at

With my laptop connected to network I am able to RDP into machine. Just not from network.

sonitadmin Wed, 03/18/2009 - 10:59


The show access-group command brings back nothing. Show access-list brings back the ACL that I showed you earlier.

John Blakley Wed, 03/18/2009 - 11:02

The access-list isn't applied then. You may not be using access-lists if you're using conduits. The only other test that you can do is to remove the acl from both svis (have the other tech do it) and then see if you can get to it.

sonitadmin Wed, 03/18/2009 - 11:16

My guess is that when I remove both of those ACLs it's going to cause some issues, so I might not be able to test it during hours.

