06-22-2006 09:32 AM - edited 03-03-2019 03:46 AM
I have the next vlan configuration:
interface Vlan1
ip address 172.23.8.1 255.255.252.0
no ip unreachables
no ip directed-broadcast
interface Vlan5
ip address 172.23.60.1 255.255.255.0
no ip unreachables
no ip directed-broadcast
In Vlan 1 I have the server 172.23.11.24, and I need the PLC IP addresses 172.23.60.1-15 (Vlan 5) to communicate only with the server 172.23.11.24 (Vlan 1), and only on specific TCP and UDP ports.
The server 172.23.11.24 should be connected with the rest of the network and with the TCP and UDP ports that are required to communicate with 172.23.60.1-5.
Attached is the list of TCP/UDP ports and protocols of the applications that run on the server and the ones that the PLC handles. This information was supplied by Rockwell.
The 1788-ENBT board is the PLC we are using, and the rest are applications that run on the server, except the 17xx, which are PLC models.
I am going to configure the following access list. Is this correct?
interface Vlan5
ip address 172.23.60.1 255.255.255.0
ip access-group Control_Plc_Sub_electricas in
no ip unreachables
no ip directed-broadcast
ip access-list extended Control_Plc_Sub_electricas
permit tcp 172.23.60.0 0.0.0.15 host 172.23.11.24 eq 44818
permit udp 172.23.60.0 0.0.0.15 host 172.23.11.24 eq 44818
permit tcp host 172.23.11.24 172.23.60.0 0.0.0.15 eq 44818
permit udp host 172.23.11.24 172.23.60.0 0.0.0.15 eq 44818
permit udp host 172.23.11.24 172.23.60.0 0.0.0.15 eq 2222
permit tcp 172.23.60.0 0.0.0.15 host 172.23.11.24 eq 27000
permit tcp 172.23.60.0 0.0.0.15 host 172.23.11.24 eq 1234
permit tcp 172.23.60.0 0.0.0.15 host 172.23.11.24 eq 1330
permit tcp 172.23.60.0 0.0.0.15 host 172.23.11.24 eq 1331
permit tcp 172.23.60.0 0.0.0.15 host 172.23.11.24 eq 1332
permit tcp 172.23.60.0 0.0.0.15 host 172.23.11.24 eq 3060
permit tcp 172.23.60.0 0.0.0.15 host 172.23.11.24 eq 6543
permit tcp 172.23.60.0 0.0.0.15 host 172.23.11.24 eq 7600
permit tcp 172.23.60.0 0.0.0.15 host 172.23.11.24 eq 7700
permit tcp 172.23.60.0 0.0.0.15 host 172.23.11.24 eq 7710
permit tcp 172.23.60.0 0.0.0.15 host 172.23.11.24 eq 7720
permit tcp 172.23.60.0 0.0.0.15 host 172.23.11.24 eq 7721
permit tcp 172.23.60.0 0.0.0.15 host 172.23.11.24 eq 7722
permit tcp 172.23.60.0 0.0.0.15 host 172.23.11.24 eq 7723
permit tcp 172.23.60.0 0.0.0.15 host 172.23.11.24 eq 135
06-23-2006 12:35 AM
Hello,
When checking your access list, it seems to me that the access-list is used as "in" for VLAN 5, i.e. "in" towards the VLAN.
I understand this to be traffic from the PLCs towards the switch.
Therefore the lines starting with "permit tcp/udp host 172.23.11.24" seem unnecessary, as no such traffic will enter the switch via vlan 5 (unless vlan 5 is also defined on a trunk towards some other switch behind which the server is situated).
If you want to control outgoing traffic also, a separate access-list is needed.
You can apply this list in the outgoing direction on Vlan 5, or, alternately, develop an access list for the incoming vlan where the server is situated.
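To make the direction point concrete, here is an added example (not from either post): a small Python simulator that parses the question's ACL (only the `permit <proto> <src> <dst> eq <port>` form it uses), evaluates flows first-match-wins with the implicit deny, and lists entries whose source address can never arrive inbound on Vlan 5. It assumes, as the reply does, that no trunk carries the server's subnet into Vlan 5, and that wildcard masks are contiguous.

```python
import ipaddress

# Constructed copy of the question's ACL (a subset of its entries is enough to show the point).
ACL_TEXT = """
permit tcp 172.23.60.0 0.0.0.15 host 172.23.11.24 eq 44818
permit udp 172.23.60.0 0.0.0.15 host 172.23.11.24 eq 44818
permit tcp host 172.23.11.24 172.23.60.0 0.0.0.15 eq 44818
permit udp host 172.23.11.24 172.23.60.0 0.0.0.15 eq 44818
permit udp host 172.23.11.24 172.23.60.0 0.0.0.15 eq 2222
permit tcp 172.23.60.0 0.0.0.15 host 172.23.11.24 eq 27000
permit tcp 172.23.60.0 0.0.0.15 host 172.23.11.24 eq 135
"""
# Subnet of the SVI the list is applied 'in' on (from 'interface Vlan5' in the question).
VLAN5 = ipaddress.ip_network("172.23.60.0/24")

def _addr(tokens):
    """Consume one IOS address spec ('host A' or 'A wildcard'); return (network, remaining tokens).
    Assumes a contiguous wildcard such as 0.0.0.15, which maps to a /28."""
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    prefix = 32 - int(ipaddress.ip_address(tokens[1])).bit_length()
    return ipaddress.ip_network(f"{tokens[0]}/{prefix}", strict=False), tokens[2:]

def parse_ace(line):
    """Parse 'permit|deny <proto> <src> <dst> [eq <port>]' into a dict."""
    tokens = line.split()
    src, rest = _addr(tokens[2:])
    dst, rest = _addr(rest)
    dport = int(rest[1]) if rest[:1] == ["eq"] else None
    return {"action": tokens[0], "proto": tokens[1], "src": src, "dst": dst, "dport": dport}

ACL = [parse_ace(l) for l in ACL_TEXT.strip().splitlines()]

def lookup(proto, src, dst, dport, acl=ACL):
    """First-match-wins evaluation; (-1, 'deny') is the implicit deny at the end of the list."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, ace in enumerate(acl):
        if (ace["proto"] == proto and s in ace["src"] and d in ace["dst"]
                and ace["dport"] in (None, dport)):
            return i, ace["action"]
    return -1, "deny"

def unreachable_inbound(acl=ACL, vlan=VLAN5):
    """Indexes of entries whose source can never enter this SVI inbound, i.e. source
    addresses outside the VLAN's own subnet (assumes no trunk carries other subnets into it)."""
    return [i for i, ace in enumerate(acl) if not ace["src"].overlaps(vlan)]
```

Running `unreachable_inbound()` returns the indexes of the three server-sourced entries, and `lookup("udp", "172.23.60.5", "172.23.11.24", 2222)` falls through to the implicit deny, since the only udp/2222 entry is written with the server as source.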