cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
339
Views
0
Helpful
1
Replies

Is correct the next access list?

peguayapero
Level 1
Level 1

I have the next vlan configuration:

interface Vlan1

ip address 172.23.8.1 255.255.252.0

no ip unreachables

no ip directed-broadcast

interface Vlan5

ip address 172.23.60.1 255.255.255.0

no ip unreachables

no ip directed-broadcast

In the Vlan 1 I Have the Server 172.23.11.24 and I need that the Ip address of the PLC 172.23.60.1-15 (VLan 5) communicate with the Server 172.23.11.24 (Vlan 1) only and with the ports TCP and UPD specific.

The SERVER 172.23.11.24 should be connected with the remainder of the network and with the Ports TCP and UDP that be required to have communication 172.23.60.1-5

In Attachment are the listing of ports and protoclos TCP / UDP of the Applications that run in the SERVER and the ones that handles the PLC. This information was supplied by Rockwell

In the Board 1788-ENBT is the PLC that are utilizing and the Remainder are applications that run in the Servant, except 17xx that are models of PLc.

I am going to configure the following list of access, ?This correct one?

interface Vlan5

ip address 172.23.60.1 255.255.255.0

ip access-group Control_Plc_Sub_electricas in

no ip unreachables

no ip directed-broadcast

ip access-list extended Control_Plc_Sub_electricas

permit tcp 172.23.60.0 0.0.0.15 host 172.23.11.24 eq 44818

permit udp 172.23.60.0 0.0.0.15 host 172.23.11.24 eq 44818

permit tcp host 172.23.11.24 172.23.60.0 0.0.0.15 eq 44818

permit udp host 172.23.11.24 172.23.60.0 0.0.0.15 eq 44818

permit udp host 172.23.11.24 172.23.60.0 0.0.0.15 eq 2222

permit tcp 172.23.60.0 0.0.0.15 host 172.23.11.24 eq 27000

permit tcp 172.23.60.0 0.0.0.15 host 172.23.11.24 eq 1234

permit tcp 172.23.60.0 0.0.0.15 host 172.23.11.24 eq 1330

permit tcp 172.23.60.0 0.0.0.15 host 172.23.11.24 eq 1331

permit tcp 172.23.60.0 0.0.0.15 host 172.23.11.24 eq 1332

permit tcp 172.23.60.0 0.0.0.15 host 172.23.11.24 eq 3060

permit tcp 172.23.60.0 0.0.0.15 host 172.23.11.24 eq 6543

permit tcp 172.23.60.0 0.0.0.15 host 172.23.11.24 eq 7600

permit tcp 172.23.60.0 0.0.0.15 host 172.23.11.24 eq 7700

permit tcp 172.23.60.0 0.0.0.15 host 172.23.11.24 eq 7710

permit tcp 172.23.60.0 0.0.0.15 host 172.23.11.24 eq 7720

permit tcp 172.23.60.0 0.0.0.15 host 172.23.11.24 eq 7721

permit tcp 172.23.60.0 0.0.0.15 host 172.23.11.24 eq 7722

permit tcp 172.23.60.0 0.0.0.15 host 172.23.11.24 eq 7723

permit tcp 172.23.60.0 0.0.0.15 host 172.23.11.24 eq 135

1 Reply 1

p.devalck
Level 1
Level 1

Hello,

When checking your access list, it seems to me that the access-list is used as "in" for VLAN 5, i.e. "in" towards the VLAN.

I understand this to be traffic from the PLCs towards the switch.

Therefore the lines starting with "permit tcp/udp host 172.23.11.24" seem unnecessary, as no such traffic will enter the switch via vlan 5 (unless vlan 5 is also defined on a trunk towards some other switch behind which the server is situated.

If you want to control outgoing traffic also, a separate access-list is needed.

You can apply this list in the outgoing direction on Vlan 5, or, alternately, develop an access list for the incoming vlan where the server is situated.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: