Cisco Support Community

New Member

Is the following access list correct?

I have the following VLAN configuration:

interface Vlan1
 ip address
 no ip unreachables
 no ip directed-broadcast
interface Vlan5
 ip address
 no ip unreachables
 no ip directed-broadcast

In VLAN 1 I have the server, and I need the IP address of the PLC (VLAN 5) to communicate only with the server (VLAN 1), and only on specific TCP and UDP ports.

The server should be connected with the rest of the network, on the TCP and UDP ports required for communication.

Attached is the list of TCP/UDP ports and protocols of the applications that run on the server and the ones handled by the PLC. This information was supplied by Rockwell.

The 1788-ENBT board is the PLC we are using, and the rest are applications that run on the server, except the 17xx entries, which are PLC models.

I am going to configure the following access list. Is this correct?

interface Vlan5
 ip address
 ip access-group Control_Plc_Sub_electricas in
 no ip unreachables
 no ip directed-broadcast

ip access-list extended Control_Plc_Sub_electricas
 permit tcp host eq 44818
 permit udp host eq 44818
 permit tcp host eq 44818
 permit udp host eq 44818
 permit udp host eq 2222
 permit tcp host eq 27000
 permit tcp host eq 1234
 permit tcp host eq 1330
 permit tcp host eq 1331
 permit tcp host eq 1332
 permit tcp host eq 3060
 permit tcp host eq 6543
 permit tcp host eq 7600
 permit tcp host eq 7700
 permit tcp host eq 7710
 permit tcp host eq 7720
 permit tcp host eq 7721
 permit tcp host eq 7722
 permit tcp host eq 7723
 permit tcp host eq 135

New Member

Re: Is the following access list correct?

Looking at your access list, it seems to me that it is applied "in" on VLAN 5, i.e. "in" towards the VLAN.

I understand this to be traffic from the PLCs towards the switch.

Therefore the lines starting with "permit tcp/udp host" seem unnecessary, as no such traffic will enter the switch via VLAN 5 (unless VLAN 5 is also defined on a trunk towards some other switch behind which the server is situated).

If you want to control outgoing traffic as well, a separate access list is needed.

You can apply this list in the outgoing direction on VLAN 5, or, alternatively, develop an access list for the incoming direction on the VLAN where the server is situated.
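To make the direction point above concrete, here is an added configuration sketch that is not from the thread: the addresses 10.5.0.20 (PLC) and 10.1.0.10 (server) are placeholders, and it assumes the PLC serves TCP/UDP 44818 and UDP 2222 while the remaining listed ports belong to server applications. One list filters what the PLC sends (inbound on Vlan5) and a separate list filters what may reach the PLC (outbound on Vlan5).

```cisco
! Added example, not the poster's configuration.
! Placeholder addresses: 10.5.0.20 = PLC (VLAN 5), 10.1.0.10 = server (VLAN 1).
!
! "in" on an SVI matches packets the switch receives FROM hosts on that VLAN,
! so this list only ever sees packets whose source is the PLC.
ip access-list extended PLC_TO_SERVER
 remark PLC-initiated sessions to the server (assumed ports: TCP/UDP 44818, UDP 2222)
 permit tcp host 10.5.0.20 host 10.1.0.10 eq 44818
 permit udp host 10.5.0.20 host 10.1.0.10 eq 44818
 permit udp host 10.5.0.20 host 10.1.0.10 eq 2222
 remark replies to server-initiated TCP sessions carry the PLC service port as source;
 remark "established" matches only TCP segments with ACK or RST set
 permit tcp host 10.5.0.20 eq 44818 host 10.1.0.10 established
 remark UDP has no "established": reply traffic must be permitted by port explicitly
 permit udp host 10.5.0.20 eq 44818 host 10.1.0.10
 permit udp host 10.5.0.20 eq 2222 host 10.1.0.10
 remark everything else from the PLC, including to other VLANs, is dropped;
 remark "log" punts matches to the CPU on hardware-switched platforms, use sparingly
 deny ip any any log
!
! "out" on Vlan5 matches packets the switch forwards TO hosts on VLAN 5,
! whatever VLAN they arrived from, so server -> PLC traffic and any other
! host trying to reach the PLC are filtered here.
ip access-list extended TO_PLC
 remark server-initiated sessions to the PLC
 permit tcp host 10.1.0.10 host 10.5.0.20 eq 44818
 permit udp host 10.1.0.10 host 10.5.0.20 eq 44818
 permit udp host 10.1.0.10 host 10.5.0.20 eq 2222
 remark server replies to PLC-initiated sessions
 permit tcp host 10.1.0.10 host 10.5.0.20 established
 permit udp host 10.1.0.10 eq 44818 host 10.5.0.20
 permit udp host 10.1.0.10 eq 2222 host 10.5.0.20
 deny ip any any log
!
interface Vlan5
 ip access-group PLC_TO_SERVER in
 ip access-group TO_PLC out
```

The server's traffic to the rest of the network is untouched because neither list is applied on Vlan1; only packets entering from, or leaving towards, VLAN 5 are evaluated.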