private Vlan config

rhussaini · ‎07-26-2006

I have a question regarding private Vlan config. I have a DMZ switch where I need to be able for a particuilar server to communicate to the reset of the servers on port 8686 and deny the rest of the communications between them. I have this server on a poremiscuios mode and the other servers on isolated ports.For security reason how can apply this access list? on which vlan? I am running IOS on the switch connecting these servers. Thanks for your help

gpulos · ‎07-26-2006

an access-list config could look as follows:

access-list 101 permit tcp host x.x.x.x 255.255.255.255 eq 8686 y.y.y.y ys.ys.ys.ys

access-list 101 permit tcp y.y.y.y ys.ys.ys.ys host x.x.x.x 255.255.255.255 eq 8686

apply the access-list to the proper vlan/interface and test.

without knowing your vlans or ip addressing, we will not be able to elaborate on the exact syntax of the access-list or what vlan(s) to apply it too.

let us know if you can and we can help further.

rhussaini · ‎07-27-2006

the port is that the server(10.3.1.50. 255.255.0.0) that need to talk to all server is attached to:

interface GigabitEthernet1/0/18

description DZ1WEBSD001

switchport private-vlan host-association 50 51

switchport mode private-vlan promiscuous

speed 100

duplex full

no mdix auto

The subnet is 10.3.1.0 255.255.0.0

Basically the 10.3.1.50 need to talk to all servers on this subnet on port 8686 and deny evrything else

Thanks