ACL Query

Frank Dukes
Level 1

Folks,

Hope you guys can help with this.

We have 2 vlans, VLAN20 192.168.1.0/24 and VLAN21 192.168.2.0/24

On the 192.168.1.0/24 subnet we have an extended acl inbound.

There is no acl on VLAN21

I want to allow clients on VLAN21 to access a server 192.168.1.10 on VLAN20 on tcp port 7788.

This is what I have in the ACL:

access-list 121 permit tcp host 192.168.1.10 192.168.2.0 0.0.0.255 eq 7788 log


With the above applied, the connection fails.

If I change the ACL to "access-list 121 permit tcp host 192.168.1.10 192.168.2.0 0.0.0.255 gt 7000 log" it works.

The only thing I am noticing when I look in the log is that the source port from the client is 64534.

Is there any way to get this working without leaving the ACL as it is above, and tying it down a bit more?

Regards

2 Replies

Jon Marshall
Hall of Fame

If you want to apply it to the ACL on the VLAN 20 SVI it should be:

"access-list 121 permit tcp host 192.168.1.10 eq 7788 192.168.2.0 0.0.0.255 log"

because an ACL applied inbound is for traffic coming from devices in that VLAN, and the server is using that specific port whereas the client is using a random port.

Jon

Ganesh Hariharan
VIP Alumni

Hello Robert,

Agree with Jon's comment: the client end generates a random source port for the TCP handshake, but the destination port is where the application is running.

You can do it by applying the ACL inbound on VLAN 20, but normally my preference is to apply the ACL near the source, that is VLAN 21.

Hope it helps.

-GI
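Both replies come down to the same point: an ACL applied inbound on the VLAN 20 SVI is evaluated against the server's reply (source 192.168.1.10 port 7788, destination the client's random port), so a port operator only does what the poster wants when it follows the server's address. The Python evaluator below is an added illustration, not code from this thread or from Cisco. It parses the numbered extended ACE syntax used above, applies the wildcard-mask and port-operator rules the way IOS does (first match wins, implicit deny at the end), and runs the poster's original line, the gt 7000 workaround, Jon's corrected line and an inbound-on-VLAN-21 variant of Ganesh's suggestion against both directions of the flow. The client address 192.168.2.50 is a constructed sample, port 64534 is the value from the poster's log, and the VLAN 21 entry (number 122) is my own assumption of how that alternative would be written.

```python
"""Toy evaluator for Cisco IOS extended numbered ACL entries (added example, not IOS code)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


PORT_OPS = {"eq": 1, "neq": 1, "gt": 1, "lt": 1, "range": 2}  # operator -> argument count


def _addr_match(ip, base, wildcard):
    """Cisco wildcard mask: a 1 bit means 'don't care', a 0 bit must match."""
    ip_i = int(ipaddress.IPv4Address(ip))
    base_i = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return ((ip_i ^ base_i) & care) == 0


def _port_match(port, op, args):
    if op is None:
        return True  # no operator: any port matches
    if op == "eq":
        return port == args[0]
    if op == "neq":
        return port != args[0]
    if op == "gt":
        return port > args[0]
    if op == "lt":
        return port < args[0]
    return args[0] <= port <= args[1]  # range


def _parse_addr(tokens, i):
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2


def _parse_port(tokens, i):
    """A port operator is optional and binds to whichever address precedes it."""
    if i < len(tokens) and tokens[i] in PORT_OPS:
        n = PORT_OPS[tokens[i]]
        return (tokens[i], [int(t) for t in tokens[i + 1:i + 1 + n]]), i + 1 + n
    return (None, []), i


def parse_ace(line):
    """Parse 'access-list <n> permit|deny <proto> <src> [op] <dst> [op] [log]'."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError("not a numbered ACL entry: " + line)
    action, proto, i = t[2], t[3], 4
    src, i = _parse_addr(t, i)
    sport, i = _parse_port(t, i)
    dst, i = _parse_addr(t, i)
    dport, i = _parse_port(t, i)
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "log": "log" in t[i:]}


def ace_matches(ace, pkt):
    return ((ace["proto"] == "ip" or ace["proto"] == pkt.proto)
            and _addr_match(pkt.src_ip, *ace["src"])
            and _port_match(pkt.src_port, *ace["sport"])
            and _addr_match(pkt.dst_ip, *ace["dst"])
            and _port_match(pkt.dst_port, *ace["dport"]))


def evaluate(acl_lines, pkt):
    """First matching ACE wins; a packet matching nothing hits the implicit deny."""
    for line in acl_lines:
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace["action"]
    return "deny"


# The poster's original line, the gt 7000 workaround, and Jon's corrected line
ORIGINAL_ACE = "access-list 121 permit tcp host 192.168.1.10 192.168.2.0 0.0.0.255 eq 7788 log"
WORKAROUND_ACE = "access-list 121 permit tcp host 192.168.1.10 192.168.2.0 0.0.0.255 gt 7000 log"
CORRECTED_ACE = "access-list 121 permit tcp host 192.168.1.10 eq 7788 192.168.2.0 0.0.0.255 log"
# Assumed wording of Ganesh's alternative: filter inbound on the VLAN 21 SVI, where the request enters
VLAN21_INBOUND_ACE = "access-list 122 permit tcp 192.168.2.0 0.0.0.255 host 192.168.1.10 eq 7788 log"

# Constructed sample flow: client 192.168.2.50 is invented, port 64534 is from the poster's log
CLIENT_REQUEST = Packet("tcp", "192.168.2.50", 64534, "192.168.1.10", 7788)
SERVER_REPLY = Packet("tcp", "192.168.1.10", 7788, "192.168.2.50", 64534)


def compare():
    """Verdict of each ACE on the traffic its inbound SVI ACL actually sees."""
    return {
        "original_on_vlan20": evaluate([ORIGINAL_ACE], SERVER_REPLY),      # deny: 64534 != 7788
        "workaround_on_vlan20": evaluate([WORKAROUND_ACE], SERVER_REPLY),  # permit: 64534 > 7000
        "corrected_on_vlan20": evaluate([CORRECTED_ACE], SERVER_REPLY),    # permit: source port 7788
        "vlan21_inbound": evaluate([VLAN21_INBOUND_ACE], CLIENT_REQUEST),  # permit: dest port 7788
    }


if __name__ == "__main__":
    for name, verdict in compare().items():
        print(f"{name:22s} {verdict}")
```

The original entry fails because its `eq 7788` sits after the destination address, so it is compared against the client's ephemeral port 64534; `gt 7000` only "works" because ephemeral ports happen to be above 7000, which is far looser than intended. Moving `eq 7788` after the host address pins the server's side of the connection and permits nothing else from that VLAN, which is the tighter rule the poster asked for.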
