
5900AF ACLs

Occasional Contributor


Hello Everyone!

I need to do the following 

I have 2 VLANs (VLAN 1 and VLAN 2) and I need RDP access bidirectional between 2 specific hosts of those 2 VLANs. VLAN 1 is routable, VLAN 2 is not.

I made the following configuration:

interface Vlan-interface1
ip address
packet-filter 3001 inbound

acl number 3001

rule 10 permit tcp source 0 destination 0 destination-port eq 3389
rule 50 deny ip any

With this configuration I have RDP access from 192.168.1.50 but not the opposite.

Respected Contributor

Re: 5900AF ACLs


The reverse will not work because you have only allowed destination port 3389, and when your client/server roles are reversed, the destination will be a different port, typically a random port (you can read more about how ports should be assigned in RFC 6335). The switch ACL is just looking at each single packet; it does not keep track of established connections.

In your case, when the destination port is not 3389 (which a random port should never be) inbound on vlan 1, the packet (the answer from the server) will be blocked. (see drawings) 


You don't have any nice solutions to this. But,

1: you could allow all ports. This would make it work.

2: Maybe you could force your RDP client to initiate on a specific (not random) port, and then allow that port as well.




Søren Dideriksen, Network Administrator
Region Midtjylland
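The following is an added example, not code from the thread or from HPE. It models the stateless per-packet evaluation the reply describes: the ACL from the first post is applied inbound on Vlan-interface1, one RDP session is started from the VLAN 1 host and one from the VLAN 2 host, and the request and reply packets of each are run through the filter. It goes slightly beyond the thread by also showing a third option, a reverse rule matching on source port 3389 (Comware `source-port eq 3389`). The VLAN 2 address 192.168.2.50, the ephemeral port 49152 and the fixed client port 50000 are assumptions; the original post only names 192.168.1.50.

```python
# Added example: a minimal model of a stateless packet filter, to show why
# the ACL from the post passes RDP in one direction and drops the replies
# of the other. Not Comware code; it only mimics first-match evaluation.
from dataclasses import dataclass
from typing import Optional

HOST_A = "192.168.1.50"   # VLAN 1 host, from the post
HOST_B = "192.168.2.50"   # VLAN 2 host (assumed address)
RDP = 3389
EPHEMERAL = 49152         # a "random" client port from the RFC 6335 dynamic range
FIXED_CLIENT_PORT = 50000 # option 2 of the reply: client pinned to one port (assumed value)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str = "ip"            # "ip" matches any protocol, like "deny ip any"
    sport: Optional[int] = None  # Comware "source-port eq N"
    dport: Optional[int] = None  # Comware "destination-port eq N"

    def matches(self, p: Packet) -> bool:
        # Each field is checked against this packet only; no session state.
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.sport is not None and self.sport != p.sport:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return True


def evaluate(acl, p: Packet) -> str:
    """First matching rule wins. Every ACL below ends in a deny-all rule,
    so the no-match fallthrough is never reached."""
    for rule in acl:
        if rule.matches(p):
            return rule.action
    return "deny"


def inbound_vlan1(p: Packet) -> bool:
    # Packets sourced in VLAN 1 arrive on Vlan-interface1, where the
    # packet-filter is applied inbound. VLAN 2 traffic is not filtered.
    return p.src.startswith("192.168.1.")


def forward(acl, p: Packet) -> str:
    return evaluate(acl, p) if inbound_vlan1(p) else "permit"


def rdp_session(acl, client: str, server: str, client_port: int = EPHEMERAL) -> dict:
    """Run the client's first packet and the server's reply through the filter.
    The reply swaps the addresses and ports, so its destination port is the
    client's (usually random) port, not 3389."""
    request = Packet(client, server, client_port, RDP)
    reply = Packet(server, client, RDP, client_port)
    return {"request": forward(acl, request), "reply": forward(acl, reply)}


# acl number 3001 exactly as posted
ORIGINAL_ACL = [
    Rule("permit", "tcp", dport=RDP),   # rule 10 permit tcp ... destination-port eq 3389
    Rule("deny"),                       # rule 50 deny ip any
]

# Option 2 from the reply: the VLAN 2 client always uses one known port,
# and that port is permitted as a destination as well.
FIXED_PORT_ACL = [
    Rule("permit", "tcp", dport=RDP),
    Rule("permit", "tcp", dport=FIXED_CLIENT_PORT),
    Rule("deny"),
]

# Third option (added here): permit replies by matching the server's source
# port, which is always 3389 no matter which random port the client chose.
SOURCE_PORT_ACL = [
    Rule("permit", "tcp", dport=RDP),
    Rule("permit", "tcp", sport=RDP),   # rule permit tcp source-port eq 3389
    Rule("deny"),
]

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_ACL), ("source-port", SOURCE_PORT_ACL)):
        print(name, "A->B:", rdp_session(acl, HOST_A, HOST_B))
        print(name, "B->A:", rdp_session(acl, HOST_B, HOST_A))
```

The original ACL passes the A->B session only because the reply enters on the unfiltered VLAN 2 side; for B->A the reply is a packet from 192.168.1.50 with source port 3389 and a random destination port, which rule 10 never matches and rule 50 drops. The source-port rule fixes that without pinning the client port, but with the usual caveat for stateless filters: it permits any packet from VLAN 1 whose source port is 3389, so a VLAN 1 host can reach any port on VLAN 2 simply by binding its own source port to 3389. Restrict that rule to the RDP server's address, or use the switch's TCP-flag matching if the platform offers it, if that matters in your environment.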