
Creating One-Way Routing between two linked Networks

Level 1

Hello colleagues,

I am NOT a Cisco-certified specialist but rather focused more on IT forensics and regular client/server technologies.

I have created a link using a routed port between an SX350X and a CBS350. The CBS350 has the subnet, and the SX350X has the network. There are two VLANs: 1 (SX350X) and 10 (CBS350). I initially tried to connect both switches using their SVIs, but it didn't work since only access ports for the respective VLANs are configured on each switch. Therefore, I created a routed port on both sides using the transit network and defined a static route to the other network on each.

Now, I would like to enable routing in only one direction ( =>, but not the other way around. When I define access lists based on IPs, routing logically stops working in both directions. During my research, I found out that it can be accomplished using the ESTABLISHED state, meaning it should only work from the side that initiates the connection. I have been struggling with the correct syntax for the access list for the past three weeks. Can anyone assist me with this? I would be very, very grateful!


16 Replies

Joseph W. Doherty
Hall of Fame

Just a tad confusing when you write about limiting routing to just one direction.  Better, your description of wanting one side to only accept traffic if it's in reply to that side, correct?

The established option would be applied to an ingress ACL TCP ACE on the interface on the device you desire to protect.  As you only have two subnets, you could use them, or you might get by using ANY ANY.

Could you post what you've tried so far?

BTW, the established option only works with TCP; if the device supports reflexive ACLs, they can be FW-like for other traffic.  Also, not positive, but I thought Cisco SMB devices also included some FW features too.

Sample config snippet from a Packet Tracer router...

interface GigabitEthernet0/0/0
 description Outward facing interface
 ip access-group SampleEstablished in
 !only TCP traffic, with established set, entering from the Outside will be accepted

ip access-list extended SampleEstablished
 permit tcp any any established
 !remember every ACL ends with an implicit deny any any

!again, as mentioned in my prior reply, there are additional methods to mimic being a FW

The OP has this objective " I would like to enable routing in only one direction" which essentially says they want one way traffic. But in IP networks there is very little that is one way traffic. For almost all traffic we send a message and there is some type of response. But if we have routing in only one direction the response cannot be delivered.

Perhaps the OP can give us a bit more information about what they are trying to achieve?

It is true that for TCP traffic we can use established in an ACL and permit traffic initiated from A to B to be forwarded and get a response but traffic from B to A will not. But TCP is the only protocol with this capability.



Level 1

I deeply regret that I am not very familiar with Cisco IOS. I will try to explain it again:

I want to establish a management segment with the range. The production network uses the range. The default VLAN is #1, and I cannot change that. The production network has an SX350X switch, and the management network has a CBS350-12XT. Routing from the management network to the production network should work (Veeam Backup from the management network to the production network). This means a Windows server with Veeam Backup installed, as well as several NAS devices, are in the management network. Veeam should access the Windows server VMs in the production network to perform backups. If the production network gets compromised, no access to the management network should be possible (e.g., ransomware).

On both switches, I have defined a transit zone (routed port, on the SX350 and on the CBS). These two IP addresses are the routers to the respective other network. This setup works fine. I spent days experimenting with SVIs before, but it didn’t work. Now, I want access to be possible only in one direction. I am open to any suggestions for alternative solutions because I lack experience with Cisco switching/routing.

I have attached the sanitized configs:


v2.5.9.54 / RCBS3.1_930_871_120
CLI v1.0
file SSD indicator excluded
unit-type unit 1 network te uplink none
unit-type unit 2 network te uplink none
unit-type unit 3 network te uplink none
unit-type unit 4 network te uplink none
spanning-tree mode pvst
spanning-tree loopback-guard
port jumbo-frame
vlan database
vlan 99
voice vlan state auto-triggered
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
loopback-detection enable
no ip arp proxy disable
ip dhcp relay enable
ip access-list extended "LAN to Management"
hostname SX350X
line console
exec-timeout 0
line ssh
exec-timeout 0
management access-list All
logging file notifications
passwords aging 0

ip ssh server
ip ssh password-auth
ip ssh-client username SSH-User

ip http timeout-policy 0
clock timezone J 1
clock summer-time web recurring eu
no clock source sntp
clock source browser
sntp server poll
sntp server poll
ip domain name conex.local
ip name-server
ip domain polling-interval 8
cbd probe enable
interface vlan 1
name LAN
ip address
interface vlan 99
name dummy
interface TenGigabitEthernet1/0/1
loopback-detection enable
description "HypervisorOne - (VM's)"
interface TenGigabitEthernet1/0/2
loopback-detection enable
description "HypervisorTwo (VMs)"
interface TenGigabitEthernet1/0/3
loopback-detection enable
description "HypervisorThree (VMs)"
interface TenGigabitEthernet1/0/4
loopback-detection enable
description "Link zu CBS350 Port 10"
ip address
no switchport
switchport trunk allowed vlan 1,10
interface TenGigabitEthernet1/0/5
loopback-detection enable
description "Rackstation RS1219+"
interface TenGigabitEthernet1/0/6
loopback-detection enable
interface TenGigabitEthernet1/0/7
loopback-detection enable
description Diana
interface TenGigabitEthernet1/0/8
loopback-detection enable
description "Links zu SMC Port 19"
interface oob
ip address
no ip address dhcp
macro auto controlled
ip default-gateway
ip route /24




v3.4.0.17 / RCBS3.4_950_377_325
CLI v1.0
file SSD indicator excluded
unit-type unit 1 network te uplink none
unit-type unit 2 network te uplink none
unit-type unit 3 network te uplink none
unit-type unit 4 network te uplink none
spanning-tree mode pvst
spanning-tree loopback-guard
port jumbo-frame
vlan database
vlan 10,99
voice vlan oui-table add 0001e3 Siemens_AG_phone
voice vlan oui-table add 00036b Cisco_phone
voice vlan oui-table add 00096e Avaya
voice vlan oui-table add 000fe2 H3C_Aolynk
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone
voice vlan oui-table add 00e075 Polycom/Veritel_phone
voice vlan oui-table add 00e0bb 3Com_phone
loopback-detection enable
arp timeout 60000
no ip arp proxy disable
bonjour interface range vlan 1
hostname CBS350
line console
exec-timeout 0
line ssh
exec-timeout 0

ip ssh server
ip ssh password-auth

ip http timeout-policy 0
clock timezone CEST 1
clock summer-time web recurring eu
clock source browser
sntp server poll
sntp server poll
clock dhcp timezone
ip domain name conex.local
ip name-server
interface vlan 1
name LAN
no ip address dhcp
interface vlan 10
name Management
ip address
interface vlan 99
name dummy
interface TenGigabitEthernet1/0/1
loopback-detection enable
description HypervisorOne
switchport access vlan 10
switchport trunk native vlan 10
switchport trunk allowed vlan 10
interface TenGigabitEthernet1/0/2
loopback-detection enable
description "YClarity (HypervisorOne)"
switchport access vlan 10
switchport trunk allowed vlan 1,10
interface TenGigabitEthernet1/0/3
loopback-detection enable
description HypervisorTwo
switchport access vlan 10
switchport trunk native vlan 10
switchport trunk allowed vlan 10
interface TenGigabitEthernet1/0/4
loopback-detection enable
description "XClarity (HypervisorTwo)"
switchport access vlan 10
switchport trunk native vlan 10
switchport trunk allowed vlan none
interface TenGigabitEthernet1/0/5
loopback-detection enable
description HypervisorThree
switchport access vlan 10
interface TenGigabitEthernet1/0/6
loopback-detection enable
description "ZClarity (HypervisorThree)"
switchport access vlan 10
switchport trunk native vlan 10
interface TenGigabitEthernet1/0/7
loopback-detection enable
description Diana
switchport access vlan 10
interface TenGigabitEthernet1/0/8
loopback-detection enable
description Apollo
switchport access vlan 10
interface TenGigabitEthernet1/0/9
loopback-detection enable
description "Link zur Sophos Port 10"
switchport access vlan 10
interface TenGigabitEthernet1/0/10
loopback-detection enable
description "Link zu SX350X Port 4"
ip address
no switchport
switchport access vlan 10
switchport trunk allowed vlan 1,10
interface TenGigabitEthernet1/0/11
loopback-detection enable
description Notebook
switchport access vlan 10
switchport trunk native vlan 10
interface TenGigabitEthernet1/0/12
loopback-detection enable
switchport access vlan 10
interface oob
ip address dhcp
macro auto processing type host enabled
macro auto processing type router enabled
ip default-gateway
ip route /24


I'll try to show it.

CBS ==================> <> <=========================== SX350X

On the CBS the routing port is interface TenGigabitEthernet1/0/10 and on the SX350X it is interface TenGigabitEthernet1/0/4.

I have tried many things for days and sometimes even locked myself out (we then had to access via the console). Unfortunately, I lack the knowledge to fully implement my idea.

You might start with using an ACL, as I showed earlier on the CBS350 t1/0/10 port, but just looking over the IOS CLI documentation, did NOT find the TCP established keyword option.  Possibly this is not supported on this switch in the CLI.

I was also just looking over the on-line CBS350 emulator, but it doesn't appear to provide a CLI mode, so I couldn't check the foregoing.

However, in the emulator's GUI, you can define a TCP ACE with TCP flag settings.  Basically, the established setting would accept TCP packets with ACK or RST set.


Thank you for your help, Joseph.

I'll try it and give you feedback.

Unfortunately. Do I have any chance of realizing it in another way?


Well, the next alternative would be to try to build or modify the ACL via the GUI (which the Cisco on-line CBS showed as being capable - I believe I may have noticed the emulator is running the prior IOS version).

If the CBS350 cannot support the needed ACL, we can see whether the SX350 does.  (Applying the ACL on it is less secure as that switch is hosting the at-risk network.)

If neither SMB switch can do the job, you would need to consider different or additional hardware.  For instance an additional transit device between the switches, such as even an inexpensive consumer grade FW.

I just tried it via CLI on the SX350X: unfortunately, it doesn't support it either. We should have bought higher-end switches. But now it's too late. I think I'll place a firewall between the connections.

Thank you for your help, Joseph

Joseph, I found this in the GUI of the CBS. Can I realize establish with these TCP settings?



Yes, I believe so.  That's exactly the part of the GUI I was alluding to!

You would define two entries, one that matches ACK and one that matches RST.  (You would match by selecting set option.  Everything else, don't care.)

Basically the established keyword would match either, in one entry, which possibly is why it's not supported.  Matching on two entries should provide the same result.

BTW, glad you asked.  I had thought to ask why you didn't want to pursue using the GUI, but assumed you just didn't.

It would be interesting to see how the device renders this GUI feature in the CLI.

Wow! It works like a charm!

It's rendered to:

ip access-list extended SampleEstablished
permit tcp any any any any match-all +ack ace-priority 1
permit tcp any any any any match-all +rst ace-priority 2
permit icmp any any any any ace-priority 3
deny ip any any ace-priority 99


Is it reckless to allow ICMP (ping) in both directions, or is there no risk involved if TCP traffic from the network is blocked?

"Wow! It works like a charm!"


"Is it reckless to allow ICMP (ping) in both directions, or is there no risk involved if TCP traffic from the network is blocked?"

"Reckless" is a matter of degree; much depends on what must be allowed to meet your operational goals.  Don't forget, ICMP supports much more than ping.  (Also keep in mind what the acronym stands for.)

For example, if you wish your admin network hosts to be able to ping out, but not the converse, you can restrict external ingress ICMP to just ping replies.  You could further restrict what IPs are allowed to ping out and/or accept ping replies.

Joseph, could you please help me define this once again? Specifically, so that I only allow incoming responses to pings?
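Added illustration (not code from this thread, from Cisco, or from either poster): the Python below models how the CBS350 ingress ACL rendered above decides on packets arriving from the production network, using the same first-match, ace-priority-ordered rule the thread's ACE lines express. It also carries the tightened variant Joseph describes, where only ICMP echo replies are allowed in, and shows the difference for an inbound echo request. Assumptions: the ACE parser, the sample packets and the `echo-reply` keyword in the icmp-type position of the CBS ACE syntax are mine, not taken from the thread.

```python
# Model of a CBS350-style ingress ACL applied on the routed port facing production.
# Constructed example; it reproduces only the first-match semantics of the ACE lines.
from dataclasses import dataclass

# ACL as the thread reports the GUI rendered it: ACK-or-RST ("established") plus all ICMP.
ESTABLISHED_ACL = [
    "permit tcp any any any any match-all +ack ace-priority 1",
    "permit tcp any any any any match-all +rst ace-priority 2",
    "permit icmp any any any any ace-priority 3",
    "deny ip any any ace-priority 99",
]

# Tightened variant for the last question: only ICMP echo replies may enter from production.
# Assumption: "echo-reply" is accepted in the icmp-type position (src dst icmp-type icmp-code).
ECHO_REPLY_ONLY_ACL = [
    "permit tcp any any any any match-all +ack ace-priority 1",
    "permit tcp any any any any match-all +rst ace-priority 2",
    "permit icmp any any echo-reply any ace-priority 3",
    "deny ip any any ace-priority 99",
]


@dataclass
class Packet:
    proto: str                          # "tcp", "udp" or "icmp"
    tcp_flags: frozenset = frozenset()  # e.g. {"syn"} or {"syn", "ack"}
    icmp_type: str = ""                 # "echo-request", "echo-reply", ...


@dataclass
class Ace:
    action: str
    proto: str
    priority: int
    required_flags: frozenset = frozenset()  # TCP flags that must all be set (+flag)
    icmp_type: str = "any"                   # "any" or a named ICMP type
    text: str = ""


def parse_ace(line: str) -> Ace:
    """Parse one rendered CBS-style ACE line into a matchable rule."""
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    priority = int(tokens[tokens.index("ace-priority") + 1])
    flags = set()
    icmp_type = "any"
    if proto == "tcp" and "match-all" in tokens:
        # match-all is followed by +flag (set) / -flag (clear) tokens
        i = tokens.index("match-all") + 1
        while i < len(tokens) and tokens[i][0] in "+-":
            if tokens[i][0] == "+":
                flags.add(tokens[i][1:])
            i += 1
    elif proto == "icmp":
        icmp_type = tokens[4]  # positions: src dst icmp-type icmp-code
    return Ace(action, proto, priority, frozenset(flags), icmp_type, line)


def matches(ace: Ace, pkt: Packet) -> bool:
    """Stateless match: protocol, then required TCP flag bits or ICMP type."""
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ace.proto == "tcp" and not ace.required_flags <= pkt.tcp_flags:
        return False
    if ace.proto == "icmp" and ace.icmp_type not in ("any", pkt.icmp_type):
        return False
    return True


def ingress_allowed(acl_lines, pkt: Packet):
    """First matching ACE in ace-priority order decides; an empty ACL is an implicit deny."""
    for ace in sorted(map(parse_ace, acl_lines), key=lambda a: a.priority):
        if matches(ace, pkt):
            return ace.action == "permit", ace.text
    return False, "implicit deny"


def evaluate_scenarios(acl_lines):
    """Constructed packets arriving on the CBS350 routed port from production."""
    samples = {
        "tcp_syn_new_connection": Packet("tcp", frozenset({"syn"})),
        "tcp_syn_ack_reply_to_veeam": Packet("tcp", frozenset({"syn", "ack"})),
        "tcp_rst": Packet("tcp", frozenset({"rst"})),
        "udp_any": Packet("udp"),
        "icmp_echo_request": Packet("icmp", icmp_type="echo-request"),
        "icmp_echo_reply": Packet("icmp", icmp_type="echo-reply"),
    }
    return {name: ingress_allowed(acl_lines, p)[0] for name, p in samples.items()}


if __name__ == "__main__":
    for label, acl in (("as rendered", ESTABLISHED_ACL), ("echo-reply only", ECHO_REPLY_ONLY_ACL)):
        print(label, evaluate_scenarios(acl))
```

Running it shows why the rendered ACL already blocks a fresh TCP connection from production (no ACK or RST set) while letting the replies to Veeam's backup sessions through, and that the tightened version additionally drops inbound echo requests while still passing the echo replies to pings started from the management side. The match is stateless, keyed on flag bits alone, which is the limitation Joseph's earlier remark about reflexive ACLs and a real firewall refers to.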
