Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
612
Views
0
Helpful
16
Replies

Creating One-Way-Routing between to linked Networks

dk-one
Level 1
Level 1

‎11-13-2024 07:32 AM

Hello colleagues,

I am NOT a Cisco-certified specialist but rather focused more on IT forensics and regular client/server technologies.

I have created a link using a routed port between an SX350X and a CBS350. The CBS350 has the subnet 10.10.10.0/24, and the SX350X has the network 192.168.1.0/24. There are two VLANs: 1 (SX350X) and 10 (CBS350). I initially tried to connect both switches using their SVIs, but it didn’t work since only access ports for the respective VLANs are configured on each switch. Therefore, I created a routed port on both sides using the transit network 192.168.100.0 and defined a static route to the other network on each.

Now, I would like to enable routing in only one direction (10.10.10.0/24 => 192.168.1.0/24), but not the other way around. When I define access lists based on IPs, routing logically stops working in both directions. During my research, I found out that it can be accomplished using the ESTABLISHED state, meaning it should only work from the side that initiates the connection. I have been struggling with the correct syntax for the access list for the past three weeks. Can anyone assist me with this? I would be very, very grateful!

 

 
Labels:
0 Helpful
16 Replies 16

Joseph W. Doherty
Hall of Fame
Hall of Fame

‎11-13-2024 07:57 AM

Just a tad confusing when you write about limiting routing to just one direction.  Better, your description of wanting to have one side to only accept traffic if it's in reply to that side, correct?

The established option would be applied to an ingress ACL TCP ACE on the interface on the device you desire to protect.  As you only have two subnets, you could use them, or you might get by using ANY ANY.

Could you post what you've tried so far?

BTW, the established option only works with TCP, if the device supports reflexive ACLs, they can be FW like for other traffic.  Also, not positive, but I thought Cisco SMB devices also included some FW features too.

0 Helpful

Joseph W. Doherty
Hall of Fame
Hall of Fame
In response to Joseph W. Doherty

‎11-13-2024 10:33 AM

Sample config snippet from a Packet Tracer router. . .

interface GigabitEthernet0/0/0
 description Outward facing interface
 ip access-group SampleEstablished in
 !only TCP traffic, with established set, entering from the Outside will be accepted

ip access-list extended SampleEstablished
 permit tcp any any established
 !remember every ACL ends with an implict deny any any

!again, as mention in my prior reply, there are additonal methods to mimic being a FW
0 Helpful

Richard Burts
Hall of Fame
Hall of Fame
In response to Joseph W. Doherty

‎11-13-2024 12:12 PM

The OP has this objective " I would like to enable routing in only one direction" which essentially says they want one way traffic. But in IP networks there is very little that is one way traffic. For almost all traffic we send a message and there is some type of response. But if we have routing in only one direction the response can not be delivered.

Perhaps the OP can give us a bit more information about what they are trying to achieve? 

It is true that for TCP traffic we can use established in an ACL and permit traffic initiated from A to B to be forwarded and get a response but traffic from B to A will not. But TCP is the only protocol with this capability. 

HTH

Rick
0 Helpful

dk-one
Level 1
Level 1

‎11-13-2024 02:14 PM

I deeply regret that I am not very familiar with Cisco IOS. I will try to explain it again:

I want to establish a management segment with the range 10.10.10.0/24. The production network uses the range 192.168.1.0/24. The default VLAN is #1, and I cannot change that. The production network has an SX350X switch, and the management network has a CBS350-12XT. Routing from the management network to the production network should work (Veeam Backup from the management network to the production network). This means a Windows server with Veeam Backup installed, as well as several NAS devices, are in the management network. Veeam should access the Windows server VMs in the production network to perform backups. If the production network gets compromised, no access to the management network should be possible (e.g., ransomware).

On both switches, I have defined a transit zone (routed port, 192.168.0.2 on the SX350 and 192.168.0.1 on the CBS). These two IP addresses are the routers to the respective other network. This setup works fine. I spent days experimenting with SVIs before, but it didn’t work. Now, I want access to be possible only in one direction. I am open to any suggestions for alternative solutions because I lack experience with Cisco switching/routing.

I have attached the sanitized configs:

SX350X:

config-file-header
SX350X
v2.5.9.54 / RCBS3.1_930_871_120
CLI v1.0
file SSD indicator excluded
@
!
unit-type-control-start
unit-type unit 1 network te uplink none
unit-type unit 2 network te uplink none
unit-type unit 3 network te uplink none
unit-type unit 4 network te uplink none
unit-type-control-end
!
spanning-tree mode pvst
spanning-tree loopback-guard
port jumbo-frame
vlan database
vlan 99
exit
voice vlan state auto-triggered
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
loopback-detection enable
no ip arp proxy disable
ip dhcp relay enable
ip access-list extended "LAN to Management"
exit
hostname SX350X
line console
exec-timeout 0
exit
line ssh
exec-timeout 0
exit
management access-list All
permit
exit
logging file notifications
passwords aging 0

ip ssh server
ip ssh password-auth
ip ssh-client username SSH-User
!

ip http timeout-policy 0
clock timezone J 1
clock summer-time web recurring eu
no clock source sntp
clock source browser
sntp server de.pool.ntp.org poll
sntp server ptbtime1.ptb.de poll
ip domain name conex.local
ip name-server 192.168.1.50
ip domain polling-interval 8
cbd probe enable
!
interface vlan 1
name LAN
ip address 192.168.1.16 255.255.255.0
!
interface vlan 99
name dummy
!
interface TenGigabitEthernet1/0/1
loopback-detection enable
description "HypervisorOne - (VM's)"
!
interface TenGigabitEthernet1/0/2
loopback-detection enable
description "HypervisorTwo (VMs)"
!
interface TenGigabitEthernet1/0/3
loopback-detection enable
description "HypervisorThree (VMs)"
!
interface TenGigabitEthernet1/0/4
loopback-detection enable
description "Link zu CBS350 Port 10"
ip address 192.168.0.2 255.255.255.252
no switchport
switchport trunk allowed vlan 1,10
!
interface TenGigabitEthernet1/0/5
loopback-detection enable
description "Rackstation RS1219+"
!
interface TenGigabitEthernet1/0/6
loopback-detection enable
!
interface TenGigabitEthernet1/0/7
loopback-detection enable
description Diana
!
interface TenGigabitEthernet1/0/8
loopback-detection enable
description "Links zu SMC Port 19"
!
interface oob
shutdown
ip address 172.16.16.50 255.255.255.0
no ip address dhcp
!
exit
macro auto controlled
ip default-gateway 192.168.1.1
ip route 10.10.10.0 /24 192.168.0.1

 

 

CBS350

CBS350
v3.4.0.17 / RCBS3.4_950_377_325
CLI v1.0
file SSD indicator excluded
@
!
unit-type-control-start
unit-type unit 1 network te uplink none
unit-type unit 2 network te uplink none
unit-type unit 3 network te uplink none
unit-type unit 4 network te uplink none
unit-type-control-end
!
spanning-tree mode pvst
spanning-tree loopback-guard
port jumbo-frame
vlan database
vlan 10,99
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone
voice vlan oui-table add 00036b Cisco_phone
voice vlan oui-table add 00096e Avaya
voice vlan oui-table add 000fe2 H3C_Aolynk
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone
voice vlan oui-table add 00e075 Polycom/Veritel_phone
voice vlan oui-table add 00e0bb 3Com_phone
loopback-detection enable
arp timeout 60000
no ip arp proxy disable
bonjour interface range vlan 1
hostname CBS350
line console
exec-timeout 0
exit
line ssh
exec-timeout 0
exit

ip ssh server
ip ssh password-auth

ip http timeout-policy 0
clock timezone CEST 1
clock summer-time web recurring eu
clock source browser
sntp server 192.53.103.108 poll
sntp server de.pool.ntp.org poll
clock dhcp timezone
ip domain name conex.local
ip name-server 192.168.1.50 192.168.1.53 192.168.1.14 192.168.1.1
!
interface vlan 1
name LAN
no ip address dhcp
!
interface vlan 10
name Management
ip address 10.10.10.22 255.255.255.0
!
interface vlan 99
name dummy
!
interface TenGigabitEthernet1/0/1
loopback-detection enable
description HypervisorOne
switchport access vlan 10
switchport trunk native vlan 10
switchport trunk allowed vlan 10
!
interface TenGigabitEthernet1/0/2
loopback-detection enable
description "YClarity (HypervisorOne)"
switchport access vlan 10
switchport trunk allowed vlan 1,10
!
interface TenGigabitEthernet1/0/3
loopback-detection enable
description HypervisorTwo
switchport access vlan 10
switchport trunk native vlan 10
switchport trunk allowed vlan 10
!
interface TenGigabitEthernet1/0/4
loopback-detection enable
description "XClarity (HypervisorTwo)"
switchport access vlan 10
switchport trunk native vlan 10
switchport trunk allowed vlan none
!
interface TenGigabitEthernet1/0/5
loopback-detection enable
description HypervisorThree
switchport access vlan 10
!
interface TenGigabitEthernet1/0/6
loopback-detection enable
description "ZClarity (HypervisorThree)"
switchport access vlan 10
switchport trunk native vlan 10
!
interface TenGigabitEthernet1/0/7
loopback-detection enable
description Diana
switchport access vlan 10
!
interface TenGigabitEthernet1/0/8
loopback-detection enable
description Apollo
switchport access vlan 10
!
interface TenGigabitEthernet1/0/9
loopback-detection enable
description "Link zur Sophos Port 10"
switchport access vlan 10
!
interface TenGigabitEthernet1/0/10
loopback-detection enable
description "Link zu SX350X Port 4"
ip address 192.168.0.1 255.255.255.252
no switchport
switchport access vlan 10
switchport trunk allowed vlan 1,10
!
interface TenGigabitEthernet1/0/11
loopback-detection enable
description Notebook
switchport access vlan 10
switchport trunk native vlan 10
!
interface TenGigabitEthernet1/0/12
loopback-detection enable
switchport access vlan 10
!
interface oob
ip address dhcp
!
exit
macro auto processing type host enabled
macro auto processing type router enabled
ip default-gateway 10.10.10.1
ip route 192.168.1.0 /24 192.168.0.2

 

I'll try to show it.


CBS ==================> 192.168.0.1 <> 192.168.0.2 <=========================== SX350X
10.10.10.0/24                                                                                                                              192.168.0.1/24

On the CBS the routing port is interface TenGigabitEthernet1/0/10 and on the SX350X is interface TenGigabitEthernet1/0/4. 

I have tried many things for days and sometimes even locked myself out (we then had to access via the console). Unfortunately, I lack the knowledge to fully implement my idea.



0 Helpful

Joseph W. Doherty
Hall of Fame
Hall of Fame
In response to dk-one

‎11-13-2024 03:06 PM

You might start with using an ACL, as I showed earlier on the CBS350 t1/0/10 port, but just looking over the IOS CLI documentation, did NOT find the TCP established keyword option.  Possibly this is not supported on this switch in the CLI.

I was also just looking over the on-line CBS350 emulator, but it doesn't appear to provide a CLI mode, so I couldn't check the forgoing.

However, in the emulator's GUI, you can define a TCP ACE with TCP flag settings.  Basically, the established setting would accept TCP packets with ACK or RST set.

 

0 Helpful

dk-one
Level 1
Level 1
In response to Joseph W. Doherty

‎11-13-2024 03:29 PM

Thank you for your help, Joseph.

I'll try it and give you a feedback.

0 Helpful

dk-one
Level 1
Level 1
In response to Joseph W. Doherty

‎11-13-2024 03:43 PM

Unfortunately. Do I have chances to realize it in an other way?

image.png

0 Helpful

Joseph W. Doherty
Hall of Fame
Hall of Fame
In response to dk-one

‎11-13-2024 04:20 PM

Well, the next alternative would be to try to build or modify the ACL via the GUI (which the Cisco on-line CBS showed as being capable - I believe I may have noticed the emulator is running the prior IOS version).

If the CBS350 cannot support the needed ACL, we can see whether the SX35O does.  (Applying the ACL on it is less secure as that switch is hosting the at risk network.)

If neither SMB switch can do the job, you would need to consider different or additional hardware.  For instance an additional transit device between the switches, such as even as an inexpensive consumer grade FW.

0 Helpful

dk-one
Level 1
Level 1
In response to Joseph W. Doherty

‎11-13-2024 05:34 PM

I just tried it via CLI on the SX350X: unfortunately, it doesn't support it either. We should have bought higher-end switches. But now it's too late. I think I'll place a firewall between the connections.

Thank you for your help, Joseph

0 Helpful

dk-one
Level 1
Level 1
In response to Joseph W. Doherty

‎11-14-2024 02:16 AM

Joseph, I found this in the GUI of the CBS. Can I realize establish with these TCP settings?

 

image.png

0 Helpful

Joseph W. Doherty
Hall of Fame
Hall of Fame
In response to dk-one

‎11-14-2024 05:12 AM

Yes, I believe so.  That's exactly the part of the GUI I was alluding to!

You would define two entries, one that matches ACK and one that matches RST.  (You would match by selecting set option.  Everything else, don't care.)

Basically the established keyword would match either, in one entry, which possibly is why it's not supported.  Matching on two entries should provide the same result.

BTW, glad you asked.  I had thought to ask why you didn't want to pursue using the GUI, but assumed you just didn't.

It would be interesting to see how device renders this GUI feature in the CLI.

0 Helpful

dk-one
Level 1
Level 1
In response to Joseph W. Doherty

‎11-14-2024 06:01 AM

Wow! It works like a charm!

It's rendered to:

ip access-list extended SampleEstablished
permit tcp any any any any match-all +ack ace-priority 1
permit tcp any any any any match-all +rst ace-priority 2
permit icmp any any any any ace-priority 3
deny ip any any ace-priority 99

 

Is it reckless to allow ICMP (ping) in both directions, or is there no risk involved if TCP traffic from the 192.168.1.0/24 network is blocked

0 Helpful

Joseph W. Doherty
Hall of Fame
Hall of Fame
In response to dk-one

‎11-14-2024 06:29 AM

"Wow! It works like a charm!"

Yeah!!!

"Is it reckless to allow ICMP (ping) in both directions, or is there no risk involved if TCP traffic from the 192.168.1.0/24 network is blocked"

"Reckless" is a matter of degree; much depends on what must be allowed to meet your operational goals.  Don't forget, ICMP supports much more than ping.  (Also keep in mind what the acronym stands for.)

For example, if you wish your admin network hosts be able to ping out, not not the converse, you can restrict external ingress ICMP be limited to just ping replies.  You could further restrict what IPs are allowed to ping out and/or accept ping replies.

0 Helpful

dk-one
Level 1
Level 1
In response to Joseph W. Doherty

‎11-14-2024 07:26 AM

Joseph, could you please help me define this once again? Specifically, so that I only allow incoming responses to pings?

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card