06-19-2022 09:39 AM
Hi! I'm trying to create some ACLs without success so far.
I have 2 VLANs, a server VLAN (101) and a clients VLAN (100).
I want the hosts in the clients VLAN to access the HTTP /HTTPS services on the servers of server VLAN. There must be a flaw in my logic...
So I have created an ACL on the servers' VLAN (101):
ip access-list extended "Servers"
permit tcp 192.168.100.0 0.0.0.255 any 192.168.101.0 0.0.0.255 80 ace-priority 9 log-input
permit tcp 192.168.100.0 0.0.0.255 any 192.168.101.0 0.0.0.255 443 ace-priority 10 log-input
exit
And I have bound the ACL to the server VLAN (default action in the GUI is "deny"):
interface vlan 101
name "Servers"
ip address 192.168.101.1 255.255.255.0
ip dhcp relay enable
service-acl input "Servers"
Any ideas?
Thank you
06-24-2022 02:36 PM
I own a pair of CBS350s, but I believe CBS250s work in a very similar way. Based on my somewhat limited experience with ACL, I think that in addition to ACEs permitting HTTP/HTTPS requests you also need ACEs permitting replies to them. Try adding two more ACEs like this.
permit tcp 192.168.101.0 0.0.0.255 80 192.168.100.0 0.0.0.255 any ace-priority 11 log-input
permit tcp 192.168.101.0 0.0.0.255 443 192.168.100.0 0.0.0.255 any ace-priority 12 log-input
Unlike firewall rules, ACEs are not stateful. Well, at least not on these switches. “service-acl” just means that an access list is applied on a SVI.
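To make the stateless point above concrete, here is a small added example (mine, not code from the thread or from Cisco) that models the CBS ACL as a stateless first-match list in ace-priority order with an implicit deny at the end, parses the ACEs quoted in this thread, and evaluates a constructed client HTTPS request and the server's reply against the original two ACEs and against the set with the two reply ACEs added. The ACE parser, the packet dictionaries and the port-name table are assumptions modelled on the syntax shown in the posts.

```python
import ipaddress

PORT_NAMES = {"domain": 53}  # assumed subset of the switch's port keywords

def _ip(text):
    return int(ipaddress.ip_address(text))

def _port(tok):
    return None if tok == "any" else (int(tok) if tok.isdigit() else PORT_NAMES[tok])

def parse_ace(line):
    """Parse 'permit|deny proto src [wild] sport dst [wild] dport [ace-priority N] ...'."""
    t = line.split()
    pos = 2

    def network():  # 'any' or 'address wildcard'; returns (base, wildcard) as ints
        nonlocal pos
        if t[pos] == "any":
            pos += 1
            return (0, 0xFFFFFFFF)
        pos += 2
        return (_ip(t[pos - 2]), _ip(t[pos - 1]))

    src = network()
    sport = _port(t[pos])
    pos += 1
    dst = network()
    dport = _port(t[pos])
    prio = int(t[t.index("ace-priority") + 1]) if "ace-priority" in t else 0
    return {"action": t[0], "proto": t[1], "src": src, "sport": sport,
            "dst": dst, "dport": dport, "prio": prio}

def _in_net(addr, net):
    base, wild = net  # wildcard bits set to 1 are "don't care"
    return (_ip(addr) ^ base) & (~wild & 0xFFFFFFFF) == 0

def evaluate(acl, pkt):
    """Stateless first match in ace-priority order; no match means implicit deny."""
    for ace in sorted(acl, key=lambda a: a["prio"]):
        if (ace["proto"] == pkt["proto"]
                and _in_net(pkt["src"], ace["src"]) and _in_net(pkt["dst"], ace["dst"])
                and ace["sport"] in (None, pkt["sport"])
                and ace["dport"] in (None, pkt["dport"])):
            return ace["action"]
    return "deny"

# ACEs quoted in the thread: the original pair, then the two reply ACEs suggested above
REQUEST_ACES = [
    "permit tcp 192.168.100.0 0.0.0.255 any 192.168.101.0 0.0.0.255 80 ace-priority 9 log-input",
    "permit tcp 192.168.100.0 0.0.0.255 any 192.168.101.0 0.0.0.255 443 ace-priority 10 log-input"]
REPLY_ACES = [
    "permit tcp 192.168.101.0 0.0.0.255 80 192.168.100.0 0.0.0.255 any ace-priority 11 log-input",
    "permit tcp 192.168.101.0 0.0.0.255 443 192.168.100.0 0.0.0.255 any ace-priority 12 log-input"]
ORIGINAL = [parse_ace(a) for a in REQUEST_ACES]
WITH_REPLIES = [parse_ace(a) for a in REQUEST_ACES + REPLY_ACES]

# Constructed packets: a client's HTTPS SYN and the server's SYN-ACK back to it
REQUEST = {"proto": "tcp", "src": "192.168.100.10", "sport": 51515, "dst": "192.168.101.20", "dport": 443}
REPLY = {"proto": "tcp", "src": "192.168.101.20", "sport": 443, "dst": "192.168.100.10", "dport": 51515}
```

Running `evaluate(ORIGINAL, REPLY)` returns "deny" while `evaluate(WITH_REPLIES, REPLY)` returns "permit", which is why the two extra ACEs are needed once the ACL is treated as a plain packet filter rather than a stateful rule.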
06-19-2022 11:43 AM
If you do not like anything allowed you need to have final rule deny any
And I have bound the ACL to the server VLAN (default action in the GUI is "deny"):
This should be allowed to allow.
example for reference video :
06-19-2022 10:36 PM
Thank you for the quick reply, but can you explain to me the difference between the two modes?
I have seen the video and I thought that I could invert the logic, but I don't see the point since
what I want is a restricted network with very specific flows only and no Internet access.
So an ACL must have only the necessary permit flows, and the last must be a deny all, which must be added implicitly by the mode setting…
06-20-2022 11:32 PM
what I want is a restricted network with very specific flows only and no Internet access.
Yes, you only allow what you need and deny any, so only VLAN-to-VLAN traffic is allowed. The rest will be denied.
06-20-2022 10:03 PM
Hi
What is the problem? The traffic is not being blocked?
Your logic seems right: you need to allow what you want and the implicit deny will take care of the rest.
06-21-2022 12:39 AM
The ACEs above are not working. Are they correct?
They should permit HTTP/HTTPS connections from 192.168.100.0/24 to 192.168.101.0/24 but they are not. That's the problem.
The ACEs below are working:
permit udp 192.168.101.0 0.0.0.255 any 192.168.102.3 0.0.0.0 domain ace-priority 5 log-input
permit tcp 192.168.101.0 0.0.0.255 any 192.168.102.3 0.0.0.0 domain ace-priority 6 log-input
I see that "service-acl" has two configuration modes: "input" (ingress traffic) & "output" (egress traffic). The ACEs created by the Web UI are all "input". "Input" seems the right choice here but then I wonder why the 'domain' ACEs are working...
Thank you in advance!
06-21-2022 01:56 AM
I see that "service-acl" has two configuration modes: "input" (ingress traffic) & "output" (egress traffic). The ACEs created by the Web UI are all "input". "Input" seems the right choice here but then I wonder why the 'domain' ACEs are working...
You need to add the end deny implicit rule.
“INPUT”: all packets coming into the chassis from the wire on that interface / VLAN Interface.
“OUTPUT”: all packets going out of the chassis on the wire on that interface / VLAN Interface.
So make sure you tag them as expected (if that is not working reverse and test it).
06-21-2022 06:50 AM
I entered in configuration mode and I see that "service-acl" in my CBS250 supports only input mode...
06-22-2022 09:17 PM
To avoid any misconceptions, can you explain the whole logic to me?
The "permit | deny source destination" is very clear, but how does the "service-acl" mode affect it?
In my case it seems that permit is not working for incoming traffic but why?
thank you in advance
06-26-2022 02:50 AM
That was it! Thank you all for your time especially KJK99!
One last question: since an ACL is bound to a specific network, is it necessary to specify that network in the ACEs? i.e. instead of setting 192.168.101.0, just use "any".
e.g:
permit tcp 192.168.100.0 0.0.0.255 any any 80 ace-priority 9 log-input