access-list (ACL): block UDP traffic one way?

Saichon Iamraor
Level 1

I want to block UDP traffic initiated from vlan2 to vlan1
and allow UDP traffic initiated from vlan1 to vlan2.

Can I block UDP traffic in one direction only?

9 Replies

Richard Burts
Hall of Fame

To deny udp traffic initiated from vlan 2 to vlan 1 while allowing udp traffic from vlan 1 to vlan 2 is complicated. It can be done for tcp traffic by looking at the flags inside the packet to determine whether this is a response. But udp does not provide that capability. How to do this, and even whether this is possible, depends on what platform you want to do this on.

You cannot do this with a normal extended access list which denies udp traffic with source of vlan 2 and destination of vlan 1, because this would deny vlan 2 responses to udp initiated from vlan 1. So you need something that does stateful examination of the traffic and can determine whether the udp traffic is something initiated from vlan 1 (permitted) or initiated from vlan 2 (denied). On some platforms like the ASA it is easier to do this stateful inspection and to allow vlan 1 to initiate udp to vlan 2 while denying udp initiated from vlan 2 to vlan 1. On other platforms you may be able to achieve it with inspection and reflexive access lists.

HTH

Rick
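
One way to get the "inspection and reflexive access lists" behaviour on an IOS router that routes between the two VLANs, as an added example that is not from this thread. The list names, the 60-second timeout and the addressing (VLAN 1 = 192.168.1.0/24, VLAN 2 = 192.168.2.0/24) are assumptions. The outbound list records each UDP flow that VLAN 1 starts; the inbound list admits only the mirrored reply to a recorded flow and then denies the rest of VLAN 2's UDP toward VLAN 1.

```ios
! Added example (not from the thread): reflexive ACL on an IOS router doing inter-VLAN routing.
! Assumed: VLAN 1 = 192.168.1.0/24, VLAN 2 = 192.168.2.0/24; list names and the 60 s timeout are placeholders.
ip access-list extended TO-VLAN2-OUT
 remark Leaving toward VLAN 2: record each UDP flow that VLAN 1 starts
 permit udp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 reflect UDP-FROM-VLAN1 timeout 60
 permit ip any any
!
ip access-list extended FROM-VLAN2-IN
 remark Arriving from VLAN 2: mirrored replies to recorded flows pass, other UDP to VLAN 1 is denied
 evaluate UDP-FROM-VLAN1
 deny udp 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip any any
!
interface Vlan2
 ip access-group TO-VLAN2-OUT out
 ip access-group FROM-VLAN2-IN in
```

The evaluate entry is checked at its position in the list, so it has to sit above the deny. A reflexive entry is created with source and destination addresses and ports swapped, and it is removed once the timeout passes with no matching traffic, which is why a late reply is dropped. Whether this is available at all depends on the box: reflexive ACLs are a router (software-forwarding) feature, and many L3 switches do not support them on SVIs, in which case a firewall or CBAC/zone-based inspection is the way to get the same result.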

 

Thank you Rick

Hello

Can you clarify what device is performing the inter-VLAN routing: L3 switch, router or firewall? If either of the latter two, then I would say something like CBAC is a possibility.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Joseph W. Doherty
Hall of Fame
If you want to stop ALL UDP traffic from VLAN 2 to VLAN 1 and conversely allow ALL UDP traffic from VLAN 1 to VLAN 2, that's simple.

However, as you mention "initiate", if you want UDP VLAN 1 traffic allowed to VLAN 2 to also allow a reply or response from VLAN 2 to VLAN 1, from the traffic that originally was started/initiated on VLAN 1, then as Rick notes, you need some kind of stateful inspection (which "remembers" what went from VLAN 1 to VLAN 2 and will accept a "mirror" reply). If the reply isn't a "mirror", it would be very difficult to accomplish.

For example, VLAN 1 sending to VLAN 2:
UDP 192.168.1.5:50 -> 192.162.2.2:20
might allow back
UDP 192.162.2.2:20 -> 192.168.1.5:50

Besides being a "mirror", there's usually a "timer" running, i.e. a response beyond some time limit will be rejected.

 


"If you want to stop ALL UDP traffic from VLAN 2 to VLAN 1 and conversely allow ALL UDP traffic from VLAN 1 to VLAN 2, that's simple." << If I want this, please give me an example.

We are working from different assumptions in this discussion. I began by saying that "To deny udp traffic initiated from vlan 2 to vlan 1 while allowing udp traffic from vlan 1 to vlan 2 is complicated." and @Joseph W. Doherty begins by saying that this is simple. The explanation for this difference is that we are looking at the question from different perspectives. Joseph is taking the literal approach about denying vlan 2 udp traffic from going to vlan 1. In his suggestion vlan 2 uses network 192.168.2.0 and vlan 1 uses network 192.168.1.0. So if you configure this access list

! ACL 101: drop UDP sourced in VLAN 2 and destined for VLAN 1; everything else passes
access-list 101 deny udp 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip any any
!
! applied inbound on the VLAN 2 SVI, i.e. to packets arriving from VLAN 2 hosts
interface vlan 2
 ip access-group 101 in

you would achieve the requirement. No udp traffic from vlan 2 could go to vlan 1. That is indeed pretty simple.

I was taking a broader view of the requirement in assuming that if you want to permit udp from vlan 1 to vlan 2 then you would also want responses from vlan 2 to go to vlan 1. And the simple ACL 101 does not permit that.

 

So the original poster needs to clarify what the requirement really is here. Is it to just block udp from vlan 2 to vlan 1? Or is it that vlan 1 should originate udp to vlan 2 and receive responses while udp originated from vlan 2 to vlan 1 is denied? One is simple and one is complicated. So in a sense both Joseph and I are correct.

 

HTH

Rick
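
The difference between the simple ACL 101 above and the stateful "mirror plus timer" behaviour Joseph describes, as an added Python simulation that is not code from this thread. It uses the thread's addressing (VLAN 1 = 192.168.1.0/24, VLAN 2 = 192.168.2.0/24); the packets, ports, timestamps and the 30-second idle timeout are constructed for the demonstration.

```python
"""Stateless ACL 101 versus stateful UDP inspection, simulated.

Added example, not code from the thread. Addressing follows the thread
(VLAN 1 = 192.168.1.0/24, VLAN 2 = 192.168.2.0/24); packets, ports,
timestamps and the idle timeout are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address

VLAN1 = ("192.168.1.0", "0.0.0.255")   # network, IOS wildcard mask
VLAN2 = ("192.168.2.0", "0.0.0.255")


@dataclass(frozen=True)
class Packet:
    proto: str   # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int
    t: float     # arrival time in seconds (constructed)


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the mask means 'don't care'."""
    a, b, w = (int(ip_address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)


def stateless_acl_101(pkt: Packet) -> str:
    """Rick's ACL 101 as applied inbound on interface vlan 2:

    access-list 101 deny   udp 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
    access-list 101 permit ip any any

    The deny line matches on addresses only, so a VLAN 2 host's reply to a
    query VLAN 1 started looks exactly like a VLAN 2-initiated packet.
    """
    if (pkt.proto == "udp"
            and wildcard_match(pkt.src, *VLAN2)
            and wildcard_match(pkt.dst, *VLAN1)):
        return "deny"
    return "permit"


class StatefulUdpInspector:
    """Remembers each UDP flow VLAN 1 starts and admits only its mirrored
    reply (addresses and ports swapped) while the flow's idle timer is alive."""

    def __init__(self, idle_timeout: float = 30.0) -> None:
        self.idle_timeout = idle_timeout
        # (src, sport, dst, dport) of the VLAN 1 -> VLAN 2 packet -> last time seen
        self.sessions: dict[tuple[str, int, str, int], float] = {}

    def _expire(self, now: float) -> None:
        stale = [k for k, last in self.sessions.items() if now - last > self.idle_timeout]
        for k in stale:
            del self.sessions[k]

    def process(self, pkt: Packet) -> str:
        if pkt.proto != "udp":
            return "permit"          # only UDP is policed in this example
        self._expire(pkt.t)
        if wildcard_match(pkt.src, *VLAN1) and wildcard_match(pkt.dst, *VLAN2):
            # VLAN 1 initiates (or keeps talking): record or refresh the flow.
            self.sessions[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = pkt.t
            return "permit"
        if wildcard_match(pkt.src, *VLAN2) and wildcard_match(pkt.dst, *VLAN1):
            mirror = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            if mirror in self.sessions:
                self.sessions[mirror] = pkt.t   # a reply refreshes the idle timer
                return "permit"
            return "deny"            # unsolicited, not a mirror, or timed out
        return "permit"


def run_scenario() -> dict[str, tuple[str, str]]:
    """Return {label: (ACL 101 verdict, stateful verdict)} for a constructed packet sequence."""
    inspector = StatefulUdpInspector(idle_timeout=30.0)
    packets = [
        ("vlan1 initiates",       Packet("udp", "192.168.1.5", 50000, "192.168.2.2", 53, 0.0)),
        ("mirrored reply",        Packet("udp", "192.168.2.2", 53, "192.168.1.5", 50000, 0.5)),
        ("reply from wrong port", Packet("udp", "192.168.2.2", 54, "192.168.1.5", 50000, 0.6)),
        ("vlan2 initiates",       Packet("udp", "192.168.2.9", 40000, "192.168.1.5", 161, 1.0)),
        ("late reply",            Packet("udp", "192.168.2.2", 53, "192.168.1.5", 50000, 45.0)),
        ("tcp not policed",       Packet("tcp", "192.168.2.9", 40001, "192.168.1.5", 22, 46.0)),
    ]
    return {label: (stateless_acl_101(p), inspector.process(p)) for label, p in packets}


if __name__ == "__main__":
    for label, (acl, stateful) in run_scenario().items():
        print(f"{label:22s} ACL 101: {acl:6s} stateful: {stateful}")
```

The "mirrored reply" row is the whole disagreement in the thread: ACL 101 denies it because it only looks at addresses, while the stateful inspector permits it because the swapped 4-tuple matches a flow VLAN 1 opened. Both deny a VLAN 2-initiated packet, a reply from a port that does not mirror the request, and a reply that arrives after the idle timer has expired.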

"If I want this please give me for example ...."

Rick's latest posting provides an example. If you need more, feel free to ask.