To deny udp traffic initiated from vlan 2 to vlan 1 while allowing udp traffic from vlan 1 to vlan 2 is complicated. It can be done for tcp traffic by looking at the flags inside the packet to determine whether this is a response. But udp does not provide that capability. How to do this, and even whether this is possible, depends on what platform you want to do this on. You can not do this with a normal extended access list which denies udp traffic with source of vlan 2 and destination of vlan 1 because this would deny vlan 2 responses to udp initiated from vlan 1. So you need something that does stateful examination of the traffic and can determine whether the udp traffic is something initiated from vlan 1 (permitted) or initiated from vlan 2 (denied). On some platforms like the ASA it is easier to do this stateful inspection and to allow vlan 1 to initiate udp to vlan 2 while denying udp initiated from vlan 2 to vlan 1. On other platforms you may be able to achieve it with inspection and reflexive access lists.
Can you clarify what device is performing the inter-vlan routing, L3 switch, Router or Firewall? If any of the latter two then I would say something like CBAC is a possibility???
@Joseph W. Doherty wrote:
If you want to stop ALL UDP traffic from VLAN 2 to VLAN 1 and conversely allow ALL UDP traffic from VLAN 1 to VLAN 2, that's simple.
However, as you mention "initiate", if you want UDP VLAN 1 traffic allowed to VLAN 2 to also allow a reply or response from VLAN 2 to VLAN 1, from the traffic that originally was started/initiated on VLAN 1, then as Rick notes, you need some kind of stateful inspection (which "remembers" what went from VLAN 1 to VLAN 2 and will accept a "mirror" reply). If the reply isn't a "mirror", it would be very difficult to accomplish.
VLAN 1 sending to VLAN 2:
UDP 192.168.1.5:50 18.104.22.168:20
might allow back
UDP 22.214.171.124:20 192.168.1.5:50
Besides being a "mirror", there's usually a "timer" running, i.e. a response beyond some time limit will be rejected.
If you want to stop ALL UDP traffic from VLAN 2 to VLAN 1 and conversely allow ALL UDP traffic from VLAN 1 to VLAN 2, that's simple. << If I want this, please give me an example ....
We are working from different assumptions in this discussion. I began by saying that "To deny udp traffic initiated from vlan 2 to vlan 1 while allowing udp traffic from vlan 1 to vlan 2 is complicated." and @Joseph W. Doherty begins by saying that this is simple. The explanation for this difference is that we are looking at the question from different perspectives. Joseph is taking the literal approach about denying vlan 2 udp traffic from going to vlan 1. In his suggestion vlan 2 uses network 192.168.2.0 and vlan 1 uses network 192.168.1.0. So if you configure this access list
access-list 101 deny udp 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip any any
interface vlan 2
ip access-group 101 in
you would achieve the requirement. No udp traffic from vlan 2 could go to vlan 1. That is indeed pretty simple.
I was taking a broader view of the requirement in assuming that if you want to permit udp from vlan 1 to vlan 2 then you would also want responses from vlan 2 to go to vlan 1. And the simple ACL 101 does not permit that.
So the original poster needs to clarify what is really the requirement here? Is it to just block udp from vlan 2 to vlan 1? Or is it that vlan 1 should originate udp to vlan 2 and receive responses while vlan 2 originated to vlan 1 is denied? One is simple and one is complicated. So in a sense both Joseph and I are correct.
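As an added illustration of the difference Rick and Joseph describe (this is not code from the thread, and not a Cisco feature; it is a small Python model written for this page): the same constructed UDP packets are evaluated against the simple ACL 101 from Rick's post and against a toy stateful filter that remembers the exact "mirror" of each VLAN 1-initiated flow for a limited time, as Joseph describes. The host addresses, ports and the 30-second idle timer are assumed values; the two networks are the 192.168.1.0 and 192.168.2.0 ones mentioned above.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Tuple

# Networks as stated in the thread: VLAN 1 = 192.168.1.0/24, VLAN 2 = 192.168.2.0/24
VLAN1 = ipaddress.ip_network("192.168.1.0/24")
VLAN2 = ipaddress.ip_network("192.168.2.0/24")


@dataclass(frozen=True)
class Packet:
    proto: str   # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int


def in_net(addr: str, net: ipaddress.IPv4Network) -> bool:
    return ipaddress.ip_address(addr) in net


def stateless_acl_101(pkt: Packet) -> str:
    """Models the simple ACL from the thread (applied inbound on interface vlan 2):
    deny udp 192.168.2.0/24 -> 192.168.1.0/24, then permit ip any any.
    It has no memory, so it also denies VLAN 2 replies to VLAN 1 queries."""
    if pkt.proto == "udp" and in_net(pkt.src, VLAN2) and in_net(pkt.dst, VLAN1):
        return "deny"
    return "permit"


class StatefulUdpFilter:
    """Toy model of reflexive/stateful UDP inspection (assumed behaviour, not a
    vendor implementation). A UDP packet from VLAN 1 to VLAN 2 creates a temporary
    entry for its exact mirror (dst/dport and src/sport swapped). A UDP packet from
    VLAN 2 to VLAN 1 is permitted only if it matches an unexpired entry."""

    def __init__(self, idle_timeout: float = 30.0):
        self.idle_timeout = idle_timeout
        self._expected: Dict[Tuple[str, int, str, int], float] = {}

    def evaluate(self, pkt: Packet, now: float) -> str:
        if pkt.proto != "udp":
            return "permit"  # the thread's requirement concerns UDP only
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if in_net(pkt.src, VLAN1) and in_net(pkt.dst, VLAN2):
            mirror = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            self._expected[mirror] = now + self.idle_timeout
            return "permit"
        if in_net(pkt.src, VLAN2) and in_net(pkt.dst, VLAN1):
            expiry = self._expected.get(key)
            if expiry is None:
                return "deny"  # VLAN 2 initiated, or the reply is not a mirror
            if now > expiry:
                del self._expected[key]
                return "deny"  # reply arrived after the timer ran out
            self._expected[key] = now + self.idle_timeout  # keep the session alive
            return "permit"
        return "permit"


def run_scenario() -> Dict[str, Tuple[str, str]]:
    """Constructed traffic; returns {case: (stateless verdict, stateful verdict)}."""
    stateful = StatefulUdpFilter(idle_timeout=30.0)
    query = Packet("udp", "192.168.1.5", 50, "192.168.2.9", 20)
    mirror_reply = Packet("udp", "192.168.2.9", 20, "192.168.1.5", 50)
    non_mirror = Packet("udp", "192.168.2.9", 21, "192.168.1.5", 50)
    vlan2_initiated = Packet("udp", "192.168.2.7", 4000, "192.168.1.5", 53)

    results = {}
    results["query_v1_to_v2"] = (stateless_acl_101(query), stateful.evaluate(query, now=0.0))
    results["mirror_reply_in_time"] = (stateless_acl_101(mirror_reply), stateful.evaluate(mirror_reply, now=5.0))
    results["non_mirror_reply"] = (stateless_acl_101(non_mirror), stateful.evaluate(non_mirror, now=6.0))
    results["vlan2_initiated"] = (stateless_acl_101(vlan2_initiated), stateful.evaluate(vlan2_initiated, now=7.0))
    results["mirror_reply_after_timeout"] = (stateless_acl_101(mirror_reply), stateful.evaluate(mirror_reply, now=100.0))
    return results


if __name__ == "__main__":
    for case, (stateless, stateful) in run_scenario().items():
        print(f"{case:28s} ACL 101: {stateless:6s} stateful: {stateful}")
```

The stateless verdicts show why the simple ACL satisfies only the literal reading: it blocks every VLAN 2 to VLAN 1 UDP packet, replies included. The stateful verdicts show the broader reading: a mirrored reply inside the timer passes, while a non-mirrored reply, a late reply, and VLAN 2-initiated traffic are all denied.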