access-list (ACL) block UDP traffic one way?

I want to block UDP traffic initiated from vlan 2 to vlan 1
and allow UDP traffic initiated from vlan 1 to vlan 2.

Can I block UDP traffic in one direction only?

Hall of Fame Master

Re: access-list (ACL) block UDP traffic one way?

To deny udp traffic initiated from vlan 2 to vlan 1 while allowing udp traffic from vlan 1 to vlan 2 is complicated. It can be done for tcp traffic by looking at the flags inside the packet to determine whether this is a response. But udp does not provide that capability. How to do this, and even whether this is possible, depends on what platform you want to do this on.

You cannot do this with a normal extended access list which denies udp traffic with source of vlan 2 and destination of vlan 1, because this would deny vlan 2 responses to udp initiated from vlan 1. So you need something that does stateful examination of the traffic and can determine whether the udp traffic is something initiated from vlan 1 (permitted) or initiated from vlan 2 (denied).

On some platforms like the ASA it is easier to do this stateful inspection and to allow vlan 1 to initiate udp to vlan 2 while denying udp initiated from vlan 2 to vlan 1. On other platforms you may be able to achieve it with inspection and reflexive access lists.

 

HTH

 

Rick

If you found this post helpful, please let the community know by clicking the helpful button!
By doing so, and until end of January, you are helping Doctors Without Borders

Re: access-list (ACL) block UDP traffic one way?

Thank you Rick

VIP Advisor

Re: access-list (ACL) block UDP traffic one way?

Hello

Can you clarify what device is performing the inter-VLAN routing: L3 switch, router or firewall? If it is either of the latter two, then I would say something like CBAC is a possibility???



kind regards
Paul

Please rate and mark posts accordingly if you have found any of the information provided useful.
It will hopefully assist others with similar issues in the future
VIP Expert

Re: access-list (ACL) block UDP traffic one way?

If you want to stop ALL UDP traffic from VLAN 2 to VLAN 1 and conversely allow ALL UDP traffic from VLAN 1 to VLAN 2, that's simple.

However, as you mention "initiate", if you want UDP VLAN 1 traffic allowed to VLAN 2 to also allow a reply or response from VLAN 2 to VLAN 1, from the traffic that originally was started/initiated on VLAN 1, then as Rick notes, you need some kind of stateful inspection (which "remembers" what went from VLAN 1 to VLAN 2 and will accept a "mirror" reply). If the reply isn't a "mirror", it would be very difficult to accomplish.

For example:
VLAN 1 sending to VLAN 2:
UDP 192.168.1.5:50 192.162.2.2:20
might allow back
UDP 192.162.2.2:20 192.168.1.5:50

Besides being a "mirror", there's usually a "timer" running, i.e. a response beyond some time limit will be rejected.

Re: access-list (ACL) block UDP traffic one way?


@Joseph W. Doherty wrote:
If you want to stop ALL UDP traffic from VLAN 2 to VLAN 1 and conversely allow ALL UDP traffic from VLAN 1 to VLAN 2, that's simple.

However, as you mention "initiate", if you want UDP VLAN 1 traffic allowed to VLAN 2 to also allow a reply or response from VLAN 2 to VLAN 1, from the traffic that originally was started/initiated on VLAN 1, then as Rick notes, you need some kind of stateful inspection (which "remembers" what went from VLAN 1 to VLAN 2 and will accept a "mirror" reply). If the reply isn't a "mirror", it would be very difficult to accomplish.

For example:
VLAN 1 sending to VLAN 2:
UDP 192.168.1.5:50 192.162.2.2:20
might allow back
UDP 192.162.2.2:20 192.168.1.5:50

Besides being a "mirror", there's usually a "timer" running, i.e. a response beyond some time limit will be rejected.

If you want to stop ALL UDP traffic from VLAN 2 to VLAN 1 and conversely allow ALL UDP traffic from VLAN 1 to VLAN 2, that's simple.  << If I want this, please give me an example ....

Hall of Fame Master

Re: access-list (ACL) block UDP traffic one way?

We are working from different assumptions in this discussion. I began by saying that "To deny udp traffic initiated from vlan 2 to vlan 1 while allowing udp traffic from vlan 1 to vlan 2 is complicated." and @Joseph W. Doherty begins by saying that this is simple. The explanation for this difference is that we are looking at the question from different perspectives. Joseph is taking the literal approach about denying vlan 2 udp traffic from going to vlan 1. In his suggestion vlan 2 uses network 192.168.2.0 and vlan 1 uses network 192.168.1.0. So if you configure this access list

access-list 101 deny udp 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip any any
interface vlan 2
 ip access-group 101 in

you would achieve the requirement. No udp traffic from vlan 2 could go to vlan 1. That is indeed pretty simple.

I was taking a broader view of the requirement in assuming that if you want to permit udp from vlan 1 to vlan 2 then you would also want responses from vlan 2 to go to vlan 1. And the simple ACL 101 does not permit that.

 

So the original poster needs to clarify what the requirement really is here. Is it just to block udp from vlan 2 to vlan 1? Or is it that vlan 1 should originate udp to vlan 2 and receive responses, while udp originated from vlan 2 to vlan 1 is denied? One is simple and one is complicated. So in a sense both Joseph and I are correct.

 

HTH

 

Rick

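As an added illustration (not code from this thread or from Cisco), here is a small Python model of the difference Rick and Joseph describe: the stateless ACL 101, which denies VLAN 2 replies along with everything else, versus a stateful filter that remembers UDP flows VLAN 1 initiated and admits only the mirrored reply while a timer is running. The VLAN subnets, the packet representation, the 30 second timeout and every helper name are assumptions of this example.

```python
import ipaddress
from collections import namedtuple

# Constructed sample layout from the thread: VLAN 1 = 192.168.1.0/24 and
# VLAN 2 = 192.168.2.0/24. Names below are this example's own, not IOS syntax.
VLAN1 = ipaddress.ip_network("192.168.1.0/24")
VLAN2 = ipaddress.ip_network("192.168.2.0/24")

Pkt = namedtuple("Pkt", "proto src sport dst dport")

def _in(addr, net):
    return ipaddress.ip_address(addr) in net

def stateless_acl(pkt):
    """Models Rick's ACL 101 (deny udp VLAN 2 -> VLAN 1, then permit ip any any)
    applied inbound on interface vlan 2. It has no memory, so a reply to a
    flow that VLAN 1 started is denied just like a VLAN 2 initiated packet."""
    if pkt.proto == "udp" and _in(pkt.src, VLAN2) and _in(pkt.dst, VLAN1):
        return False
    return True

class ReflexiveUdpFilter:
    """Models stateful (reflexive ACL / CBAC style) handling: remember UDP flows
    that VLAN 1 initiates toward VLAN 2 and admit only the mirrored reply
    (addresses and ports swapped) while the flow's idle timer is running."""
    def __init__(self, timeout=30):
        self.timeout = timeout
        self.flows = {}   # (src, sport, dst, dport) -> time last seen

    def permit(self, pkt, now):
        if pkt.proto != "udp":
            return True   # only UDP is restricted in this example
        if _in(pkt.src, VLAN1) and _in(pkt.dst, VLAN2):
            # Initiated from VLAN 1: record the flow and let it through.
            self.flows[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = now
            return True
        if _in(pkt.src, VLAN2) and _in(pkt.dst, VLAN1):
            mirror = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            seen = self.flows.get(mirror)
            if seen is not None and now - seen <= self.timeout:
                self.flows[mirror] = now   # activity refreshes the timer
                return True
            self.flows.pop(mirror, None)   # expired or never initiated: deny
            return False
        return True
```

A reply on a different port than the one VLAN 1 used is not a "mirror" and is dropped, which is the case Joseph says would be very difficult to handle.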
VIP Expert

Re: access-list (ACL) block UDP traffic one way?

"If I want this please give me for example ...."

Rick's latest posting provides an example. If you need more, feel free to ask.