11-23-2022 11:59 PM
I was applying an access list on a switch SVI on a Nexus 9300 series switch. When I apply the access list in the out direction of the SVI, it blocks traffic to the servers on the VLAN, and that's what I want and perfect, but the problem is it also blocks traffic originating from the VLAN. Please help with this.
11-24-2022 12:07 AM
Basic rules of access-list direction:
IN = Traffic originating from within the VLAN interface
OUT = Traffic coming from outside the VLAN interface
If you still have an issue, post the config.
=====Preenayamo Vasudevam=====
***** Rate All Helpful Responses *****
11-24-2022 12:22 AM
Here is the config
IP access list Access-to-VLAN118
  40 permit tcp addrgroup FROM_OUT_TO_MAIL addrgroup Mail-Servers portgroup Mail-ports
  41 permit tcp addrgroup ALL_BOA_NET addrgroup Mail-Servers portgroup Mail-ports
  42 permit ip addrgroup CDE_VLANS any
  43 deny ip any addrgroup Mail-Servers
  44 permit ip any any

interface Vlan118
  description INFRASTRACTURE SERVICE
  no shutdown
  mtu 9216
  vrf member DATACENTER
  ip access-group Access-to-VLAN118 out
  no ip redirects
  ip address 192.1.18.2/24
  no ipv6 redirects
  vrrpv3 10 address-family ipv4
    address 10.1.18.1 primary

object-group ip address Mail-Servers
  10 host 192.1.18.16
  20 host 192.1.18.23
  30 host 192.1.18.26
  40 host 192.1.18.27
11-24-2022 12:39 AM
OUT must work, but where is the portgroup <object-group> you use?
11-24-2022 12:48 AM
I didn't get the question.
40 permit tcp addrgroup FROM_OUT_TO_MAIL addrgroup Mail-Servers portgroup Mail-ports
41 permit tcp addrgroup ALL_BOA_NET addrgroup Mail-Servers portgroup Mail-ports
We use this access list to restrict access to the mail servers to these allowed ports only:
object-group ip port Mail-ports
  eq 143
  eq 443
  eq 993
  eq 25
11-24-2022 12:57 AM
Deny traffic originating from the server.
Server - SVI - Client (outside)
If the client initiates the traffic, the traffic will pass through the ACL OUT, no issue.
If the server initiates the traffic, the traffic will pass through the SVI because there is no ACL IN applied to the SVI.
BUT
the return traffic to the server (the traffic that the server initiated) must be allowed by the ACL OUT.
So which traffic do you notice being dropped by the ACL OUT?
11-24-2022 02:27 AM
Can you define what is being dropped? (What is the source IP?)
43 deny ip any addrgroup Mail-Servers - other than the permits, everything else is denied as per this rule?
11-24-2022 12:57 AM
Hello,
Kindly provide all groups and the ACL (for this question); also tell us which device is the server and which is the other device. And from where to where is it blocking?
11-24-2022 03:06 AM
Here is the scenario
11-24-2022 03:11 AM
object-group ip address ALL_BOA_NET
  host 192.0.0.0/8
=================================================
object-group ip address FROM_OUT_TO_MAIL
11-24-2022 03:23 AM
I have now finished my last point about the FW with ACL, so I think I have the solution here.
Server - SVI ACL(OUT) - Client (outside)
Traffic initiated from the client passes through the ACL OUT, no problem.
Traffic initiated from the server needs to return back through the ACL OUT and it is dropped, so we need to add a line that lets only the return traffic back to the server without opening the ACL; this can be done by adding the established keyword.
Note: this solution is only for TCP traffic.
11-24-2022 03:41 AM
Hello Advisor,
Thank you indeed for the information, but where should I apply the keyword? I mean on the existing (out) access list, or should I write another access list for the (in) direction?
11-24-2022 03:43 AM
permit tcp any any established <<- add this line to the ACL OUT, and check.
Again, this solution is only for TCP traffic.
11-24-2022 03:46 AM
Hello Advisor,
Additional information: the ACL drops independent traffic which is originating from the server itself, not established traffic from outside to the servers.
11-24-2022 04:02 AM
The sequence number of the line we add is important; it must come after the lines for traffic initiated from the client.
NOTE: when we deal with ACLs, we test all cases.
IP access list Access-to-VLAN118
  40 permit tcp addrgroup FROM_OUT_TO_MAIL addrgroup Mail-Servers portgroup Mail-ports
  41 permit tcp addrgroup ALL_BOA_NET addrgroup Mail-Servers portgroup Mail-ports
  permit tcp any any established <<-- it needs to be added here.
  42 permit ip addrgroup CDE_VLANS any
  43 deny ip any addrgroup Mail-Servers
  44 permit ip any any
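To see why the server-initiated TCP connections were dropped and what the established entry changes, here is a small Python model of the thread's ACL (an added example, not from the thread or from Cisco). FROM_OUT_TO_MAIL is shortened to two hosts and the CDE_VLANS prefix is assumed, since the thread does not show it; the sequence number of the new entry is also not given in the thread, so it is labelled "est".

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Object groups from the thread (FROM_OUT_TO_MAIL shortened to two hosts;
# CDE_VLANS is not shown in the thread, so its prefix here is an assumption).
GROUPS = {
    "Mail-Servers": ["192.1.18.16", "192.1.18.23", "192.1.18.26", "192.1.18.27"],
    "FROM_OUT_TO_MAIL": ["10.1.1.21", "10.1.1.23"],
    "ALL_BOA_NET": ["192.0.0.0/8"],
    "CDE_VLANS": ["10.50.0.0/16"],  # assumed, not from the thread
}
PORTGROUPS = {"Mail-ports": {25, 143, 443, 993}}

@dataclass(frozen=True)
class Pkt:  # a packet leaving the SVI toward VLAN 118 (the "out" direction)
    src: str
    dst: str
    proto: str                      # "tcp" or "udp"
    dport: int
    flags: frozenset = frozenset()  # TCP flags, e.g. {"SYN"} or {"ACK"}

# ACE: (seq, action, proto, src group, dst group, port group, established)
ORIGINAL_ACL = [
    ("40", "permit", "tcp", "FROM_OUT_TO_MAIL", "Mail-Servers", "Mail-ports", False),
    ("41", "permit", "tcp", "ALL_BOA_NET", "Mail-Servers", "Mail-ports", False),
    ("42", "permit", "ip", "CDE_VLANS", "any", None, False),
    ("43", "deny", "ip", "any", "Mail-Servers", None, False),
    ("44", "permit", "ip", "any", "any", None, False),
]
# The thread's fix: an established entry placed before the deny on line 43.
FIXED_ACL = ORIGINAL_ACL[:2] + [("est", "permit", "tcp", "any", "any", None, True)] + ORIGINAL_ACL[2:]

def in_group(name, ip):
    return name == "any" or any(ip_address(ip) in ip_network(n) for n in GROUPS[name])

def evaluate(acl, pkt):
    """First-match evaluation; returns (seq, action), or (None, 'deny') for the implicit deny."""
    for seq, action, proto, src, dst, ports, established in acl:
        if proto != "ip" and proto != pkt.proto:
            continue
        if not (in_group(src, pkt.src) and in_group(dst, pkt.dst)):
            continue
        if ports and pkt.dport not in PORTGROUPS[ports]:
            continue
        # 'established' matches only TCP segments with ACK or RST set, i.e. replies
        if established and not (pkt.flags & {"ACK", "RST"}):
            continue
        return seq, action
    return None, "deny"
```

Running a reply from an outside host to a connection the mail server opened shows the original ACL hitting line 43 and the fixed ACL hitting the established entry, while a UDP reply is still denied, matching the "TCP only" note.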