ACL Applied to SVI

mwood000111
Level 1

I have created an SVI (on a Cat 9300 that is collapsed and works as an Access and Core switch for a small remote office) and applied ACLs inbound and outbound to restrict traffic to/from the devices in that particular VLAN.  The ACL partially works: ICMP and TCP work accordingly and establish sessions just fine, but DNS is not able to be resolved, although I have an entry allowing the response to the query back in.  Config below:

 

ip access-list extended DMZ_in
5 permit tcp host 10.5.41.83 10.5.78.0 0.0.0.255
10 permit udp host 10.5.4.33 10.5.78.0 0.0.0.255 eq domain
11 permit udp host 10.5.41.33 10.5.78.0 0.0.0.255 eq domain
15 permit udp host 10.5.4.33 10.5.78.0 0.0.0.255 eq ntp
16 permit udp host 10.5.41.33 10.5.78.0 0.0.0.255 eq ntp
20 permit icmp host 10.5.41.83 10.5.78.0 0.0.0.255
25 permit tcp host 212.227.81.55 10.5.78.0 0.0.0.255
30 permit tcp host 172.217.10.106 10.5.78.0 0.0.0.255
100 deny ip any 10.5.78.0 0.0.0.255
exit

ip access-list extended DMZ_out
5 permit tcp 10.5.78.0 0.0.0.255 host 10.5.41.83
10 permit udp 10.5.78.0 0.0.0.255 host 10.5.4.33 eq domain
11 permit udp 10.5.78.0 0.0.0.255 host 10.5.41.33 eq domain
15 permit udp 10.5.78.0 0.0.0.255 host 10.5.4.33 eq ntp
16 permit udp 10.5.78.0 0.0.0.255 host 10.5.41.33 eq ntp
20 permit icmp 10.5.78.0 0.0.0.255 host 10.5.41.83
25 permit tcp 10.5.78.0 0.0.0.255 host 212.227.81.55
30 permit tcp 10.5.78.0 0.0.0.255 host 172.217.10.106
100 deny ip 10.5.78.0 0.0.0.255 any
exit

int vlan 78
descr  DMZ
ip add 10.5.78.2 255.255.255.0
ip helper-address 10.5.4.33
standby 78 ip 10.5.78.1
standby 78 preempt
standby 78 priority 150
ip access-group DMZ_out in
ip access-group DMZ_in out
no shut

 

Packet capture on interface below:

 

423 0.000966 10.5.78.5 -> 10.5.41.33 DNS 74 Standard query 0x7b5e A gejgsqzpylniis
424 0.000968 10.5.78.5 -> 10.5.41.33 DNS 91 Standard query 0x3b86 A gejgsqzpylniis.xxxxxx.COM
425 0.000970 10.5.78.5 -> 10.5.4.33 DNS 74 Standard query 0x7b5e A gejgsqzpylniis
426 0.000974 10.5.78.5 -> 10.5.4.33 DNS 91 Standard query 0x3b86 A gejgsqzpylniis.xxxxx.COM

 

Never see a response back, even if it's a "no such name".  But when I adjust the ACL and only apply it to traffic coming in to the SVI (ip access-group DMZ_out in), DNS is able to resolve.  Any thoughts?  I do need to restrict traffic both ways, even though I can't send ICMP or SSH to those 10.5.78.x addresses in the current config.  It seems to be working, but I am not certain it's working as intended.  Thanks.

Accepted Solution

Hello


@mwood000111 wrote:

Never see a response back, even if it's a "no such name".  But when I adjust the ACL and only apply it to traffic coming in to the SVI (ip access-group DMZ_out in), DNS is able to resolve.  Any thoughts?  I do need to restrict traffic both ways, even though I can't send ICMP or SSH to those 10.5.78.x addresses in the current config.  It seems to be working, but I am not certain it's working as intended.  Thanks.


First of all, the logic on an SVI differs:
IN = traffic originating from within the VLAN

OUT = traffic originating from outside towards the VLAN

So having the ACL just on the IN should be fine.


Kind Regards
Paul
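An added example, not part of the thread, that walks the posted ACLs the way the switch evaluates them. On IOS a port operator written after the destination address ("... 10.5.78.0 0.0.0.255 eq domain") tests the destination port, so with DMZ_in applied outbound the resolver's reply (source port 53, destination the client's ephemeral port) does not match seq 10 or 11 and falls through to the deny at seq 100; the query itself matches DMZ_out seq 11 on the way in, which is why the capture shows queries and no answers, and why NTP (port 123 on both ends) keeps working under the same ACLs. The script implements only the ACL subset the post uses plus the SVI direction rule from the accepted answer, then shows the same reply passing once "eq domain" is moved to the source side ("permit udp host 10.5.41.33 eq domain 10.5.78.0 0.0.0.255"). The client port 51234, the host 10.5.4.99 and port 161 are constructed for the example; the TCP, ICMP and internet-host ACEs are left out because they do not affect the DNS case.

```python
"""Trace the DNS and NTP exchanges from VLAN 78 through the posted ACLs.

Added example, not from the thread.  It covers the IOS extended-ACL subset the
post uses and the SVI rule from the accepted answer: 'in' sees packets sourced
in the VLAN, 'out' sees packets routed into it.  Client port 51234 is assumed.
"""
import ipaddress
from dataclasses import dataclass

NAMED_PORTS = {"domain": 53, "ntp": 123, "ssh": 22}
DMZ_VLAN = ipaddress.ip_network("10.5.78.0/24")


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0  # unused for icmp
    dport: int = 0


def _parse_addr(tok, i):
    """'host A' | 'any' | 'A WILDCARD'  ->  ((network, wildcard), next index)."""
    if tok[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tok[i] == "host":
        return (tok[i + 1], "0.0.0.0"), i + 2
    return (tok[i], tok[i + 1]), i + 2


def _parse_port(tok, i):
    """Optional 'eq <port>' -> (port or None, next index); only 'eq' is handled."""
    if i < len(tok) and tok[i] == "eq":
        p = tok[i + 1]
        return (NAMED_PORTS[p] if p in NAMED_PORTS else int(p)), i + 2
    return None, i


def parse_ace(line):
    """'<seq> permit|deny <proto> <src> [eq p] <dst> [eq p]' -> dict."""
    tok = line.split()
    src, i = _parse_addr(tok, 3)
    sport, i = _parse_port(tok, i)
    dst, i = _parse_addr(tok, i)
    dport, _ = _parse_port(tok, i)
    return {"seq": int(tok[0]), "action": tok[1], "proto": tok[2],
            "src": src, "sport": sport, "dst": dst, "dport": dport}


def _in_net(addr, spec):
    """IOS wildcard semantics: every 0 bit of the wildcard must match."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, *spec))
    return ((a ^ n) & (0xFFFFFFFF ^ w)) == 0


def evaluate(acl, pkt):
    """First matching ACE wins; the implicit deny at the end reports seq None."""
    for ace in acl:
        if ace["proto"] not in ("ip", pkt.proto):
            continue
        if not (_in_net(pkt.src, ace["src"]) and _in_net(pkt.dst, ace["dst"])):
            continue
        # A port written after the destination is a destination-port test.
        if ace["sport"] not in (None, pkt.sport) or ace["dport"] not in (None, pkt.dport):
            continue
        return ace["action"], ace["seq"]
    return "deny", None


def svi_filter(pkt, acl_in, acl_out):
    """Sourced in the VLAN -> 'in' ACL; destined to it -> 'out' ACL (None = none)."""
    hits = []
    if acl_in is not None and ipaddress.ip_address(pkt.src) in DMZ_VLAN:
        hits.append(("in",) + evaluate(acl_in, pkt))
    if acl_out is not None and ipaddress.ip_address(pkt.dst) in DMZ_VLAN:
        hits.append(("out",) + evaluate(acl_out, pkt))
    return ("permit" if all(h[1] == "permit" for h in hits) else "deny"), hits


def fix_reply_aces(acl):
    """Move the DNS port test to the server (source) side so replies match."""
    return [dict(a, sport=53, dport=None) if a["proto"] == "udp" and a["dport"] == 53
            else a for a in acl]


# The posted ACEs that matter here; TCP, ICMP and internet-host lines omitted.
DMZ_IN = [parse_ace(ln) for ln in """
10 permit udp host 10.5.4.33 10.5.78.0 0.0.0.255 eq domain
11 permit udp host 10.5.41.33 10.5.78.0 0.0.0.255 eq domain
15 permit udp host 10.5.4.33 10.5.78.0 0.0.0.255 eq ntp
16 permit udp host 10.5.41.33 10.5.78.0 0.0.0.255 eq ntp
100 deny ip any 10.5.78.0 0.0.0.255""".strip().splitlines()]
DMZ_OUT = [parse_ace(ln) for ln in """
10 permit udp 10.5.78.0 0.0.0.255 host 10.5.4.33 eq domain
11 permit udp 10.5.78.0 0.0.0.255 host 10.5.41.33 eq domain
15 permit udp 10.5.78.0 0.0.0.255 host 10.5.4.33 eq ntp
16 permit udp 10.5.78.0 0.0.0.255 host 10.5.41.33 eq ntp
100 deny ip 10.5.78.0 0.0.0.255 any""".strip().splitlines()]

DNS_QUERY = Packet("udp", "10.5.78.5", "10.5.41.33", 51234, 53)    # port assumed
DNS_REPLY = Packet("udp", "10.5.41.33", "10.5.78.5", 53, 51234)
NTP_REPLY = Packet("udp", "10.5.41.33", "10.5.78.5", 123, 123)
UNSOLICITED = Packet("udp", "10.5.4.99", "10.5.78.5", 40000, 161)  # constructed


def trace(pkt, acl_in=DMZ_OUT, acl_out=DMZ_IN):
    """ACLs bound as in the post: DMZ_out applied 'in', DMZ_in applied 'out'."""
    return svi_filter(pkt, acl_in, acl_out)
```

trace(DNS_QUERY) is permitted by DMZ_out seq 11 and trace(DNS_REPLY) is denied by DMZ_in seq 100, while trace(NTP_REPLY) is permitted by seq 16; with acl_out=fix_reply_aces(DMZ_IN) the reply is permitted by seq 11. Passing acl_out=None reproduces the configuration that "works": DNS resolves, but trace(UNSOLICITED, acl_out=None) shows a packet sent into the VLAN is then not filtered at all, which is the case to keep in mind if traffic really does need restricting in both directions.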


Understood.  I'm used to applying ACLs to physical interfaces and having the in/out, so I applied the same logic.  Thanks for the second set of eyes.
