ACL on SVI

Hello all. I need to restrict access to a VLAN on the network. I have applied the "outbound" ACL to the VLAN's SVI. After applying the ACL to the SVI, servers on that VLAN can't talk out to other networks. After some testing it looks like return traffic, sourced from inside the VLAN, is being blocked. Is this expected behavior? Is it possible to create a stateful ACL? Thanks in advance for any ideas and/or help!

1 Accepted Solution

Hall of Fame Guru

Yes, it is expected behaviour because router ACLs don't keep state.

If the connections are all TCP (unlikely) you could look to use the "established" keyword in your ACL.

The alternative, as you mention, is to use ACLs that keep state; reflexive ACLs do this but have limited support on switches, or, again if your device supports it, firewall functionality e.g. CBAC, ZBFW.

Jon

7 Replies

VIP Advisor

Hi @no_prop,

Could you show us the configured ACL and its application?

Regards

Hey @luis_cordova.

Thanks for taking a look.

Both Vcenter and UCS_Internal_Management are object groups in VLAN 22. UCS_Internal_Management is an object group for VLAN 22's subnet. The other groups are hosts and subnets not in VLAN 22. None of the servers can communicate outside the VLAN except to hosts and addresses included in an object group defined below. Adding the line permit ip any addrgroup UCS_Internal_Management... allows traffic to exit the network/VLAN 22 and obviously defeats the purpose of the ACL.

Thanks again for looking.

IP access list Vcenter_ACL
        10 permit ip addrgroup Vcenter any
        20 permit ip addrgroup Server_Team any
        30 permit ip addrgroup Veeam_System any
        40 permit ip addrgroup Radius_ISE any
        60 permit ip addrgroup UCS_Internal_Management any
        70 permit ip addrgroup SNMP any
        80 permit ip addrgroup UCS_Systems addrgroup Vcenter
        90 permit ip addrgroup PURE_Array addrgroup Vcenter
        100 permit ip addrgroup Unity_Array addrgroup Vcenter
        110 permit ip addrgroup 8th_Floor addrgroup Vcenter

Interface Vlan22
ip access-group Vcenter_ACL out

Hi @no_prop,

Sorry, but I do not understand what you are telling me.

You could make a simple logical topology and attach it. Also, you could indicate in it what you need to do.

Regards

Adding to the other post, check this thread; it may help you:

https://community.cisco.com/t5/switching/pls-explain-svi-acl-source-and-destination-direction/td-p/2365577/page/2

BB
*** Rate All Helpful Responses ***

Hello

@no_prop wrote:

Hey @luis_cordova.

Thanks for taking a look.

Both Vcenter and UCS_Internal_Management are object groups in VLAN 22. UCS_Internal_Management is an object group for VLAN 22's subnet. The other groups are hosts and subnets not in VLAN 22. None of the servers can communicate outside the VLAN except to hosts and addresses included in an object group defined below. Adding the line permit ip any addrgroup UCS_Internal_Management... allows traffic to exit the network/VLAN 22 and obviously defeats the purpose of the ACL.

Thanks again for looking.

IP access list Vcenter_ACL
        10 permit ip addrgroup Vcenter any
        20 permit ip addrgroup Server_Team any
        30 permit ip addrgroup Veeam_System any
        40 permit ip addrgroup Radius_ISE any
        60 permit ip addrgroup UCS_Internal_Management any
        70 permit ip addrgroup SNMP any
        80 permit ip addrgroup UCS_Systems addrgroup Vcenter
        90 permit ip addrgroup PURE_Array addrgroup Vcenter
        100 permit ip addrgroup Unity_Array addrgroup Vcenter
        110 permit ip addrgroup 8th_Floor addrgroup Vcenter

Interface Vlan22
ip access-group Vcenter_ACL out

Please note the established keyword is only applicable to TCP. Have a look at the example below to deny your subnets from initiating TCP connections towards VLAN 22, while allowing the connection if an established TCP connection is initiated from within VLAN 22.

ip access-list Vcenter_ACL
permit tcp addrgroup Vcenter any established
deny tcp addrgroup Vcenter any
permit tcp addrgroup Veeam_System any established
deny tcp addrgroup Veeam_System any
permit tcp addrgroup Radius_ISE any established
deny tcp addrgroup Radius_ISE any
etc.....
permit ip any any

int vlan 22
ip access-group Vcenter_ACL out

kind regards
Paul

Please rate and mark posts accordingly if you have found any of the information provided useful.
It will hopefully assist others with similar issues in the future.
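To make the two points in this thread concrete (Jon's "router ACLs don't keep state" and Paul's per-group "established" pattern), here is an added Python example, not code from the thread or from Cisco: a toy first-match evaluator that applies two constructed ACLs to constructed packets leaving the SVI into VLAN 22. The group names are borrowed from the question; the addresses, the Packet/Ace classes and the evaluator are assumptions of this example. It goes a step beyond Paul's post by also running a UDP reply through the established ACL, which is the case Jon's "if the connections are all TCP" caveat is about.

```python
# Added example (not from the thread): a toy first-match evaluator for a
# stateless router ACL, showing why return traffic is dropped without state
# and what the TCP "established" keyword does and does not cover.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed object groups. Group names mirror the thread; the addresses are
# made up for this example.
ADDRGROUPS = {
    "Vcenter": [ip_network("10.22.0.0/24")],      # hosts inside VLAN 22
    "Server_Team": [ip_network("10.50.1.0/24")],  # outside VLAN 22
    "Radius_ISE": [ip_network("10.9.9.10/32")],   # outside VLAN 22
}


@dataclass(frozen=True)
class Packet:
    proto: str                          # "tcp" or "udp"
    src: str
    dst: str
    tcp_flags: frozenset = frozenset()  # e.g. {"SYN"}, {"SYN", "ACK"}, {"ACK"}


@dataclass(frozen=True)
class Ace:
    action: str          # "permit" or "deny"
    proto: str           # "ip", "tcp" or "udp"
    src: str             # addrgroup name or "any"
    dst: str             # addrgroup name or "any"
    established: bool = False


def _addr_matches(spec, addr):
    if spec == "any":
        return True
    a = ip_address(addr)
    return any(a in net for net in ADDRGROUPS[spec])


def ace_matches(ace, pkt):
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not (_addr_matches(ace.src, pkt.src) and _addr_matches(ace.dst, pkt.dst)):
        return False
    if ace.established:
        # "established" matches TCP segments with ACK or RST set, i.e. anything
        # except the bare SYN that opens a new connection. No table is kept, so
        # the router never learns whether a segment belongs to a session that
        # VLAN 22 actually started; it only looks at the flags.
        return pkt.proto == "tcp" and bool(pkt.tcp_flags & {"ACK", "RST"})
    return True


def evaluate(acl, pkt):
    """First matching entry wins; a router ACL ends in an implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


# Both ACLs are written for application "out" on the SVI, i.e. they are
# evaluated on packets leaving the SVI toward the hosts in VLAN 22, so the
# VLAN 22 group sits on the destination side.

# Simplified from the first line of the question's ACL: the VLAN's own hosts
# are the source, so packets coming back toward them never match and fall
# through to the implicit deny.
ACL_STATELESS = [
    Ace("permit", "ip", "Vcenter", "any"),
]

# Per-group established/deny pairs followed by permit ip any any, after the
# shape of Paul's reply, with the groups placed on the side "out" evaluates.
ACL_ESTABLISHED = [
    Ace("permit", "tcp", "Server_Team", "Vcenter", established=True),
    Ace("deny", "ip", "Server_Team", "Vcenter"),
    Ace("permit", "tcp", "Radius_ISE", "Vcenter", established=True),
    Ace("deny", "ip", "Radius_ISE", "Vcenter"),
    Ace("permit", "ip", "any", "any"),
]

# Constructed traffic flowing out of the SVI into VLAN 22.
SYN_FROM_OUTSIDE = Packet("tcp", "10.50.1.5", "10.22.0.10", frozenset({"SYN"}))
TCP_REPLY = Packet("tcp", "10.50.1.5", "10.22.0.10", frozenset({"SYN", "ACK"}))
UDP_REPLY = Packet("udp", "10.50.1.5", "10.22.0.10")  # e.g. a DNS answer


def demo():
    """Verdicts a practitioner would check before applying either ACL."""
    return {
        "stateless_blocks_tcp_reply": evaluate(ACL_STATELESS, TCP_REPLY),
        "established_blocks_new_syn": evaluate(ACL_ESTABLISHED, SYN_FROM_OUTSIDE),
        "established_permits_tcp_reply": evaluate(ACL_ESTABLISHED, TCP_REPLY),
        "established_cannot_help_udp": evaluate(ACL_ESTABLISHED, UDP_REPLY),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The last verdict is the practical limit of the established approach: a UDP reply to a session VLAN 22 started is dropped because there is no flag to key on and no state table to consult, which is why the accepted answer points to reflexive ACLs or a firewall feature (CBAC, ZBFW) when the traffic mix is not purely TCP. Note also that permit ip any any at the end lets every source not named in an object group straight through, so each group you want restricted needs its own pair.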

Thanks @Jon Marshall

We have N77Ks in our data center and that is where the traffic needs to be filtered. Thanks again.