02-14-2019 01:43 PM - edited 03-08-2019 05:20 PM
Hello all. I need to restrict access to a VLAN on the network. I have applied the "outbound" ACL to the VLAN's SVI. After applying the ACL to the SVI, servers on that VLAN can't talk out to other networks. After some testing it looks like return traffic, sourced from inside the VLAN, is being blocked. Is this expected behavior? Is it possible to create a stateful ACL? Thanks in advance for any ideas and/or help!
02-15-2019 01:21 AM
Yes, it is expected behaviour because router ACLs don't keep state.
If the connections are all TCP (unlikely) you could look to use the "established" keyword in your ACL.
The alternative, as you mention, is to use ACLs that keep state: reflexive ACLs do this but have limited support on switches; or, again if your device supports it, firewall functionality, e.g. CBAC, ZBFW.
Jon
02-14-2019 01:46 PM
02-14-2019 02:12 PM
Hey @luis_cordova.
Thanks for taking a look.
Both Vcenter and UCS_Internal_Management are object groups in Vlan22. UCS_Internal_Management is an object group for Vlan 22's subnet. The other groups are hosts and subnets not in vlan 22. None of the servers can communicate outside the vlan except to hosts and addresses included in an object group defined below. Adding the line permit ip any addrgroup UCS_Internal_Management... allows traffic to exit the network/VLAN22 and obviously defeats the purpose of the ACL.
Thanks again for looking.
IP access list Vcenter_ACL
10 permit ip addrgroup Vcenter any
20 permit ip addrgroup Server_Team any
30 permit ip addrgroup Veeam_System any
40 permit ip addrgroup Radius_ISE any
60 permit ip addrgroup UCS_Internal_Management any
70 permit ip addrgroup SNMP any
80 permit ip addrgroup UCS_Systems addrgroup Vcenter
90 permit ip addrgroup PURE_Array addrgroup Vcenter
100 permit ip addrgroup Unity_Array addrgroup Vcenter
110 permit ip addrgroup 8th_Floor addrgroup Vcenter
Interface Vlan22
ip access-group Vcenter_ACL out
02-14-2019 03:56 PM
Hi @no_prop,
Sorry, but I do not understand what you are telling me.
You could make a simple logical topology and attach it. Also, you could indicate in it what you need to do.
Regards
02-14-2019 09:47 PM
Adding to the other post: check this thread, it may help you:
02-15-2019 01:36 AM - edited 02-15-2019 01:38 AM
Hello
@no_prop wrote:
Hey @luis_cordova.
Thanks for taking a look.
Both Vcenter and UCS_Internal_Management are object groups in Vlan22. UCS_Internal_Management is an object group for Vlan 22's subnet. The other groups are hosts and subnets not in vlan 22. None of the servers can communicate outside the vlan except to hosts and addresses included in an object group defined below. Adding the line permit ip any addrgroup UCS_Internal_Management... allows traffic to exit the network/VLAN22 and obviously defeats the purpose of the ACL.
Thanks again for looking.
IP access list Vcenter_ACL
10 permit ip addrgroup Vcenter any
20 permit ip addrgroup Server_Team any
30 permit ip addrgroup Veeam_System any
40 permit ip addrgroup Radius_ISE any
60 permit ip addrgroup UCS_Internal_Management any
70 permit ip addrgroup SNMP any
80 permit ip addrgroup UCS_Systems addrgroup Vcenter
90 permit ip addrgroup PURE_Array addrgroup Vcenter
100 permit ip addrgroup Unity_Array addrgroup Vcenter
110 permit ip addrgroup 8th_Floor addrgroup Vcenter
Interface Vlan22
ip access-group Vcenter_ACL out
Please note the established keyword is only applicable to TCP. Have a look at the example below, which denies your subnets from initiating TCP connections towards vlan 22 but allows the connection if an established TCP connection is initiated from within vlan 22.
IP access list Vcenter_ACL
permit tcp addrgroup Vcenter any established
deny tcp addrgroup Vcenter any
permit tcp addrgroup Veeam_System any established
deny tcp addrgroup Veeam_System any
permit tcp addrgroup Radius_ISE any established
deny tcp addrgroup Radius_ISE any
etc.....
permit ip any any
int vlan 22
ip access-group Vcenter_ACL out
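As an added illustration that is not part of the thread, here is a small stateless ACL evaluator in Python. It walks the SYN/ACK reply of a TCP session that a vlan 22 host opened through the "out" ACL on the SVI, first against two of the poster's entries and then against an entry using the established keyword, and also shows that a UDP reply is still dropped. The object groups, addresses and the ACE direction (vlan 22 group as destination, since an "out" ACL on the SVI sees traffic entering vlan 22) are assumptions of this example.

```python
from ipaddress import ip_address, ip_network

# Constructed object groups (sample addresses, not the poster's real ones).
GROUPS = {
    "Vcenter": [ip_network("10.22.0.0/24")],       # the vlan 22 subnet
    "UCS_Systems": [ip_network("10.50.0.0/24")],   # a group outside vlan 22
}

def in_group(name, addr):
    """'any' matches everything; otherwise addr must fall in one of the group's prefixes."""
    return name == "any" or any(ip_address(addr) in net for net in GROUPS[name])

def matches(ace, pkt):
    """Test one ACE, given as (action, proto, src_group, dst_group, established)."""
    action, proto, src, dst, established = ace
    if proto != "ip" and proto != pkt["proto"]:
        return False
    if not (in_group(src, pkt["src"]) and in_group(dst, pkt["dst"])):
        return False
    # 'established' only matches TCP segments with ACK or RST set, so a bare
    # SYN (a new connection attempt) never matches an 'established' entry.
    if established and not (pkt["flags"] & {"ACK", "RST"}):
        return False
    return True

def evaluate(acl, pkt):
    """First matching entry wins; every ACL ends with an implicit deny."""
    for ace in acl:
        if matches(ace, pkt):
            return ace[0]
    return "deny"

# The poster's ACL reduced to two entries, applied 'out' on interface Vlan22.
OP_ACL = [
    ("permit", "ip", "Vcenter", "any", False),          # 10 permit ip addrgroup Vcenter any
    ("permit", "ip", "UCS_Systems", "Vcenter", False),  # 80 permit ip addrgroup UCS_Systems addrgroup Vcenter
]
# Same direction, but letting replies to TCP sessions opened from vlan 22 back in.
ESTABLISHED_ACL = [
    ("permit", "tcp", "any", "Vcenter", True),          # permit tcp any addrgroup Vcenter established
    ("permit", "ip", "UCS_Systems", "Vcenter", False),
]

# Constructed packets leaving the SVI into vlan 22 (what an 'out' ACL inspects).
RETURN_SYNACK = {"proto": "tcp", "src": "10.99.0.5", "dst": "10.22.0.10", "flags": {"SYN", "ACK"}}
INBOUND_SYN = {"proto": "tcp", "src": "10.99.0.5", "dst": "10.22.0.10", "flags": {"SYN"}}
UDP_REPLY = {"proto": "udp", "src": "10.99.0.53", "dst": "10.22.0.10", "flags": set()}

if __name__ == "__main__":
    print("poster's ACL, SYN/ACK reply:", evaluate(OP_ACL, RETURN_SYNACK))              # deny
    print("established ACL, SYN/ACK reply:", evaluate(ESTABLISHED_ACL, RETURN_SYNACK))  # permit
    print("established ACL, new SYN from outside:", evaluate(ESTABLISHED_ACL, INBOUND_SYN))  # deny
    print("established ACL, UDP reply (no state):", evaluate(ESTABLISHED_ACL, UDP_REPLY))  # deny
```

The last case is the caveat from the replies above: established helps only for TCP, so DNS, NTP or other UDP replies still need their own permit entries or a genuinely stateful device.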
02-15-2019 09:07 AM
Thanks @Jon Marshall
We have N77Ks in our data center, which is where the traffic needs to be filtered. Thanks again.