ACL on SVI

no_prop
Level 1

Hello all. I need to restrict access to a Vlan on the network. I have applied the "outbound" ACL to the Vlan's SVI. After applying the ACL to the SVI, servers on that vlan can't talk out to other networks. After some testing it looks like return traffic, sourced from inside the Vlan, is being blocked. Is this expected behavior? Is it possible to create a stateful ACL? Thanks in advance for any ideas and/or help!

Accepted Solution

Jon Marshall
Hall of Fame

Yes, it is expected behaviour because router ACLs don't keep state.

If the connections are all TCP (unlikely) you could look to use the "established" keyword in your ACL.

The alternative, as you mention, is to use ACLs that keep state. Reflexive ACLs do this but have limited support on switches, or, again if your device supports it, firewall functionality, e.g. CBAC, ZBFW.

Jon


luis_cordova
VIP Alumni

Hi @no_prop,

Could you show us the configured ACL and its application?

Regards

Hey @luis_cordova.

Thanks for taking a look.

Both Vcenter and UCS_Internal_Management are object groups in Vlan22. UCS_Internal_Management is an object group for Vlan 22's subnet. The other groups are hosts and subnets not in vlan 22. None of the servers can communicate outside the vlan except to hosts and addresses included in an object group defined below. Adding the line permit ip any addrgroup UCS_Internal_Management... allows traffic to exit the network/VLAN22 and obviously defeats the purpose of the ACL.

Thanks again for looking.

IP access list Vcenter_ACL
        10 permit ip addrgroup Vcenter any
        20 permit ip addrgroup Server_Team any
        30 permit ip addrgroup Veeam_System any
        40 permit ip addrgroup Radius_ISE any
        60 permit ip addrgroup UCS_Internal_Management any
        70 permit ip addrgroup SNMP any
        80 permit ip addrgroup UCS_Systems addrgroup Vcenter
        90 permit ip addrgroup PURE_Array addrgroup Vcenter
        100 permit ip addrgroup Unity_Array addrgroup Vcenter
        110 permit ip addrgroup 8th_Floor addrgroup Vcenter

Interface Vlan22
ip access-group Vcenter_ACL out

Hi @no_prop,

Sorry, but I do not understand what you are telling me.

You could make a simple logical topology and attach it. Also, you could indicate in it what you need to do.

Regards

Hello


Please note the established keyword is only applicable to TCP. Have a look at the example below, which denies your subnets from initiating TCP connections towards vlan22 but allows the connection if an established TCP connection is initiated from within vlan 22.

ip access-list Vcenter_ACL
  permit tcp addrgroup Vcenter any established
  deny tcp addrgroup Vcenter any
  permit tcp addrgroup Veeam_System any established
  deny tcp addrgroup Veeam_System any
  permit tcp addrgroup Radius_ISE any established
  deny tcp addrgroup Radius_ISE any
  etc.....
  permit ip any any

int vlan 22
  ip access-group Vcenter_ACL out

Kind Regards
Paul
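An added example, not from the thread, that models a stateless ACL applied out on the Vlan22 SVI to show Jon's point and Paul's established example: the return SYN/ACK of a session opened from inside the VLAN is dropped by a plain permit list, passes once a TCP established entry is added, while a new inbound SYN and any UDP reply stay denied. The object-group members and packet addresses are constructed; the entries mirror the thread's addrgroup style.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
# Constructed address groups standing in for the thread's object groups.
ADDRGROUPS = {"Vcenter": [ip_network("10.22.0.10/32")],
              "UCS_Systems": [ip_network("10.50.0.0/24")]}

@dataclass
class Packet:
    proto: str                 # "tcp" or "udp"
    src: str
    dst: str
    flags: set = field(default_factory=set)   # TCP flags, e.g. {"SYN", "ACK"}

def in_group(addr, name):
    """'any' matches everything; otherwise test membership in the object group."""
    return name == "any" or any(ip_address(addr) in n for n in ADDRGROUPS[name])

def ace_matches(ace, pkt):
    """ace = (proto, src_group, dst_group, established)."""
    proto, src, dst, established = ace
    if proto not in ("ip", pkt.proto):
        return False
    if not (in_group(pkt.src, src) and in_group(pkt.dst, dst)):
        return False
    # "established" matches only TCP segments with ACK or RST set (not the first SYN); no session table.
    if established:
        return pkt.proto == "tcp" and bool(pkt.flags & {"ACK", "RST"})
    return True

def evaluate(acl, pkt):
    """First match wins; implicit deny at the end, as on the switch."""
    for action, *ace in acl:
        if ace_matches(ace, pkt):
            return action
    return "deny"

# OP's style: only listed outside sources may be routed into VLAN 22 toward Vcenter.
ORIGINAL_ACL = [("permit", "ip", "UCS_Systems", "Vcenter", False)]
# Jon's/Paul's suggestion: an "established" entry ahead of the explicit permits.
ESTABLISHED_ACL = [("permit", "tcp", "any", "Vcenter", True)] + ORIGINAL_ACL
# Packets hitting the SVI in the "out" direction (routed from elsewhere into VLAN 22).
SYN_ACK_REPLY = Packet("tcp", "192.0.2.40", "10.22.0.10", {"SYN", "ACK"})
UNSOLICITED_SYN = Packet("tcp", "192.0.2.40", "10.22.0.10", {"SYN"})
DNS_REPLY = Packet("udp", "192.0.2.53", "10.22.0.10")

def demo():
    return {"original/syn-ack": evaluate(ORIGINAL_ACL, SYN_ACK_REPLY),
            "established/syn-ack": evaluate(ESTABLISHED_ACL, SYN_ACK_REPLY),
            "established/syn": evaluate(ESTABLISHED_ACL, UNSOLICITED_SYN),
            "established/udp": evaluate(ESTABLISHED_ACL, DNS_REPLY)}
```

The UDP case is the caveat behind Jon's "if the connections are all TCP (unlikely)": a DNS or NTP reply has no flag bits for established to inspect, so only a genuinely stateful mechanism lets it back in.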


Thanks @Jon Marshall

We have N77Ks in our data center, which is where the traffic needs to be filtered. Thanks again.
