
ACLs for One Way VLAN Traffic across Switch (TCP Established)

InquiringTech
Level 1

So this all takes place on a Catalyst 9200 Layer 3 switch, where VLANs have virtual interfaces (SVIs). I have several networks of 10.1.x.x that are our main data subnets (VLANs 25, 26, 29, 30). There is a lab network (VLAN 20) at 172.16.20.0/24 that I want the other networks to be able to access or initiate connections to, but not vice versa from the lab network out to the others. For example, I didn't want to enable pinging and RDP sessions from the VLAN 20 network to the others, but vice versa is okay. I tried setting up some ACLs, but they don't seem to be doing what I want:

 

Extended IP access list established_tcp
10 permit tcp 10.1.0.0 0.0.255.255 172.16.20.0 0.0.0.255 established
20 deny tcp 172.16.20.0 0.0.0.255 10.1.0.0 0.0.255.255 
30 permit ip any any

 

Extended IP access list icmp_across_vlan
10 permit icmp 10.1.0.0 0.0.255.255 172.16.20.0 0.0.0.255 echo
20 permit icmp 10.1.0.0 0.0.255.255 172.16.20.0 0.0.0.255 echo-reply
25 deny icmp 172.16.0.0 0.0.255.255 10.1.0.0 0.0.255.255 (10 matches)
30 permit ip any any

Then I went into the config for the SVI 'int vlan 20' and entered

ip access-group established_tcp in

ip access-group icmp_across_vlan in

But this prevents pings from either side, not just from the VLAN 20 side. Also, somehow RDP sessions still work even from VLAN 20 when they're not supposed to. Not sure what's wrong here. I even tried modifying the second line in the first ACL to '20 deny tcp 172.16.20.0 0.0.0.255 10.1.0.0 0.0.255.255 eq 3389' to explicitly specify RDP (although I want to cover all TCP), and it still didn't block it.

Any ideas for this?

 


5 Replies

Hi @InquiringTech 

I would try something simple like

ip access-list extended Lab
 deny ip any 172.16.20.0 0.0.0.255
 permit ip any any

interface vlan 25 (do it for every VLAN: 25, 26, 29, 30)
 ip access-group Lab in

InquiringTech
Level 1

I actually figured it out using these simple commands

Extended IP access list est_tcp
10 permit tcp any any established
20 permit icmp any any echo-reply

and then putting that on int vlan 20 in

Correct, because "established" is a TCP protocol option, and ping is ICMP.

Possibly, if your device supports, the next "level" of ACL to ("better") support your requirement, might be, Cisco's Reflexive ACL.

By the way, would you know how to make that 172.16.20.0 VLAN 20 network able to get an address via DHCP from a server in the 10.1.26.0 subnet, given this access list? I set up a dhcp relay and moved the dhcp server to 10.1.26.5 rather than using the built in switch dhcp that has worked thus far (basically to make it easier to manage).

I added a '30 permit udp 172.16.20.0 0.0.0.255 10.1.26.0 0.0.0.255 eq 67 68' (also one for the other way around), but now even internet access is blocked for VLAN 20, whereas it wasn't before. The only deny is the implicit deny at the end of the ACL. Also, when I just use the built-in DHCP server on the Catalyst switch itself, it doesn't have this problem. 

I added an 'ip helper-address 10.1.26.5' line. But it only works when I take that ACL down entirely. Not sure why it's still blocking it.

A helper "repackages" the DHCP request.  Off-the-top-of-my-head I don't recall all the details.  You might search for that info or try logging on an explicit, and last, ACE denying all.
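As an added illustration (not code from this thread or from Cisco IOS), here is a small Python model of extended-ACL evaluation with Cisco wildcard masks, the `established` keyword and the implicit deny, run against the ACLs above as they apply inbound on the VLAN 20 SVI, i.e. to traffic sourced by lab hosts. It assumes that `established` matches TCP segments with ACK or RST set, that only one ACL is in effect per interface and direction, and that a DHCP discover arrives with source 0.0.0.0 and destination 255.255.255.255, so an ACE written for 172.16.20.0/24 never matches it.

```python
# Added model of Cisco extended-ACL matching; not IOS code. Assumes "established"
# means ACK or RST set, and that an unmatched packet hits the implicit deny.
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 1 bit means 'do not care' for that bit."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def ace_matches(ace, pkt):
    proto, src, swc, dst, dwc, opt = ace
    if proto != "ip" and proto != pkt["proto"]:
        return False
    if not (wildcard_match(pkt["src"], src, swc) and wildcard_match(pkt["dst"], dst, dwc)):
        return False
    if opt == "established":            # TCP only: ACK or RST flag present
        return bool(pkt.get("flags", set()) & {"ACK", "RST"})
    if opt in ("echo", "echo-reply"):   # ICMP type keyword
        return pkt.get("icmp") == opt
    if opt.startswith("eq "):           # destination port list, e.g. "eq 67 68"
        return str(pkt.get("dport")) in opt.split()[1:]
    return True

def evaluate(acl, pkt):
    """Action of the first matching ACE; otherwise the implicit deny at the end."""
    for action, *ace in acl:
        if ace_matches(ace, pkt):
            return action
    return "deny"
ANY = ("0.0.0.0", "255.255.255.255")
# The accepted ACL, applied inbound on int vlan 20 (traffic sourced by lab hosts).
EST_TCP = [("permit", "tcp", *ANY, *ANY, "established"),
           ("permit", "icmp", *ANY, *ANY, "echo-reply")]
# The original icmp_across_vlan ACL from the question.
ICMP_ACROSS_VLAN = [("permit", "icmp", "10.1.0.0", "0.0.255.255", "172.16.20.0", "0.0.0.255", "echo"),
                    ("permit", "icmp", "10.1.0.0", "0.0.255.255", "172.16.20.0", "0.0.0.255", "echo-reply"),
                    ("deny", "icmp", "172.16.0.0", "0.0.255.255", "10.1.0.0", "0.0.255.255", ""),
                    ("permit", "ip", *ANY, *ANY, "")]
# est_tcp plus the DHCP ACE from the follow-up question.
WITH_DHCP = EST_TCP + [("permit", "udp", "172.16.20.0", "0.0.0.255", "10.1.26.0", "0.0.0.255", "eq 67 68")]
# Constructed sample packets as they arrive inbound on the VLAN 20 SVI.
PACKETS = {
    "lab_rdp_syn":    {"proto": "tcp", "src": "172.16.20.10", "dst": "10.1.25.5", "dport": 3389, "flags": {"SYN"}},
    "lab_reply_ack":  {"proto": "tcp", "src": "172.16.20.10", "dst": "10.1.25.5", "dport": 51000, "flags": {"ACK"}},
    "lab_ping":       {"proto": "icmp", "src": "172.16.20.10", "dst": "10.1.25.5", "icmp": "echo"},
    "lab_echo_reply": {"proto": "icmp", "src": "172.16.20.10", "dst": "10.1.25.5", "icmp": "echo-reply"},
    "dhcp_discover":  {"proto": "udp", "src": "0.0.0.0", "dst": "255.255.255.255", "dport": 67},  # client broadcast
}
def verdicts(acl):
    return {name: evaluate(acl, pkt) for name, pkt in PACKETS.items()}
```

Running `verdicts` over the three ACLs shows why est_tcp lets lab hosts answer but not initiate, why the original ICMP ACL dropped echo-replies leaving VLAN 20 (so pings from the data VLANs failed as well), and why the added DHCP ACE never sees a client's discover.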
