
C9k: ACL block traffic only one way?

pgi
Level 1

Hi!

I want to block UDP (best of all) traffic from vlan220 to vlan100, and allow udp traffic from vlan100 to vlan220.

Is there something new in the new IOS-XE? TCP works fine. But unfortunately, certain services using UDP are unavailable.

Thanks! PGI

1 Accepted Solution

Accepted Solutions

Joseph W. Doherty
Hall of Fame

It's a bit unusual for most services, even using UDP, that don't need two-way communication. I.e. blocking all UDP in one direction will generally "break" such services.

On the other hand, allowing responses to traffic started on one side, but not the other, is, often, a useful security measure. For such services, often some kind of "stateful" filter is needed.

Such stateful filtering is, on Cisco platforms, often supported by firewall-like features or using reflexive ACLs; I don't know if either of these are supported on your C9k.

Without a stateful filter, you might still have an ACL with ACEs that permit very specific UDP traffic, for example, traffic that's directed to specific IPs and/or ports.

BTW, for TCP traffic, a "simple" ACE that permits TCP packets with the established option might be used for "response" packets.


4 Replies

balaji.bandi
Hall of Fame

Can you give us an example so we can understand - what was the old version code you were referring to?

Here is a reference:

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9500/software/release/16-12/configuration_guide/sec/b_1612_sec_9500_cg/configuring_ipv4_acls.html

BB


This is the config for the TCP & ICMP-Traffic:

ip access-list extended Inbound-VLAN100
10 permit tcp 192.168.100.0 0.0.0.255 any ack
11 permit icmp 192.168.100.0 0.0.0.255 any echo-reply
90 deny ip any 192.168.0.0 0.0.255.255
100 permit ip any any 

ACE #11 is a good example of my mention of a specific UDP ACE using an IP and/or port.

ACE #10 is a bit interesting as it's using just the ACK bit. What the established option does, it also checks the RST bit. That said, I don't believe you would see a packet with just the RST set, i.e. without the ACK set too, so, not allowing for RST too might be unnecessary and checking just the ACK might be a tiny bit faster. That said, seeing something like:

10 permit tcp 192.168.100.0 0.0.0.255 any established

might be a bit clearer to the purpose of the ACE.
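As an added illustration, not from the thread or from Cisco, here is a small Python model of the posted Inbound-VLAN100 ACL evaluated statelessly against constructed packets, next to a minimal reflexive-ACL-style flow tracker of the kind Joseph mentions. The host addresses, ports and the mirrored 5-tuple matching are assumptions; the ACL lines themselves come from the post above, with wildcard masks rewritten as CIDR prefixes.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()  # TCP flags ("ack", "syn", ...) or ICMP type ("echo-reply")

# The thread's Inbound-VLAN100 ACL; wildcard masks rewritten as CIDR prefixes.
# Tuple: (sequence, action, protocol, source, destination, required flags/type)
INBOUND_VLAN100 = [
    (10,  "permit", "tcp",  "192.168.100.0/24", "0.0.0.0/0",      {"ack"}),
    (11,  "permit", "icmp", "192.168.100.0/24", "0.0.0.0/0",      {"echo-reply"}),
    (90,  "deny",   "ip",   "0.0.0.0/0",        "192.168.0.0/16", set()),
    (100, "permit", "ip",   "0.0.0.0/0",        "0.0.0.0/0",      set()),
]

def ace_matches(ace, pkt):
    _, _, proto, src, dst, required = ace
    if proto != "ip" and proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(src):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(dst):
        return False
    return required <= pkt.flags    # every required flag/type must be set

def evaluate(acl, pkt):
    """Stateless first-match lookup with the implicit deny at the end."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace[1], ace[0]
    return "deny", None

class ReflexiveFilter:
    """Assumed model of reflexive-ACL behaviour (not Cisco's implementation):
    a request seen in the permitted direction opens a mirrored 5-tuple entry,
    and only a reply matching that entry is permitted back."""
    def __init__(self):
        self.open_flows = set()
    def track_request(self, pkt):
        self.open_flows.add((pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))
    def check_reply(self, pkt):
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return "permit" if key in self.open_flows else "deny"
```

Run against constructed traffic, a TCP reply from VLAN100 matches ACE 10, but a UDP (e.g. DNS) reply from VLAN100 falls through to ACE 90 and is denied, which is the "UDP services unavailable" symptom; the tracker permits that same reply only after the matching request was seen.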

