03-22-2021 03:50 AM
Hi!
I want to block UDP (best of all) traffic from vlan220 to vlan100, and allow udp traffic from vlan100 to vlan220.
Is there something new in the new IOS-XE? TCP works fine. But unfortunately, certain services using UDP are unavailable.
Thanks! PGI
03-22-2021 09:30 AM - edited 03-22-2021 10:06 AM
It's a bit unusual for most services, even those using UDP, not to need two-way communication. I.e. blocking all UDP in one direction will generally "break" such services.
On the other hand, allowing responses to traffic started on one side, but not the other, is, often, a useful security measure. For such services, often some kind of "stateful" filter is needed.
Such stateful filtering is, on Cisco platforms, often supported by firewall-like features or by using reflexive ACLs; I don't know if either of these is supported on your C9k.
Without a stateful filter, you might still have an ACL with ACEs that permit very specific UDP traffic, for example, traffic that's directed to specific IPs and/or ports.
BTW, for TCP traffic, a "simple" ACE that permits TCP packets with the established option might be used for "response" packets.
03-22-2021 09:10 AM
Can you give us an example for us to understand - what was the old version code you were referring to?
Here is the reference:
03-22-2021 09:38 AM
This is the config for the TCP & ICMP-Traffic:
ip access-list extended Inbound-VLAN100
 10 permit tcp 192.168.100.0 0.0.0.255 any ack
 11 permit icmp 192.168.100.0 0.0.0.255 any echo-reply
 90 deny ip any 192.168.0.0 0.0.255.255
 100 permit ip any any
03-22-2021 10:18 AM
ACE #11 is a good example of my mention of a specific UDP ACE using an IP and/or port.
ACE #10 is a bit interesting as it's using just the ACK bit. What the established option does is also check the RST bit. That said, I don't believe you would see a packet with just the RST set, i.e. without the ACK set too, so not allowing for RST too might be unnecessary, and checking just the ACK might be a tiny bit faster. That said, seeing something like:
10 permit tcp 192.168.100.0 0.0.0.255 any established
might be a bit clearer as to the purpose of the ACE.
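As an added illustration (my own example, not code from the thread and not Cisco IOS-XE configuration), the Python below models the two mechanisms discussed in this thread so their behaviour can be checked on sample packets: the stateless TCP keywords (`ack` checks only the ACK bit, `established` accepts ACK or RST) and a reflexive-ACL style state table that lets UDP answers from vlan220 back into vlan100 only when a vlan100 host started the exchange. The 192.168.100.0/24 subnet is the one in the posted ACL; 192.168.220.0/24 for vlan220 is an assumption, as the thread never gives it, and all sample packets are constructed.

```python
"""Added example (not IOS-XE code, not from the thread): a small model of
the two filtering mechanisms discussed above.

  * matches_ack / matches_established mirror the stateless TCP ACE keywords
    ('ack' checks only the ACK bit; 'established' accepts ACK or RST).
  * ReflexiveUdpFilter mimics a reflexive ACL for UDP: a datagram from
    vlan100 to vlan220 creates a mirrored entry, and only a vlan220 datagram
    matching that entry is permitted back, until the entry times out.

192.168.100.0/24 is the vlan100 subnet from the thread's ACL;
192.168.220.0/24 for vlan220 is an assumption made for this example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

VLAN100 = ip_network("192.168.100.0/24")  # from the thread's ACL
VLAN220 = ip_network("192.168.220.0/24")  # assumed for the example


@dataclass(frozen=True)
class Packet:
    proto: str           # "tcp" or "udp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False    # TCP ACK flag
    rst: bool = False    # TCP RST flag


def matches_ack(p: Packet) -> bool:
    """Stateless 'permit tcp ... ack': true only when the ACK bit is set."""
    return p.proto == "tcp" and p.ack


def matches_established(p: Packet) -> bool:
    """Stateless 'permit tcp ... established': true when ACK or RST is set."""
    return p.proto == "tcp" and (p.ack or p.rst)


class ReflexiveUdpFilter:
    """Direction-aware filter between vlan100 (may start UDP exchanges) and
    vlan220 (may only answer them). Time is passed in explicitly so that
    entry expiry can be exercised deterministically."""

    def __init__(self, timeout: float = 60.0) -> None:
        self.timeout = timeout
        # (src, sport, dst, dport) of the *expected reply* -> expiry time
        self._reflected: dict[tuple[str, int, str, int], float] = {}

    def _expire(self, now: float) -> None:
        for key, expiry in list(self._reflected.items()):
            if expiry <= now:
                del self._reflected[key]

    def vlan100_to_vlan220(self, p: Packet, now: float) -> str:
        """Traffic leaving vlan100 for vlan220: permitted; UDP is reflected."""
        self._expire(now)
        if ip_address(p.src) not in VLAN100 or ip_address(p.dst) not in VLAN220:
            return "deny"
        if p.proto == "udp":
            # The reply will have source and destination swapped.
            self._reflected[(p.dst, p.dport, p.src, p.sport)] = now + self.timeout
        return "permit"

    def vlan220_to_vlan100(self, p: Packet, now: float) -> str:
        """Traffic from vlan220 into vlan100: only responses get through."""
        self._expire(now)
        if ip_address(p.src) not in VLAN220 or ip_address(p.dst) not in VLAN100:
            return "deny"
        if p.proto == "tcp":
            # Same idea as the thread's ACE 10, with 'established' semantics.
            return "permit" if matches_established(p) else "deny"
        if p.proto == "udp":
            key = (p.src, p.sport, p.dst, p.dport)
            if key in self._reflected:
                self._reflected[key] = now + self.timeout  # refresh on use
                return "permit"
        return "deny"


if __name__ == "__main__":
    # Constructed sample traffic: a vlan100 host queries a vlan220 UDP service.
    f = ReflexiveUdpFilter(timeout=60.0)
    query = Packet("udp", "192.168.100.10", "192.168.220.53", sport=40000, dport=53)
    reply = Packet("udp", "192.168.220.53", "192.168.100.10", sport=53, dport=40000)
    print("unsolicited reply:", f.vlan220_to_vlan100(reply, now=0.0))   # deny
    print("query out:        ", f.vlan100_to_vlan220(query, now=0.0))   # permit
    print("matching reply:   ", f.vlan220_to_vlan100(reply, now=1.0))   # permit
    print("reply after idle: ", f.vlan220_to_vlan100(reply, now=120.0)) # deny
```

The model makes the difference between the two approaches visible: the TCP check is stateless and trusts whatever flag bits the packet carries, which is why it is cheap, while UDP has no flags to trust at all, so the only way to admit "responses" and nothing else is the state table that the reflexive entry provides. Whether a given C9k/IOS-XE release offers such a reflexive or firewall feature is, as the answer above says, something to verify on the platform itself.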