Wired Intelligent Edge


ACLs on CX 8325 allowing tcp connections which originated from within a vlan, but prevent inbound tcp connections

  • 1.  ACLs on CX 8325 allowing tcp connections which originated from within a vlan, but prevent inbound tcp connections

    Posted 22 days ago
    Hello,

    I have a CX 8325 switch.

    I'm trying to write an ACL which will allow all clients within my VLAN to make TCP connections on the wider internet, i.e. HTTP requests and SSH to external machines, but at the same time I want to prevent machines outside of the VLAN from initiating TCP connections into the VLAN. I'm applying the ACL on the VLAN inbound.

    I see that you specify the established flag when writing rules, but that seems to allow SYN packets going into the network too?

    ------------------------------
    Mark McDonagh
    ------------------------------


  • 2.  RE: ACLs on CX 8325 allowing tcp connections which originated from within a vlan, but prevent inbound tcp connections

    Posted 21 days ago
    Hi Mark, out of curiosity... with "but at the same time I want to prevent machines outside of the VLAN from initiating TCP connections into the VLAN", do you mean just internal hosts located on other VLANs routed by the Aruba 8325 (since incoming Internet connections should be preliminarily filtered out by a border firewall), or do you really mean all other possible existing hosts (networks), excluding those hosted in the relevant VLAN you want to protect?

    ------------------------------
    Davide Poletto
    ------------------------------



  • 3.  RE: ACLs on CX 8325 allowing tcp connections which originated from within a vlan, but prevent inbound tcp connections

    Posted 17 days ago
    Yes, internal hosts located on other VLANs routed by the Aruba 8325 should not be able to initiate TCP connections into the VLAN. I have figured out that if I use the following syntax on the VLAN ingress

    permit tcp any 10.1.1.0/255.255.255.0 established

    it will allow TCP connections back into the VLAN if they have been started by hosts within the VLAN, but hosts on other VLANs won't be able to initiate TCP connections into the VLAN.


    ------------------------------
    Mark McDonagh
    ------------------------------
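To show why the rule in the reply above behaves as Mark describes, here is an added example (not from the thread or from Aruba) that models the `established` keyword the way a stateless ACL evaluates it: a match on the TCP ACK or RST flag bits, with no connection table. The source addresses and the implicit deny at the end of the ACL are constructed assumptions for the demonstration.

```python
import ipaddress
from dataclasses import dataclass

# TCP flag bits as they appear in the TCP header.
SYN, RST, ACK = 0x02, 0x04, 0x10


@dataclass
class Packet:
    proto: str      # "tcp" or "udp"
    src: str
    dst: str
    flags: int = 0  # TCP flag bits; 0 for non-TCP


def in_net(addr: str, spec: str) -> bool:
    """Match 'any' or a network written in CX mask syntax (10.1.1.0/255.255.255.0)."""
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def matches(rule: dict, pkt: Packet) -> bool:
    if rule["proto"] not in ("ip", pkt.proto):
        return False
    if not (in_net(pkt.src, rule["src"]) and in_net(pkt.dst, rule["dst"])):
        return False
    # 'established' is stateless: the packet must carry ACK or RST. A bare SYN
    # (the first packet of a new connection) never matches it.
    if rule.get("established") and not (pkt.flags & (ACK | RST)):
        return False
    return True


# Ingress ACL for the VLAN as in the thread, followed by the implicit deny.
VLAN_ACL = [
    {"action": "permit", "proto": "tcp", "src": "any",
     "dst": "10.1.1.0/255.255.255.0", "established": True},
    {"action": "deny", "proto": "ip", "src": "any", "dst": "any"},
]


def evaluate(acl, pkt: Packet) -> str:
    """First matching rule wins, as on the switch."""
    for rule in acl:
        if matches(rule, pkt):
            return rule["action"]
    return "deny"


def demo() -> dict:
    # Constructed sample traffic; 192.0.2.10 and 10.2.2.7 are placeholder hosts.
    reply_from_outside = Packet("tcp", "192.0.2.10", "10.1.1.5", SYN | ACK)
    new_conn_from_other_vlan = Packet("tcp", "10.2.2.7", "10.1.1.5", SYN)
    return {"reply": evaluate(VLAN_ACL, reply_from_outside),
            "new_connection": evaluate(VLAN_ACL, new_conn_from_other_vlan)}
```

Because the check is on flag bits rather than on tracked connection state, this rule is a coarse filter, not a substitute for a stateful firewall between VLANs.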