Wired Intelligent Edge


ACLs on CX 8325 allowing tcp connections which originated from within a vlan, but prevent inbound tcp connections

  • 1.  ACLs on CX 8325 allowing tcp connections which originated from within a vlan, but prevent inbound tcp connections

    Posted Sep 03, 2021 12:32 PM
    Hello,

    I have a CX 8325 switch.

    I'm trying to write an ACL which will allow all clients within my VLAN to make TCP connections on the wider internet, i.e. HTTP requests and SSH to external machines, but at the same time I want to prevent machines outside of the VLAN from initiating TCP connections into the VLAN. I'm applying the ACL on the VLAN inbound.

    I see that you specify the established flag when writing rules, but that seems to allow SYN packets going into the network too?

    ------------------------------
    Mark McDonagh
    ------------------------------


  • 2.  RE: ACLs on CX 8325 allowing tcp connections which originated from within a vlan, but prevent inbound tcp connections

    MVP GURU
    Posted Sep 04, 2021 08:34 AM
    Hi Mark, out of curiosity... with "but at the same time I want to prevent machines outside of the VLAN from initiating TCP connections into the VLAN" do you mean just internal hosts located on other VLANs routed by the Aruba 8325 (since Internet incoming connections should be preliminarily filtered out by a border firewall), or do you really mean all other possible existing hosts (networks), excluding those hosted in the relevant VLAN you want to protect?

    ------------------------------
    Davide Poletto
    ------------------------------



  • 3.  RE: ACLs on CX 8325 allowing tcp connections which originated from within a vlan, but prevent inbound tcp connections

    Posted Sep 08, 2021 12:52 PM
    Yes, internal hosts located on other VLANs routed by the Aruba 8325 should not be able to initiate TCP connections into the VLAN. I have figured out that if I use the following syntax on the VLAN ingress

    permit tcp any 10.1.1.0/255.255.255.0 established

    it will allow TCP connections back into the VLAN if they have been started by hosts within the VLAN, but hosts on other VLANs won't be able to initiate TCP connections into the VLAN.


    ------------------------------
    Mark McDonagh
    ------------------------------
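
The following is an added illustration, not code from the thread or from HPE Aruba: a small Python model of how a stateless ACL evaluates the `permit tcp any 10.1.1.0/255.255.255.0 established` rule from the post above against constructed packets. The model assumes the conventional meaning of `established` (match only when the ACK or RST bit is set) and the implicit deny at the end of an ACL; the packets, addresses and the `Packet`/`Rule` helpers are constructed for the example. It also shows the caveat a practitioner should keep in mind: because the match is on TCP flags rather than on connection state, a packet from another VLAN that carries the ACK bit is permitted even if no connection exists, so this rule blocks connection setup (the SYN) but is not a stateful firewall.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# TCP flag bits (standard values from the TCP header).
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10


@dataclass(frozen=True)
class Packet:
    """Constructed packet summary: only the fields the ACL looks at."""
    src: str
    dst: str
    proto: str   # "tcp", "udp", ...
    flags: int   # TCP flag bits, 0 for non-TCP


@dataclass(frozen=True)
class Rule:
    action: str                                # "permit" or "deny"
    proto: str                                 # "tcp", "udp", "any", ...
    src: Optional[ipaddress.IPv4Network]       # None means "any"
    dst: Optional[ipaddress.IPv4Network]       # None means "any"
    established: bool                          # match only ACK or RST set


def parse_addr(token: str) -> Optional[ipaddress.IPv4Network]:
    """Parse 'any', 'a.b.c.d', 'a.b.c.d/len' or 'a.b.c.d/mask' as in the post."""
    if token == "any":
        return None
    if "/" in token:
        # ipaddress accepts both prefix lengths and dotted netmasks here.
        return ipaddress.ip_network(token, strict=False)
    return ipaddress.ip_network(f"{token}/32")


def parse_rule(text: str) -> Rule:
    """Parse one ACE in the form '<action> <proto> <src> <dst> [established]'."""
    tokens = text.split()
    action, proto = tokens[0], tokens[1]
    src, dst = parse_addr(tokens[2]), parse_addr(tokens[3])
    return Rule(action, proto, src, dst, established="established" in tokens[4:])


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if rule.src is not None and ipaddress.ip_address(pkt.src) not in rule.src:
        return False
    if rule.dst is not None and ipaddress.ip_address(pkt.dst) not in rule.dst:
        return False
    # Assumed 'established' semantics: ACK or RST bit present. A bare SYN
    # (connection setup) never has either, so it falls through to the next ACE.
    if rule.established and not (pkt.flags & (TCP_ACK | TCP_RST)):
        return False
    return True


def evaluate(acl, pkt: Packet) -> str:
    """First matching ACE wins; an ACL ends with an implicit deny."""
    for rule in acl:
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"


# The single ACE from the post, followed by the implicit deny.
ACL = [parse_rule("permit tcp any 10.1.1.0/255.255.255.0 established")]

# Constructed traffic toward the protected VLAN 10.1.1.0/24.
SYN_FROM_OTHER_VLAN = Packet("10.2.2.5", "10.1.1.10", "tcp", TCP_SYN)
SYNACK_REPLY = Packet("10.2.2.5", "10.1.1.10", "tcp", TCP_SYN | TCP_ACK)
DATA_REPLY = Packet("10.2.2.5", "10.1.1.10", "tcp", TCP_ACK | TCP_PSH)
ACK_WITHOUT_SESSION = Packet("10.2.2.5", "10.1.1.10", "tcp", TCP_ACK)
UDP_FROM_OTHER_VLAN = Packet("10.2.2.5", "10.1.1.10", "udp", 0)


def decisions() -> dict:
    """Evaluate every constructed packet; used by the demo and the test."""
    return {
        "syn_setup": evaluate(ACL, SYN_FROM_OTHER_VLAN),        # deny
        "synack_reply": evaluate(ACL, SYNACK_REPLY),            # permit
        "data_reply": evaluate(ACL, DATA_REPLY),                # permit
        "ack_no_session": evaluate(ACL, ACK_WITHOUT_SESSION),   # permit (stateless caveat)
        "udp": evaluate(ACL, UDP_FROM_OTHER_VLAN),              # deny (implicit)
    }


if __name__ == "__main__":
    for name, verdict in decisions().items():
        print(f"{name:15s} -> {verdict}")
```

The `ack_no_session` line is the point to watch: the ACE cannot tell a genuine reply from any other ACK-flagged segment, so the rule is a connection-setup filter, not connection tracking. Note also that the model does not represent ACL direction; where the ACE is applied (VLAN in versus out) is taken as in the post.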