Wired Intelligent Edge


Aruba 3500y Extended ACL between VLAN does not work (implicit deny)

  • 1.  Aruba 3500y Extended ACL between VLAN does not work (implicit deny)

    Posted Feb 11, 2020 07:52 AM

    Hello,

    I have some trouble implementing extended ACLs between VLANs. I would like to control the traffic and so only permit allowed traffic.

    I am starting from a simple configuration with 2 VLANs:

    • VLAN 10: 192.168.10.0/24
    • VLAN 20: 192.168.20.0/24

    I would like :

    • all members of VLAN 10 to access host 192.168.20.21 on port 22
    • all members of VLAN 20 to access host 192.168.10.11 on port 80

    First of all, I have created two access-lists:


    ip access-list extended "vlan10-in"
      10 permit tcp 192.168.10.0 0.0.0.255 192.168.20.21 0.0.0.0 eq 22
    ip access-list extended "vlan20-in"
      10 permit tcp 192.168.20.0 0.0.0.255 192.168.10.11 0.0.0.0 eq 80


    Then I've applied the first access-list to VLAN 10:


    vlan 10
      name "vlan10"
      untagged 1
      ip access-group "vlan10-in" in
      ip address 192.168.10.1 255.255.255.0


    At this step it works: I can access 192.168.20.21 on port 22 but not on any other port.

    Then, I've done the same thing for VLAN 20:


    vlan 20
      name "vlan20"
      untagged 2
      ip access-group "vlan20-in" in
      ip address 192.168.20.1 255.255.255.0


    And then, nothing works...

    I suppose that it doesn't work because of the implicit deny on each access-list, which block each other.

    I tried to add two new access-lists and to modify the VLANs to only filter on inbound packets:


    ip access-list extended "vlan10-out"
      10 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
    ip access-list extended "vlan20-out"
      10 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
    
    vlan 10
      name "vlan10"
      untagged 1
      ip access-group "vlan10-in" in
      ip access-group "vlan10-out" out
      ip address 192.168.10.1 255.255.255.0
    
    vlan 20
      name "vlan20"
      untagged 2
      ip access-group "vlan20-in" in
      ip access-group "vlan20-out" out
      ip address 192.168.20.1 255.255.255.0


    But it doesn't work any better...

    If someone has some ideas, it would be great!

    Thank you very much,

    Thierry.


    #ExtendedACL
    #VLAN


  • 2.  RE: Aruba 3500y Extended ACL between VLAN does not work (implicit deny)

    Posted Feb 12, 2020 04:41 AM
    Hello,
    No one has an idea? I'm really stuck with this.
    Thank you very much!
    Thierry


  • 3.  RE: Aruba 3500y Extended ACL between VLAN does not work (implicit deny)

    Posted Feb 17, 2020 09:22 AM

    Hello everyone,

    Is this the right community board for this kind of issue?

    Regards,

    Thierry



  • 4.  RE: Aruba 3500y Extended ACL between VLAN does not work (implicit deny)

    Posted Feb 18, 2020 01:28 PM

    The problem is, for communication, you need packets to go both ways. You will need a matching rule in the opposite direction for each permit.

    This is off the top of my head:

    ip access-list extended "vlan10-in"
      10 permit tcp 192.168.10.0 0.0.0.255 192.168.20.21 0.0.0.0 eq 22
      20 permit tcp 192.168.10.11 0.0.0.0 eq 80 192.168.20.0 0.0.0.255 established
    ip access-list extended "vlan20-in"
      10 permit tcp 192.168.20.0 0.0.0.255 192.168.10.11 0.0.0.0 eq 80
      20 permit tcp 192.168.20.21 0.0.0.0 eq 22 192.168.10.0 0.0.0.255 established


    You may have issues if whatever is serving web pages on port 80 hands the response off to another socket and doesn't send replies all from port 80. In that case, you'd have to loosen the restriction, and remove the "eq 80" from the reciprocal (established) line I added.
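As an added example (not part of the thread and not HPE code), a small Python model of the stateless evaluation behind both the original poster's failing configuration and PJM's fix above: each TCP packet is checked only against the inbound ACL of the VLAN it enters the switch on, with no connection state, so the SSH server's SYN/ACK is dropped by "vlan20-in" until a reciprocal permit exists. It assumes the ArubaOS-Switch `established` keyword matches TCP segments with ACK or RST set (i.e. not the opening SYN); the client hosts (.50), the client port 40000 and the alternate reply port 8080 are constructed values.

```python
from ipaddress import ip_address, ip_network

def rule(src, dst, sport=None, dport=None, established=False):
    """One permit entry: src/dst prefixes, optional TCP ports, optional 'established'."""
    return dict(src=ip_network(src), dst=ip_network(dst), sport=sport,
                dport=dport, established=established)

def matches(r, pkt):
    # 'established' is modelled as "ACK or RST set", so an opening SYN never matches it.
    return (ip_address(pkt["src"]) in r["src"] and ip_address(pkt["dst"]) in r["dst"]
            and r["sport"] in (None, pkt["sport"]) and r["dport"] in (None, pkt["dport"])
            and (not r["established"] or pkt["ack"]))

def permitted(acl, pkt):
    """Stateless evaluation: some permit entry matches, otherwise the implicit deny."""
    return any(matches(r, pkt) for r in acl)

def vlan_of(ip):
    return 10 if ip_address(ip) in ip_network("192.168.10.0/24") else 20

def tcp_session(acls, client, server, port, reply_sport=None):
    """Replay the SYN (client->server) and the SYN/ACK (server->client). Each packet
    is filtered by the inbound ACL of the VLAN on which it enters the switch."""
    syn = dict(src=client, dst=server, sport=40000, dport=port, ack=False)
    synack = dict(src=server, dst=client, sport=reply_sport or port, dport=40000, ack=True)
    return permitted(acls[vlan_of(client)], syn) and permitted(acls[vlan_of(server)], synack)

# The original poster's two inbound ACLs (permits only; no return traffic allowed).
ORIGINAL = {
    10: [rule("192.168.10.0/24", "192.168.20.21/32", dport=22)],
    20: [rule("192.168.20.0/24", "192.168.10.11/32", dport=80)],
}
# PJM's fix: a reciprocal 'established' permit in each ACL, keyed on the server port.
FIXED = {
    10: ORIGINAL[10] + [rule("192.168.10.11/32", "192.168.20.0/24", sport=80, established=True)],
    20: ORIGINAL[20] + [rule("192.168.20.21/32", "192.168.10.0/24", sport=22, established=True)],
}
# The loosened variant from the caveat: drop 'eq 80' if the web server answers from other ports.
LOOSENED = {
    10: ORIGINAL[10] + [rule("192.168.10.11/32", "192.168.20.0/24", established=True)],
    20: FIXED[20],
}

if __name__ == "__main__":
    print(tcp_session(ORIGINAL, "192.168.10.50", "192.168.20.21", 22))  # False: SYN/ACK dropped by vlan20-in
    print(tcp_session(FIXED, "192.168.10.50", "192.168.20.21", 22))     # True
    print(tcp_session(FIXED, "192.168.20.21", "192.168.10.50", 22))     # False: server-initiated SYN still denied
    print(tcp_session(FIXED, "192.168.20.50", "192.168.10.11", 80, reply_sport=8080))     # False
    print(tcp_session(LOOSENED, "192.168.20.50", "192.168.10.11", 80, reply_sport=8080))  # True
```

The third case shows what `established` buys over a plain reciprocal permit: replies are allowed, but 192.168.20.21 still cannot open new connections into VLAN 10.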

     



  • 5.  RE: Aruba 3500y Extended ACL between VLAN does not work (implicit deny)

    Posted Feb 19, 2020 01:33 AM

    Hi PJM,

    Sadly, it's what I thought... I have hundreds of rules to implement; this will not be maintainable...

    Thank you very much for your reply.

    Thierry.



  • 6.  RE: Aruba 3500y Extended ACL between VLAN does not work (implicit deny)

    EMPLOYEE
    Posted Feb 19, 2020 05:29 AM

    Hi Thierry,

    Thank you for writing your query.

    I agree with PJM: it becomes an issue as traffic is sent to and from.

    Creating rules in both directions and matching them is recommended and standard practice so that the ACL can work as expected.

    Please write back for any further queries regarding the same; we would be happy to assist.

    Thanks,



  • 7.  RE: Aruba 3500y Extended ACL between VLAN does not work (implicit deny)

    Posted Feb 19, 2020 09:31 AM

    Hi,

    Thank you again for your answer.

    As I told before, I have a very large number of ACLs to implement (hundreds from VLAN1 to VLAN2 and the same in the other way) and if we need to add the return traffic, I think it will be too hard to maintain.

    In other HPE devices, is there a way to automatically allow returned packets?

    Regards,
    Thierry.



  • 8.  RE: Aruba 3500y Extended ACL between VLAN does not work (implicit deny)

    MVP GURU
    Posted Feb 26, 2020 07:01 AM

    The problem is, for communication, you need packets to go both ways. You will need a matching rule in the opposite direction for each permit.

    Are you sure about that requirement?