Access list issues on 8320

  • 1.  Access list issues on 8320

    Posted May 31, 2022 08:07 AM
    Hi,

    I'm having some issues with access-lists. (Testing for capabilities)
    I have the following setup in a lab (real hardware)

    Lab scenario (to use in production eventually)

    8230 VSX Cluster 10.09 and a few VLANs, nothing fancy.

    vlan100 10.6.6.0/24 client vlan
    vlan200 10.5.5.0/24 server vlan
    vlan300 10.7.7.0/24 client vlan

    I want to restrict traffic to the servers in vlan 200 to only certain devices/IP subnets.
    Servers on vlan 200 can have all outbound traffic.

    I have the following access-list.

    # sh access-list ip commands
    access-list ip 200-out
    10 permit tcp 10.6.6.0/255.255.255.0 any eq rdp count
    20 permit icmp 10.6.6.0/255.255.255.0 any count
    30 permit icmp 10.7.7.222 any count
    interface vlan200
    apply access-list ip 200-out routed-out

    The ACL works for traffic from the client VLANs to the server VLAN, but outbound traffic (from the server to other VLANs) appears to be using the same access-list; traffic not in the ACL is not working. So I cannot reach clients in vlan 300 (for example), except with ICMP (which is in the ACL).

    I also tried both directions (routed-in, routed-out), on a VLAN (VACL) and on a port (PACL), all the same. So I must be missing something / I don't fully understand how access lists work on CX :). Can't find it in any documentation.
    So could anyone explain it to me / have any suggestions on how to best solve this scenario?

    Thanks very much.

    ------------------------------
    Bob van de Merwe
    ------------------------------


  • 2.  RE: Access list issues on 8320

    EMPLOYEE
    Posted May 31, 2022 08:20 AM
    Hello Bob,

    You may use the approach where you allow everything and just disable the traffic inbound from the servers and the other devices.

    Hope this helps!

    ------------------------------
    -Alex-
    ------------------------------



  • 3.  RE: Access list issues on 8320

    EMPLOYEE
    Posted May 31, 2022 08:52 AM
    Hi Bob,

    access-list ip 200-out
    10 permit tcp 10.6.6.0/255.255.255.0 any eq rdp count
    20 permit icmp 10.6.6.0/255.255.255.0 any count
    30 permit icmp 10.7.7.222 any count

    is applied on the interface vlan200 in the outbound direction (e.g. from any other network to the servers inside the VLAN200). There is no inbound acl on the interface (direction 'VLAN200-->all others') and at first glance it seems everything should be allowed, but in fact we have a problem here.

    When any of your servers initiates an outbound connection to a host in another network, it expects an answer from that distant host, right? And that answer will inevitably hit the '200-out' ACL on its path to the server in VLAN200:

    Example:
    Server: 10.5.5.50/24
    Host: 10.7.7.100/24

    - Server sends TCP SYN to the Host. Packet will look like 'IP.Src=10.5.5.20;IP.dst=10.7.7.100'.
    - Packet arrives on the 'interface vlan200'. There is no 'routed-in' ACL applied, so the packet is allowed
    - If 'interface vlan300' doesn't have any ACL 'routed-out', the packet is being sent to the host.
    - Host replies with 'TCP SYN/ACK'. Packet will look like 'IP.Src=10.7.7.100;IP.dst=10.5.5.20'.
    - Packet arrives on the 'interface vlan300'. If there is no 'routed-in' ACL applied, the packet is allowed
    - 'interface vlan200' needs to send the packet to the Server, but there is the '200-out' ACL applied in that direction. Since that ACL doesn't permit packets with source 10.7.7.0/24 and destination 10.6.6.0/24, the packet gets dropped by the implicit 'deny any any' rule.

    And ICMP works, because it is allowed by the rule 20.

    Hope this explanation will help you to properly plan the ACL scheme.


    ------------------------------
    Ivan Bondar
    ------------------------------



  • 4.  RE: Access list issues on 8320

    MVP GURU
    Posted May 31, 2022 01:25 PM
    Hi Ivan, shouldn't the OP review his/her ACL approach to work on the inbound direction on each VLAN instead?

    I mean, instead of building an ACL to be applied on the outbound direction (where here the outbound term should be read as "arriving from outbound to the VLAN SVI where the ACL is applied in outbound" or as "incoming into the VLAN from external sources"), shouldn't the OP build an ACL to be applied on the inbound direction (where here the inbound term should be read as "arriving from the inbound to the VLAN SVI where the ACL is applied in inbound" or as "outgoing to any other external VLAN coming from the internal sources")?

    That way the OP would work on each VLAN and decide which traffic is permitted and which is denied (considering then an explicit final permit any any and the implicit final hidden deny any any rules), and he/she could do that on one VLAN or on any VLAN (so checking the traffic in both directions but relying on each VLAN's ACL to decide what traffic will leave the VLAN in the outbound direction and what will not).

    For sure - in any case - the in-/out-bound direction used to define how the ACL is applied AND the way the ACL is built are closely tied.

    ------------------------------
    Davide Poletto
    ------------------------------



  • 5.  RE: Access list issues on 8320

    EMPLOYEE
    Posted May 31, 2022 01:40 PM
    Hi Davide,

    The main idea of my message was to explain why this is happening without going into details what and how to improve. Déformation professionnelle... Too many years spent in Support 😆
    Nevertheless your proposition totally makes sense and I fully support it. I would also stick to the 'inbound' approach as it is always better to filter the traffic as close to the source as possible. At the end of the day there is no reason to route a packet through the whole infrastructure just to drop it on the last hop 😉

    ------------------------------
    Ivan Bondar
    ------------------------------



  • 6.  RE: Access list issues on 8320

    Posted May 31, 2022 02:27 PM
    Hi Guys,

    Thanks for your insights.
    I'm more used to stateful firewalls instead of stateless switches, haha.

    The inbound direction acl seems the most logical indeed.
    I'm going to try it out.

    Thanks,
    Bob

    ------------------------------
    Bob van de Merwe
    ------------------------------



  • 7.  RE: Access list issues on 8320

    EMPLOYEE
    Posted Jun 01, 2022 10:45 AM
    Bob, if only I had known you had experience with firewalls, my post would have contained just one sentence: "Because ACLs in AOS-CX are not stateful" 🙂 But most people without such a background would only be even more confused by such an answer.

    BTW, while AOS-CX doesn't have a stateful firewall, its ACL rules can check packets for the 'Established' TCP flag.


    ------------------------------
    Ivan Bondar
    ------------------------------
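The packet walk in reply 3, the "filter at the source VLAN" design in reply 4 and the 'Established' match mentioned in reply 7 can be traced through a small stateless-ACL model. The following is an added illustration written for this thread, not code from the original posts or from HPE Aruba. It assumes the evaluation order reply 3 describes (the ingress SVI's routed-in ACL, then the egress SVI's routed-out ACL), that `eq rdp` means TCP port 3389, and that `established` means "ACK or RST set", the classic meaning of that keyword; the `ACL_100_IN` and `ACL_300_IN` rules and the sample packets are constructed for the example, and only `ACL_200_OUT` reproduces the OP's configuration.

```python
"""Stateless ACL walk-through for the thread's scenario (constructed model, not AOS-CX code)."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

RDP = 3389  # assumption: 'eq rdp' in the OP's ACL is TCP/3389


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                      # "tcp" or "icmp"
    dport: int | None = None
    flags: frozenset = frozenset()  # TCP flags, e.g. {"SYN"} or {"SYN", "ACK"}


@dataclass(frozen=True)
class Rule:
    seq: int
    action: str                     # "permit" or "deny"
    proto: str                      # "tcp", "icmp" or "any"
    src: str                        # CIDR, single host, or "any"
    dst: str
    dport: int | None = None
    established: bool = False       # assumed semantics: match only if ACK or RST is set


def _in_net(spec: str, ip: str) -> bool:
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def _matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if not (_in_net(rule.src, pkt.src) and _in_net(rule.dst, pkt.dst)):
        return False
    if rule.dport is not None and pkt.dport != rule.dport:
        return False
    if rule.established and not (pkt.flags & {"ACK", "RST"}):
        return False
    return True


def acl_permits(acl: list[Rule], pkt: Packet) -> bool:
    """First matching rule wins; no match falls through to the implicit deny any any."""
    for rule in sorted(acl, key=lambda r: r.seq):
        if _matches(rule, pkt):
            return rule.action == "permit"
    return False


@dataclass
class Svi:
    name: str
    subnet: str
    routed_in: list[Rule] | None = None
    routed_out: list[Rule] | None = None


def route(svis: list[Svi], pkt: Packet) -> str:
    """Judge one packet on its own, as a stateless ACL does: no connection table, no memory
    of the SYN that preceded a SYN/ACK. Returns 'forwarded' or where the packet was dropped."""
    ingress = next(s for s in svis if _in_net(s.subnet, pkt.src))
    egress = next(s for s in svis if _in_net(s.subnet, pkt.dst))
    if ingress.routed_in is not None and not acl_permits(ingress.routed_in, pkt):
        return f"dropped at {ingress.name} routed-in"
    if egress.routed_out is not None and not acl_permits(egress.routed_out, pkt):
        return f"dropped at {egress.name} routed-out"
    return "forwarded"


# Design 1: the OP's '200-out' ACL applied routed-out on interface vlan200.
ACL_200_OUT = [
    Rule(10, "permit", "tcp", "10.6.6.0/24", "any", dport=RDP),
    Rule(20, "permit", "icmp", "10.6.6.0/24", "any"),
    Rule(30, "permit", "icmp", "10.7.7.222", "any"),
]
OP_DESIGN = [Svi("vlan100", "10.6.6.0/24"),
             Svi("vlan200", "10.5.5.0/24", routed_out=ACL_200_OUT),
             Svi("vlan300", "10.7.7.0/24")]

# Design 2 (constructed): routed-in ACLs on the client VLANs, so traffic is filtered at its
# source; rule 20 of ACL_300_IN lets replies to server-initiated connections back in.
ACL_100_IN = [Rule(10, "permit", "tcp", "10.6.6.0/24", "10.5.5.0/24", dport=RDP),
              Rule(20, "permit", "icmp", "10.6.6.0/24", "10.5.5.0/24"),
              Rule(30, "deny", "any", "any", "10.5.5.0/24"),
              Rule(40, "permit", "any", "any", "any")]
ACL_300_IN = [Rule(10, "permit", "icmp", "10.7.7.222", "10.5.5.0/24"),
              Rule(20, "permit", "tcp", "any", "10.5.5.0/24", established=True),
              Rule(30, "deny", "any", "any", "10.5.5.0/24"),
              Rule(40, "permit", "any", "any", "any")]
INBOUND_DESIGN = [Svi("vlan100", "10.6.6.0/24", routed_in=ACL_100_IN),
                  Svi("vlan200", "10.5.5.0/24"),   # servers may send anything outbound
                  Svi("vlan300", "10.7.7.0/24", routed_in=ACL_300_IN)]

# Constructed sample flows: a server-initiated connection and two inbound attempts.
FLOWS = {
    "server SYN out": Packet("10.5.5.50", "10.7.7.100", "tcp", 443, frozenset({"SYN"})),
    "host SYN/ACK back": Packet("10.7.7.100", "10.5.5.50", "tcp", 40000, frozenset({"SYN", "ACK"})),
    "new RDP from vlan300": Packet("10.7.7.100", "10.5.5.50", "tcp", RDP, frozenset({"SYN"})),
    "RDP from vlan100": Packet("10.6.6.10", "10.5.5.50", "tcp", RDP, frozenset({"SYN"})),
}


def walk(design: list[Svi]) -> dict[str, str]:
    return {name: route(design, pkt) for name, pkt in FLOWS.items()}


if __name__ == "__main__":
    for label, design in [("OP design (200-out)", OP_DESIGN), ("inbound design", INBOUND_DESIGN)]:
        print(label)
        for name, verdict in walk(design).items():
            print(f"  {name:22} -> {verdict}")
```

Running it reproduces reply 3: the server's SYN leaves vlan200 untouched, but the SYN/ACK coming back is judged on its own against `200-out` and falls to the implicit deny. In the inbound design the same SYN/ACK passes on the `established` rule while a fresh SYN from vlan300 to the RDP port is dropped at the vlan300 SVI, the first hop, which is the "filter as close to the source as possible" point made in reply 5.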