topic Re: access-list 'established' not working properly in 09.0.10 in ICX Switches

access-list 'established' not working properly in 09.0.10

kpfleming — Tue, 28 Dec 2021 22:29:40 GMT

Configuration snippets:

vlan 80 name untrusted by port
untagged ethe 3/1/3
ip access-group untrusted in

interface ve 80
ip address 192.168.80.2/24
ip access-list extended untrusted
enable accounting

sequence 10 permit tcp any 192.168.0.0/16 established
sequence 20 permit icmp any any
sequence 30 permit udp any host 192.168.255.2 eq dns
sequence 40 permit tcp any host 192.168.255.2 eq dns
sequence 50 permit udp any host 192.168.255.1 eq ntp
sequence 60 permit tcp any host 192.168.64.113 eq ssl
sequence 70 deny tcp any 192.168.0.0/16
sequence 80 deny udp any 192.168.0.0/16

sequence 90 permit tcp any any
sequence 100 permit udp any any

System attached to 3/1/3 has IP address 192.168.68.200/24, with its gateway set to 192.168.80.2.

With the above access-list that system is able to open TCP connections to 192.168.1.1, even though the initial SYN packet should not count as 'established'. If I remove the sequence 10 filter from the access-list, the system is no longer able to open such connections.

Re: access-list 'established' not working properly in 09.0.10

hashim_bharooc1 — Tue, 28 Dec 2021 23:07:11 GMT

Hi Kevin,

Hope you are doing Great.

sequence 10 should not allow sync and sequence 70 will block everything.

Can you please go with 809k code?

This will need to be lab tested and fixed in the code.

Here is the link to the target poath

https://docs.commscope.com/bundle/ruckus-fi-target-path/page/GUID-7574F40A-91F5-4E4A-8C54-76E33C7D07B3.html

Hope this helps.

Sorry for the inconvenience.

Thanks

Best Regards

Hashim

Thanks

Best Regards

Hashim

Re: access-list 'established' not working properly in 09.0.10

kpfleming — Tue, 28 Dec 2021 23:41:20 GMT

Thanks for the quick response! Unfortunately I'm not able to use the 08 firmware, and I experienced very unusual problems with IPv6 routing with that firmware and the 09 firmware does not have those problems... and I don't have a lab environment in which to test alternative firmware versions 🙂

I believe I'll be able to work around this problem though by using a 'mirror' filter in the access-list in the VLAN where the connections originate (which land in VLAN 80). I'll experiment with that.

Re: access-list 'established' not working properly in 09.0.10

kpfleming — Wed, 29 Dec 2021 13:19:10 GMT

Ahh, ignore that, I misunderstood what 'mirror' does in access-list filters. I thought it was related to reflexive filters, but it's not.

Re: access-list 'established' not working properly in 09.0.10

vu_pham_ghtztqm — Wed, 29 Dec 2021 16:03:52 GMT

Hi Kevin - We did some tests in the lab and found a workaround for this issue. It seems like a bug in this area, and we need to investigate further. For sequence 10, please use /24 instead of /16. Keep sequence 70/80 with /16 for now.

Also, we need to clarify this statement from your initial post: "System attached to 3/1/3 has IP address 192.168.68.200/24, with its gateway set to 192.168.80.2." We would assume you meant 192.168.80.200/24 for the host?

Please see the workaround below.

config t

ip access-list extended untrusted

no sequence 10

sequence 10 permit tcp any 192.168.80.0/24 established

Please try this and let us know if it helped.

Thank you,

Vu Pham

Principal Technical Support Engineer

Shift hours: 08:00-17:00 US Central (Mon-Fri)

CommScope

https://www.commscope.com/

Re: access-list 'established' not working properly in 09.0.10

kpfleming — Wed, 29 Dec 2021 18:23:29 GMT

Yes, that's correct, that was a typo in the original post.

The goal here is to allow hosts on VLANs 88 and 89 to make connections to hosts on VLAN 80, but not allow the reverse. Because of that your proposed solution won't work, but I'll experiment with some other options and report back here.

Also, if someone could DM me about getting a support contract in place I'd appreciate that... I used the 'contact us' form some time ago to inquire about it but never got any response.

Re: access-list 'established' not working properly in 09.0.10

kpfleming — Wed, 29 Dec 2021 18:35:38 GMT

I tried using 'permit tcp 192.168.80.0/24 any established' to limit the source instead of the destination, but that didn't work... host 192.168.80.200 was stable to initiate TCP connections to hosts outside of VLAN 80.

I've got a workaround for this so I'm not blocked on it. Thanks for the help so far.

Re: access-list 'established' not working properly in 09.0.10

hashim_bharooc1 — Wed, 29 Dec 2021 18:41:39 GMT

Hi Kevin,

Can you please email me your location and email and phone number to my email address: hashim.bharoocha@commscope.com I will have support team reach out to you.

Also you can try this link:

https://www.commscope.com/resources/how-to-buy/public-sector-procurement-contracts/

Thanks

Best Regards

Hashim