https://community.ruckuswireless.com/t5/ICX-Switches/Inbound-ACL/m-p/94266#M6718 <P>* addresses are anonymized *<BR />* I have 2 issues<BR />1. ACL was working in test environment but not in production even though everything is the same<BR />2. Understanding how inbound traffic is processed on a virtual interface<BR />* int ve 150 is the public facing interface, that is the only interface with an ACL applied to it. I am not filtering any outbound traffic.<BR />* fc00:fc00:fc00:16::/64 is the internal network<BR />* fc00:f390:0:2002::c6/126 is the public network connected to the ISP</P><P>1. I am trying to set up an acl to filter inbound ipv6 traffic on our public facing interfaces on our router. I want to structure it as default deny and allow specific protocols, ports, and addresses. In a test environment, I was able to get this working, but in production it is not working at all. Which is quite strange. I will post my configuration below. The test and production is using the exact same model switch and running the same router code.</P><P>// the ipv6 acl that is applied inbound<BR />ipv6 access-list in-v6<BR />remark ping<BR />permit icmp any any<BR />remark dns<BR />permit udp any any eq dns<BR />permit tcp any any eq dns<BR />remark http<BR />permit tcp any any eq http<BR />remark https<BR />permit tcp any any eq ssl<BR />remark ssh<BR />permit tcp any any eq ssh sequence 60<BR />remark "allow internal tcp connections"<BR />permit tcp fc00:fc00:fc00::/44 any established sequence 70<BR />remark-entry sequence 75 "allow all other traffic to this_vlan"<BR />permit ipv6 any fc00:fc00:fc00:16::/64 sequence 75<BR />permit ipv6 fc00:fc00:fc00:16::/64 any sequence 76<BR />remark deny all other traffic<BR />deny ipv6 any any</P><P>// public facing interface<BR />interface ve 150<BR />port-name ISP-BGP<BR />ip address 192.168.1.250/29<BR />ip access-group ipv4-acl in<BR />ip access-group ipv4-acl out<BR />ip mtu 9000<BR />ipv6 address fc00:f390:0:2002::c6/126<BR />ipv6 enable<BR />ipv6 traffic-filter in-v6 in<BR />!</P><P>2. There is something I may be misunderstanding about inbound traffic. Let me give an example of what I noticed. In the ACL above, in-v6, I have a rule for ssh traffic to permit tcp from any source to any destination on port 22. When testing, this allows public hosts to ssh into internal hosts, but it is not allowing internal hosts to ssh into public hosts. Unless I add another rule saying "permit tcp any eq 22 any" compared to "permit tcp any any eq". Can someone explain this?</P><P>Hopefully this makes sense. Thanks for any and all insight.</P> Thu, 01 Aug 2024 16:19:23 GMT kransom 2024-08-01T16:19:23Z https://community.ruckuswireless.com/t5/ICX-Switches/Inbound-ACL/m-p/94266#M6718 <P>* addresses are anonymized *<BR />* I have 2 issues<BR />1. ACL was working in test environment but not in production even though everything is the same<BR />2. Understanding how inbound traffic is processed on a virtual interface<BR />* int ve 150 is the public facing interface, that is the only interface with an ACL applied to it. I am not filtering any outbound traffic.<BR />* fc00:fc00:fc00:16::/64 is the internal network<BR />* fc00:f390:0:2002::c6/126 is the public network connected to the ISP</P><P>1. I am trying to set up an acl to filter inbound ipv6 traffic on our public facing interfaces on our router. I want to structure it as default deny and allow specific protocols, ports, and addresses. In a test environment, I was able to get this working, but in production it is not working at all. Which is quite strange. I will post my configuration below. The test and production is using the exact same model switch and running the same router code.</P><P>// the ipv6 acl that is applied inbound<BR />ipv6 access-list in-v6<BR />remark ping<BR />permit icmp any any<BR />remark dns<BR />permit udp any any eq dns<BR />permit tcp any any eq dns<BR />remark http<BR />permit tcp any any eq http<BR />remark https<BR />permit tcp any any eq ssl<BR />remark ssh<BR />permit tcp any any eq ssh sequence 60<BR />remark "allow internal tcp connections"<BR />permit tcp fc00:fc00:fc00::/44 any established sequence 70<BR />remark-entry sequence 75 "allow all other traffic to this_vlan"<BR />permit ipv6 any fc00:fc00:fc00:16::/64 sequence 75<BR />permit ipv6 fc00:fc00:fc00:16::/64 any sequence 76<BR />remark deny all other traffic<BR />deny ipv6 any any</P><P>// public facing interface<BR />interface ve 150<BR />port-name ISP-BGP<BR />ip address 192.168.1.250/29<BR />ip access-group ipv4-acl in<BR />ip access-group ipv4-acl out<BR />ip mtu 9000<BR />ipv6 address fc00:f390:0:2002::c6/126<BR />ipv6 enable<BR />ipv6 traffic-filter in-v6 in<BR />!</P><P>2. There is something I may be misunderstanding about inbound traffic. Let me give an example of what I noticed. In the ACL above, in-v6, I have a rule for ssh traffic to permit tcp from any source to any destination on port 22. When testing, this allows public hosts to ssh into internal hosts, but it is not allowing internal hosts to ssh into public hosts. Unless I add another rule saying "permit tcp any eq 22 any" compared to "permit tcp any any eq". Can someone explain this?</P><P>Hopefully this makes sense. Thanks for any and all insight.</P> Thu, 01 Aug 2024 16:19:23 GMT https://community.ruckuswireless.com/t5/ICX-Switches/Inbound-ACL/m-p/94266#M6718 kransom 2024-08-01T16:19:23Z https://community.ruckuswireless.com/t5/ICX-Switches/Inbound-ACL/m-p/94614#M6730 <P>Hi Kransom</P><P>Thank you for reaching us&nbsp;</P><P><STRONG>Below is an explanation of the differences between the two commands:</STRONG></P><P><SPAN><STRONG>Command:</STRONG><FONT face="courier new,courier" size="2"> "permit tcp any eq 22 any"</FONT></SPAN></P><P><SPAN>This rule allows any internal source to initiate an SSH connection to any external destination on port 22.</SPAN></P><P><STRONG>Example from switch CLI:</STRONG></P><P><SPAN><FONT face="courier new,courier" size="2">ICX8200-24P Router(config-ipv6acl-in-v6)#permit tcp any eq 22 <FONT color="#008000">?</FONT></FONT><BR /><FONT face="courier new,courier" size="2" color="#008000">any Any destination host</FONT><BR /><FONT face="courier new,courier" size="2">X:X::X:X/M IPv6 destination prefix</FONT><BR /><FONT face="courier new,courier" size="2">host A single destination host</FONT><BR /></SPAN></P><P><SPAN><STRONG>Command :</STRONG> <FONT face="courier new,courier" size="2">"permit tcp any any eq"</FONT></SPAN></P><P><SPAN>This rule allows any external source to initiate an SSH connection to any internal destination. For internal hosts to initiate SSH connections to external hosts, you need a rule that permits outbound traffic.</SPAN></P><P><STRONG>Example from switch CLI:</STRONG></P><P><SPAN><FONT face="courier new,courier" size="2">ICX8200-24P Router(config-ipv6acl-in-v6)#permit tcp any<FONT color="#008000"> ?</FONT></FONT><BR /><FONT face="courier new,courier" size="2" color="#008000">any Any source host</FONT><BR /></SPAN></P><P><SPAN>You can also note the difference when you use <FONT face="courier new,courier" size="2" color="#008000">"?" </FONT>following the commands and checking the descriptions.</SPAN></P><P><SPAN>Thanks&nbsp;</SPAN></P> Wed, 07 Aug 2024 12:17:11 GMT https://community.ruckuswireless.com/t5/ICX-Switches/Inbound-ACL/m-p/94614#M6730 Chandini 2024-08-07T12:17:11Z