02-16-2024 12:44 PM - edited 02-16-2024 12:48 PM
Hi, I'm running into a weird issue after upgrading from a Brocade ICX6450 to a Ruckus ICX7150.
I have the following ACL that I transferred from the 6450:
ip access-list extended no_internal_access
permit tcp any any established
permit tcp any host 10.20.1.20 eq http
permit tcp any host 10.20.1.20 eq ssl
permit tcp any host 10.20.1.50 eq dns
permit tcp any host 10.20.1.60 eq dns
permit udp any host 10.20.1.50 eq dns
permit udp any host 10.20.1.60 eq dns
deny ip any 10.0.0.0 0.255.255.255
deny ip any 192.168.100.0 0.0.0.255
permit ip any any
I have this ACL applied to a guest VLAN, 98. On the 6450, the ACL is applied "in" on VE98 and everything works as expected. I installed the ACL onto the 7150, and applied the ACL "in" on VLAN 98, since that is how it is now done. However, on the 7150, HTTP and even RDP works to hosts in the 10.0.0.0/8 range in many cases. The ACL is doing something, since ICMP does not work. I tried a simple ACL with just an allow established rule and the deny ip rules, and it seems to be the established rule type that is causing the problem. Removing it solves the problem.
Is this an expected behavior, or is there something I am missing on the 7150 that would make this not work as it does on the 6450? It is running 08.0.95m. Thanks in advance!