02-16-2024 12:44 PM - edited 02-16-2024 12:48 PM
Hi, I'm running into a weird issue after upgrading from a Brocade ICX6450 to a Ruckus ICX7150.
I have the following ACL that I transferred from the 6450:
ip access-list extended no_internal_access
permit tcp any any established
permit tcp any host 10.20.1.20 eq http
permit tcp any host 10.20.1.20 eq ssl
permit tcp any host 10.20.1.50 eq dns
permit tcp any host 10.20.1.60 eq dns
permit udp any host 10.20.1.50 eq dns
permit udp any host 10.20.1.60 eq dns
deny ip any 10.0.0.0 0.255.255.255
deny ip any 192.168.100.0 0.0.0.255
permit ip any any
I have this ACL applied to a guest VLAN, 98. On the 6450, the ACL is applied "in" on VE98 and everything works as expected. I installed the ACL onto the 7150 and applied the ACL "in" on VLAN 98, since that is how it is now done. However, on the 7150, HTTP and even RDP work to hosts in the 10.0.0.0/8 range in many cases. The ACL is doing something, since ICMP does not work. I tried a simple ACL with just an allow established rule and the deny ip rules, and it seems to be the established rule type that is causing the problem. Removing it solves the problem.
Is this expected behavior, or is there something I am missing on the 7150 that would make this not work as it does on the 6450? It is running 08.0.95m. Thanks in advance!
02-23-2024 09:27 AM
Hi suddenwolf,
Apologies for the delay in reverting; I was checking on the ACL, as placing the rule after the permitted connections should have worked. Otherwise, the last thing we could give a try is below (if not already tried):
ip access-list extended no_internal_access
permit tcp any host 10.20.1.20 eq http
permit tcp any host 10.20.1.20 eq ssl
permit tcp any host 10.20.1.50 eq dns
permit tcp any host 10.20.1.60 eq dns
permit udp any host 10.20.1.50 eq dns
permit udp any host 10.20.1.60 eq dns
deny ip any 10.0.0.0 0.255.255.255
deny ip any 192.168.100.0 0.0.0.255
permit tcp any any established
permit ip any any
and have the ACL applied as "out", so that it applies itself to the traffic moving out of the VLAN.
Here, based on the placement, only the above permitted connections should go through, and after that, with the deny in between, it should work as needed.
If the same behavior is seen, then this would need to be checked further to see if it's related to the operation of that statement with the "any any" clause in it.
I would suggest you raise a ticket with the link below so that we can help you further on that.
https://support.ruckuswireless.com/contact-us
Let us know your thoughts on the same.
03-09-2024 09:10 AM - edited 03-14-2024 12:07 PM
Well, moving the permit tcp any any established below the deny ip any 10.0.0.0 0.255.255.255 wouldn't allow reply traffic (established TCP) if you wanted to RDP into the guest VLAN from another VLAN in 10.0.0.0 0.255.255.255.
I'm also seeing similar issues with the established keyword, which is allowing any TCP traffic through and has caused me to re-architect my ACLs. It's possible I don't understand the exact use case for established, but I understood it to be similar to a reflexive list. I'm on an ICX 7250-24p with SPR08095m.bin firmware.
***Edit***
Never mind, it's working properly in my case. I had a situation where there was asymmetric routing with two gateways on the same subnet, so basically the "in" side of the ACLs on the VLANs was seeing traffic leaving and coming back into the VLAN. I was going down the route of adjusting ACLs for this, but this was leading to a lot of other unforeseen issues; getting back to symmetrical routing solved all the issues.
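The three points raised in this thread (the original poster's observation that the established rule lets TCP through, the reordered ACL suggested in the reply, and the follow-up that the reordered ACL blocks reply traffic for RDP sessions started from another 10/8 VLAN) can be walked through with a small first-match ACL simulator. This is an added example, not code from the thread or from Ruckus; it assumes that the ICX "established" keyword is a stateless test for the ACK or RST flag on each packet (no session table), and the guest and internal host addresses 10.20.98.10, 10.20.1.100 and 10.20.5.7 are constructed for the demonstration.

```python
"""First-match ACL evaluator for the two ACLs in the thread (constructed model).

Assumption: 'established' matches a TCP segment with ACK or RST set and
nothing else; the switch keeps no session state for it.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

PORTS = {"http": 80, "ssl": 443, "dns": 53}   # service keywords in the ACL

# ACL as posted by the original poster (established first).
ORIGINAL_ACL = """
permit tcp any any established
permit tcp any host 10.20.1.20 eq http
permit tcp any host 10.20.1.20 eq ssl
permit tcp any host 10.20.1.50 eq dns
permit tcp any host 10.20.1.60 eq dns
permit udp any host 10.20.1.50 eq dns
permit udp any host 10.20.1.60 eq dns
deny ip any 10.0.0.0 0.255.255.255
deny ip any 192.168.100.0 0.0.0.255
permit ip any any
"""
# ACL as suggested in the reply (established after the deny rules).
REORDERED_ACL = ORIGINAL_ACL.replace("permit tcp any any established\n", "") \
    .replace("permit ip any any", "permit tcp any any established\npermit ip any any")


@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0
    ack: bool = False          # TCP ACK flag
    rst: bool = False          # TCP RST flag


@dataclass(frozen=True)
class Rule:
    action: str                # "permit" or "deny"
    proto: str                 # "ip", "tcp" or "udp"
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int] = None
    established: bool = False

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if ip_address(pkt.src) not in self.src or ip_address(pkt.dst) not in self.dst:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        # Stateless flag test (assumption about 'established'): ACK or RST set.
        return not self.established or pkt.ack or pkt.rst


def _parse_addr(tok, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' at tok[i]."""
    if tok[i] == "any":
        return ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ip_network(tok[i + 1] + "/32"), i + 2
    return ip_network(f"{tok[i]}/{tok[i + 1]}"), i + 2   # wildcard (host) mask


def parse_acl(text: str):
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        src, i = _parse_addr(tok, 2)
        dst, i = _parse_addr(tok, i)
        dport, established = None, False
        while i < len(tok):
            if tok[i] == "eq":
                dport, i = PORTS.get(tok[i + 1]) or int(tok[i + 1]), i + 2
            elif tok[i] == "established":
                established, i = True, i + 1
            else:
                raise ValueError(f"unsupported token {tok[i]!r} in {line!r}")
        rules.append(Rule(tok[0], tok[1], src, dst, dport, established))
    return rules


def evaluate(acl, pkt: Packet):
    """Return (action, rule_index); no match falls to the implicit deny."""
    for idx, rule in enumerate(acl):
        if rule.matches(pkt):
            return rule.action, idx
    return "deny", None


def scenarios():
    orig, reordered = parse_acl(ORIGINAL_ACL), parse_acl(REORDERED_ACL)
    guest, internal = "10.20.98.10", "10.20.1.100"          # constructed hosts
    syn = Packet("tcp", guest, internal, 3389)               # new RDP attempt
    ack = Packet("tcp", guest, internal, 3389, ack=True)     # any ACK-bearing segment
    web = Packet("tcp", guest, "10.20.1.20", 443)            # intended permit
    icmp = Packet("icmp", guest, internal)
    reply = Packet("tcp", guest, "10.20.5.7", 51000, ack=True)  # guest answering an RDP session from another 10/8 VLAN
    return {
        "syn_original": evaluate(orig, syn), "ack_original": evaluate(orig, ack),
        "web_original": evaluate(orig, web), "icmp_original": evaluate(orig, icmp),
        "syn_reordered": evaluate(reordered, syn), "ack_reordered": evaluate(reordered, ack),
        "reply_original": evaluate(orig, reply), "reply_reordered": evaluate(reordered, reply),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:16} -> {result}")
```

Under the original ordering, a fresh SYN and ICMP from the guest VLAN hit the deny (the ACL is "doing something"), while any TCP segment carrying ACK is permitted by rule 0 regardless of whether the switch ever saw a handshake, which is why a flag-based established rule is not a reflexive list. Under the reordering, ACK-bearing traffic into 10/8 is denied, including the guest's replies to an RDP session initiated from another 10/8 VLAN, exactly the limitation noted in the last post. This model cannot reproduce the asymmetric-routing case in the edit, which depends on which direction the VLAN-level "in" ACL sees a packet, not on rule order.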