This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
RUCKUS Self Help |   ASK the Pack
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Inbound ACL

kransom
New Contributor

‎08-01-2024 09:19 AM

* addresses are anonymized *
* I have 2 issues
1. ACL was working in test environment but not in production even though everything is the same
2. Understanding how inbound traffic is processed on a virtual interface
* int ve 150 is the public facing interface, that is the only interface with an ACL applied to it. I am not filtering any outbound traffic.
* fc00:fc00:fc00:16::/64 is the internal network
* fc00:f390:0:2002::c6/126 is the public network connected to the ISP

1. I am trying to set up an acl to filter inbound ipv6 traffic on our public facing interfaces on our router. I want to structure it as default deny and allow specific protocols, ports, and addresses. In a test environment, I was able to get this working, but in production it is not working at all. Which is quite strange. I will post my configuration below. The test and production is using the exact same model switch and running the same router code.

// the ipv6 acl that is applied inbound
ipv6 access-list in-v6
remark ping
permit icmp any any
remark dns
permit udp any any eq dns
permit tcp any any eq dns
remark http
permit tcp any any eq http
remark https
permit tcp any any eq ssl
remark ssh
permit tcp any any eq ssh sequence 60
remark "allow internal tcp connections"
permit tcp fc00:fc00:fc00::/44 any established sequence 70
remark-entry sequence 75 "allow all other traffic to this_vlan"
permit ipv6 any fc00:fc00:fc00:16::/64 sequence 75
permit ipv6 fc00:fc00:fc00:16::/64 any sequence 76
remark deny all other traffic
deny ipv6 any any

// public facing interface
interface ve 150
port-name ISP-BGP
ip address 192.168.1.250/29
ip access-group ipv4-acl in
ip access-group ipv4-acl out
ip mtu 9000
ipv6 address fc00:f390:0:2002::c6/126
ipv6 enable
ipv6 traffic-filter in-v6 in
!

2. There is something I may be misunderstanding about inbound traffic. Let me give an example of what I noticed. In the ACL above, in-v6, I have a rule for ssh traffic to permit tcp from any source to any destination on port 22. When testing, this allows public hosts to ssh into internal hosts, but it is not allowing internal hosts to ssh into public hosts. Unless I add another rule saying "permit tcp any eq 22 any" compared to "permit tcp any any eq". Can someone explain this?

Hopefully this makes sense. Thanks for any and all insight.

0 Kudos
1 REPLY 1

Chandini
RUCKUS Team Member

‎08-07-2024 05:17 AM

Hi Kransom

Thank you for reaching us 

Below is an explanation of the differences between the two commands:

Command: "permit tcp any eq 22 any"

This rule allows any internal source to initiate an SSH connection to any external destination on port 22.

Example from switch CLI:

ICX8200-24P Router(config-ipv6acl-in-v6)#permit tcp any eq 22 ?
any Any destination host
X:X::X:X/M IPv6 destination prefix
host A single destination host

Command : "permit tcp any any eq"

This rule allows any external source to initiate an SSH connection to any internal destination. For internal hosts to initiate SSH connections to external hosts, you need a rule that permits outbound traffic.

Example from switch CLI:

ICX8200-24P Router(config-ipv6acl-in-v6)#permit tcp any ?
any Any source host

You can also note the difference when you use "?" following the commands and checking the descriptions.

Thanks 

Copyright © 2024 Khoros, LLC