08-01-2024 09:19 AM
* addresses are anonymized *
* I have 2 issues
1. ACL was working in test environment but not in production even though everything is the same
2. Understanding how inbound traffic is processed on a virtual interface
* int ve 150 is the public facing interface, that is the only interface with an ACL applied to it. I am not filtering any outbound traffic.
* fc00:fc00:fc00:16::/64 is the internal network
* fc00:f390:0:2002::c6/126 is the public network connected to the ISP
1. I am trying to set up an ACL to filter inbound IPv6 traffic on the public facing interfaces of our router. I want to structure it as default deny and allow specific protocols, ports, and addresses. In a test environment, I was able to get this working, but in production it is not working at all, which is quite strange. I will post my configuration below. The test and production environments are using the exact same model switch and running the same router code.
// the ipv6 acl that is applied inbound
ipv6 access-list in-v6
remark ping
permit icmp any any
remark dns
permit udp any any eq dns
permit tcp any any eq dns
remark http
permit tcp any any eq http
remark https
permit tcp any any eq ssl
remark ssh
permit tcp any any eq ssh sequence 60
remark "allow internal tcp connections"
permit tcp fc00:fc00:fc00::/44 any established sequence 70
remark-entry sequence 75 "allow all other traffic to this_vlan"
permit ipv6 any fc00:fc00:fc00:16::/64 sequence 75
permit ipv6 fc00:fc00:fc00:16::/64 any sequence 76
remark deny all other traffic
deny ipv6 any any
// public facing interface
interface ve 150
port-name ISP-BGP
ip address 192.168.1.250/29
ip access-group ipv4-acl in
ip access-group ipv4-acl out
ip mtu 9000
ipv6 address fc00:f390:0:2002::c6/126
ipv6 enable
ipv6 traffic-filter in-v6 in
!
2. There is something I may be misunderstanding about inbound traffic. Let me give an example of what I noticed. In the ACL above, in-v6, I have a rule for SSH traffic to permit TCP from any source to any destination on port 22. When testing, this allows public hosts to SSH into internal hosts, but it does not allow internal hosts to SSH into public hosts, unless I add another rule saying "permit tcp any eq 22 any" as compared to "permit tcp any any eq". Can someone explain this?
Hopefully this makes sense. Thanks for any and all insight.
08-07-2024 05:17 AM
Hi Kransom
Thank you for reaching out to us.
Below is an explanation of the differences between the two commands:
Command: "permit tcp any eq 22 any"
This rule allows any internal source to initiate an SSH connection to any external destination on port 22.
Example from switch CLI:
ICX8200-24P Router(config-ipv6acl-in-v6)#permit tcp any eq 22 ?
any Any destination host
X:X::X:X/M IPv6 destination prefix
host A single destination host
Command: "permit tcp any any eq"
This rule allows any external source to initiate an SSH connection to any internal destination. For internal hosts to initiate SSH connections to external hosts, you need a rule that permits outbound traffic.
Example from switch CLI:
ICX8200-24P Router(config-ipv6acl-in-v6)#permit tcp any ?
any Any source host
You can also see the difference by entering "?" after each command and checking the descriptions.
Thanks
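To make the position of "eq 22" concrete, here is an added example that is not code from the thread, from Ruckus, or from the switch: a small Python model of first-match evaluation for an ACL applied inbound on the public interface (ve 150). It parses rules written in the same syntax as the in-v6 list above and runs constructed packets through three variants of the SSH rule: destination port only ("permit tcp any any eq ssh"), an added source-port rule ("permit tcp any eq ssh any"), and an "established" rule. The addresses 2001:db8::10 (a public host) and fc00:fc00:fc00:16::10 (an internal host), the ports and the TCP flags are constructed; the "established" semantics (match when ACK or RST is set) and the auto-numbering of unnumbered rules in steps of 10 are assumptions about the platform, not something the thread states.

```python
"""Toy first-match evaluator for an IPv6 ACL applied inbound on a public interface.
Added example; not the switch's code. ACL text, addresses and packets are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"ssh": 22, "dns": 53, "http": 80, "ssl": 443}  # names used in the thread's ACL


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()   # TCP flags, e.g. {"SYN"} or {"SYN", "ACK"}


@dataclass(frozen=True)
class Rule:
    seq: int
    action: str                # "permit" or "deny"
    proto: str                 # "tcp", "udp", "icmp", or "ipv6" for any protocol
    src: str                   # prefix or "any"
    sport: Optional[int]       # "eq N" written directly after the SOURCE
    dst: str
    dport: Optional[int]       # "eq N" written directly after the DESTINATION
    established: bool = False  # assumption: matches only if ACK or RST is set
    text: str = ""


def _port(tok):
    return PORT_NAMES.get(tok) or int(tok)


def _addr_and_port(tokens, i):
    """Consume one address term (any | host X | prefix) plus an optional 'eq PORT'."""
    if tokens[i] == "host":
        addr, i = tokens[i + 1] + "/128", i + 2
    else:
        addr, i = tokens[i], i + 1
    port = None
    if i < len(tokens) and tokens[i] == "eq":
        port, i = _port(tokens[i + 1]), i + 2
    return addr, port, i


def parse_acl(text):
    rules, next_seq = [], 10
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0].startswith("remark"):
            continue                                   # remarks never match traffic
        src, sport, i = _addr_and_port(tok, 2)
        dst, dport, i = _addr_and_port(tok, i)
        seq = int(tok[tok.index("sequence") + 1]) if "sequence" in tok else next_seq
        next_seq = seq + 10                            # assumption: auto-numbering by 10
        rules.append(Rule(seq, tok[0], tok[1], src, sport, dst, dport,
                          "established" in tok[i:], line.strip()))
    return sorted(rules, key=lambda r: r.seq)


def _in_net(prefix, addr):
    return prefix == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(prefix, strict=False)


def rule_matches(rule, pkt):
    if rule.proto != "ipv6" and rule.proto != pkt.proto:
        return False
    if not (_in_net(rule.src, pkt.src) and _in_net(rule.dst, pkt.dst)):
        return False
    if rule.sport is not None and rule.sport != pkt.sport:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.established and not (pkt.flags & {"ACK", "RST"}):
        return False
    return True


def evaluate(rules, pkt):
    """First matching rule wins; anything unmatched hits the implicit deny."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action, rule.text
    return "deny", "implicit deny"


# Constructed hosts: 2001:db8::10 on the public side, fc00:fc00:fc00:16::10 on the internal /64.
EXTERNAL, INTERNAL = "2001:db8::10", "fc00:fc00:fc00:16::10"
PACKETS = {
    # a public host opening SSH to an internal host: destination port 22
    "inbound_ssh_syn": Packet("tcp", EXTERNAL, 50000, INTERNAL, 22, frozenset({"SYN"})),
    # an internal host opened SSH to a public server; this is the server's SYN/ACK
    # arriving through the public interface: SOURCE port 22, ephemeral destination port
    "return_from_public_ssh_server": Packet("tcp", EXTERNAL, 22, INTERNAL, 50001, frozenset({"SYN", "ACK"})),
    # an unsolicited connection attempt from the public side to some other service
    "inbound_other_syn": Packet("tcp", EXTERNAL, 50002, INTERNAL, 8080, frozenset({"SYN"})),
    # the same attempt, but the sender chose source port 22 (shows the weakness of source-port rules)
    "unsolicited_syn_from_port_22": Packet("tcp", EXTERNAL, 22, INTERNAL, 8080, frozenset({"SYN"})),
}

ACL_DST_PORT_ONLY = "remark ssh\npermit tcp any any eq ssh sequence 60\ndeny ipv6 any any\n"
ACL_WITH_SRC_PORT = ACL_DST_PORT_ONLY.replace(
    "deny ipv6 any any", "permit tcp any eq ssh any sequence 61\ndeny ipv6 any any")
ACL_WITH_ESTABLISHED = ACL_DST_PORT_ONLY.replace(
    "deny ipv6 any any", "permit tcp any any established sequence 70\ndeny ipv6 any any")


def verdicts(acl_text):
    rules = parse_acl(acl_text)
    return {name: evaluate(rules, pkt)[0] for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    for label, acl in [("dst port only", ACL_DST_PORT_ONLY), ("plus src port", ACL_WITH_SRC_PORT),
                       ("plus established", ACL_WITH_ESTABLISHED)]:
        print(label, verdicts(acl))
```

With only "permit tcp any any eq ssh", the inbound filter accepts the public host's SYN to port 22 but drops the public server's reply to an internal client, because that reply has port 22 as its source and an ephemeral destination port; this is the asymmetry the question describes. Adding "permit tcp any eq ssh any" lets the reply through, but it also admits any packet whose sender simply chose source port 22, which is why the "established" form (or a stateful filter) is the safer way to admit return traffic for sessions initiated from the inside.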