access-list 'established' not working properly in 09.0.10

kpfleming
New Contributor III

Configuration snippets:

vlan 80 name untrusted by port
 untagged ethe 3/1/3
 ip access-group untrusted in

interface ve 80
 ip address 192.168.80.2/24

ip access-list extended untrusted
 enable accounting
 sequence 10 permit tcp any 192.168.0.0/16 established
 sequence 20 permit icmp any any
 sequence 30 permit udp any host 192.168.255.2 eq dns
 sequence 40 permit tcp any host 192.168.255.2 eq dns
 sequence 50 permit udp any host 192.168.255.1 eq ntp
 sequence 60 permit tcp any host 192.168.64.113 eq ssl
 sequence 70 deny tcp any 192.168.0.0/16
 sequence 80 deny udp any 192.168.0.0/16
 sequence 90 permit tcp any any
 sequence 100 permit udp any any

System attached to 3/1/3 has IP address 192.168.68.200/24, with its gateway set to 192.168.80.2.

With the above access-list that system is able to open TCP connections to 192.168.1.1, even though the initial SYN packet should not count as 'established'. If I remove the sequence 10 filter from the access-list, the system is no longer able to open such connections.

Yes, that's correct, that was a typo in the original post.

The goal here is to allow hosts on VLANs 88 and 89 to make connections to hosts on VLAN 80, but not allow the reverse. Because of that your proposed solution won't work, but I'll experiment with some other options and report back here.

Also, if someone could DM me about getting a support contract in place I'd appreciate that... I used the 'contact us' form some time ago to inquire about it but never got any response.

I tried using 'permit tcp 192.168.80.0/24 any established' to limit the source instead of the destination, but that didn't work... host 192.168.80.200 was able to initiate TCP connections to hosts outside of VLAN 80.

I've got a workaround for this so I'm not blocked on it. Thanks for the help so far.
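The following is an added example, not code from the original post or from the switch vendor. It is a small reference evaluator for the ACL posted above (and for the source-based variant tried in the later reply), written to document what a correctly implemented 'established' keyword should decide for each packet. It assumes the semantics documented for that keyword on Cisco-style and FastIron ACLs: a rule carrying 'established' matches only TCP segments with the ACK or RST bit set, so a bare SYN must fall through. The function names (parse_acl, evaluate), the Rule and Packet classes and the sample packets are all constructed here; the port-name mapping (dns=53, ntp=123, ssl=443) is the standard IANA assignment and is assumed to be what the switch resolves those names to. The expected outcome for the first sample packet is the opposite of what the poster observed on 09.0.10.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# The access-list from the original post, fed in verbatim as the parser input.
ACL_TEXT = """
 sequence 10 permit tcp any 192.168.0.0/16 established
 sequence 20 permit icmp any any
 sequence 30 permit udp any host 192.168.255.2 eq dns
 sequence 40 permit tcp any host 192.168.255.2 eq dns
 sequence 50 permit udp any host 192.168.255.1 eq ntp
 sequence 60 permit tcp any host 192.168.64.113 eq ssl
 sequence 70 deny tcp any 192.168.0.0/16
 sequence 80 deny udp any 192.168.0.0/16
 sequence 90 permit tcp any any
 sequence 100 permit udp any any
"""

# The source-based variant from the later reply, with sequence 10 swapped.
ACL_TEXT_SRC_VARIANT = ACL_TEXT.replace(
    "sequence 10 permit tcp any 192.168.0.0/16 established",
    "sequence 10 permit tcp 192.168.80.0/24 any established")

# Assumed port-name resolution (standard IANA values).
PORT_NAMES = {"dns": 53, "ntp": 123, "ssl": 443}


@dataclass
class Rule:
    seq: int
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]
    established: bool


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: int = 0
    ack: bool = False
    rst: bool = False


def _parse_addr(tokens):
    """Consume one address spec ('any', 'host X', or 'X/len'); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(tokens[0], strict=False), tokens[1:]


def parse_acl(text):
    """Parse 'sequence N permit|deny proto src dst [eq port] [established]' lines."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] != "sequence":
            continue
        seq, action, proto = int(t[1]), t[2], t[3]
        src, rest = _parse_addr(t[4:])
        dst, rest = _parse_addr(rest)
        dport, established = None, False
        while rest:
            if rest[0] == "eq":
                dport = PORT_NAMES.get(rest[1]) or int(rest[1])
                rest = rest[2:]
            elif rest[0] == "established":
                established, rest = True, rest[1:]
            else:
                raise ValueError(f"unsupported token {rest[0]!r} in: {line}")
        rules.append(Rule(seq, action, proto, src, dst, dport, established))
    return sorted(rules, key=lambda r: r.seq)


def matches(rule, pkt):
    if rule.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in rule.src:
        return False
    if ipaddress.ip_address(pkt.dst) not in rule.dst:
        return False
    if rule.dport is not None and pkt.dport != rule.dport:
        return False
    # 'established' matches only segments with ACK or RST set (assumed semantics);
    # the initial SYN of a new connection carries neither, so it must not match here.
    if rule.established and not (pkt.ack or pkt.rst):
        return False
    return True


def evaluate(rules, pkt):
    """Return (action, sequence) of the first matching rule, or ('deny', None) for the implicit deny."""
    for r in rules:
        if matches(r, pkt):
            return r.action, r.seq
    return "deny", None


if __name__ == "__main__":
    # Constructed sample packets entering VLAN 80 from the untrusted host.
    samples = [
        ("new SYN to VLAN 1 host", Packet("tcp", "192.168.80.200", "192.168.1.1", 22)),
        ("ACK of an inbound-initiated session", Packet("tcp", "192.168.80.200", "192.168.1.1", 22, ack=True)),
        ("DNS query", Packet("udp", "192.168.80.200", "192.168.255.2", 53)),
        ("HTTPS to permitted host", Packet("tcp", "192.168.80.200", "192.168.64.113", 443)),
        ("other UDP into 192.168/16", Packet("udp", "192.168.80.200", "192.168.1.50", 5000)),
        ("SYN to the Internet", Packet("tcp", "192.168.80.200", "8.8.8.8", 80)),
    ]
    for name, acl in (("original", ACL_TEXT), ("source-based variant", ACL_TEXT_SRC_VARIANT)):
        rules = parse_acl(acl)
        print(f"== {name} ==")
        for label, pkt in samples:
            print(f"{label:38s} -> {evaluate(rules, pkt)}")
```

Running it prints, for both ACL variants, that the bare SYN to 192.168.1.1 lands on the deny at sequence 70, while the same flow with ACK set is permitted by sequence 10; that is the behaviour the poster expected and did not get, so the table is a useful reference when reproducing the problem against a test port.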

Hi Kevin,

Can you please email me your location, email address and phone number at my email address: hashim.bharoocha@commscope.com. I will have the support team reach out to you.

Also you can try this link:

https://www.commscope.com/resources/how-to-buy/public-sector-procurement-contracts/

Thanks

Best Regards

Hashim