LAN Routing

 
Alex16
Visitor

Allowing external established connections to VLAN

Hello,

I am configuring an HP 1920 switch and want to achieve this:
Devices in VLAN 20 have only access to IP network of VLAN interface 20 (192.168.20.0) and to IP network of VLAN 1 (192.168.1.0). Devices in other networks (e.g. 192.168.10.0) should be able to establish connections in VLAN 20.

So far I achieved everything except the established connections from other networks.

This is the ACL being used:

Advanced ACL 3500, named -none-, 4 rules,
ACL's step is 5
rule 0 permit tcp established source 192.168.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
rule 5 permit ip source 192.168.20.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
rule 6 permit ip source 192.168.20.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
rule 10 deny ip

Attached to the test port in this way:

Interface: GigabitEthernet1/0/13
In-bound Policy:
acl 3500, Successful

From a device attached to port 13 using IP 192.168.20.109 I can't ping 192.168.10.x, I can ping 192.168.20.x. This is what I wanted. But I am not able to ping from another device (192.168.10.167) connected at port 11 to 192.168.20.109 although access in this direction should work as of rule 0. There is no packet-filter or QoS policy used at port 11. As soon as I remove the packet filter from port 13 I can ping to 192.168.20.109 from 192.168.10.167. So there must be something wrong with the ACL 3500.

I hope someone here can help me figure out the right settings.

Regards,
Alex

Vince-Whirlwind
Honored Contributor

Re: Allowing external established connections to VLAN

Your ACL Denys traffic from 192.168.20.0 to 192.168.10.0, so of course you can't get a ping response back.

Alex16
Visitor

Re: Allowing external established connections to VLAN

For my understanding rule 0 allows traffic from 192.168.20.0 back to 192.168.10.0 for connections initiated from 192.168.10.0 because of the tcp established statement.

Just to be sure it is clear what I want to achieve:

Devices in VLAN 20 have only access to IP network of VLAN interface 20 (192.168.20.0) and to IP network of VLAN 1 (192.168.1.0). Devices in other networks (e.g. 192.168.10.0 VLAN 10) should be able to establish connections to VLAN 20.

Do you know how to achieve this?

 

16again
Respected Contributor

Re: Allowing external established connections to VLAN

The L3 switch is not a stateful firewall.
Established only works for TCP, but this doesn't check session state in the device, but simply matches a bit in the TCP packet.

For allowing one-way ping, you might get away using echo-reply and echo-request in FW rules
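
The following is an added example, not code from the thread or from HP: a small Python model of how a stateless switch ACL evaluates packets, loaded with ACL 3500 exactly as posted above. It shows why the ping from 192.168.10.167 fails (the echo-reply leaving port 13 is ICMP, so the tcp established rule never matches and the traffic falls through to rule 10), why "established" is only a test of the ACK/RST bits with no session lookup, and how a variant that permits ICMP echo-reply toward VLAN 10 lets one-way ping through. The Packet and Rule classes, rule id 7 and the icmp-type qualifier are assumptions of this model; the wildcard-mask semantics are the usual ACL ones.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import FrozenSet, List, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")   # ACL "any": every bit is don't-care


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """ACL wildcard semantics: bits set in the wildcard are ignored."""
    a, b, w = (int(ip_address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)


@dataclass(frozen=True)
class Packet:
    proto: str                                 # "tcp", "udp" or "icmp"
    src: str
    dst: str
    tcp_flags: FrozenSet[str] = frozenset()    # e.g. {"SYN"} or {"ACK"}
    icmp_type: Optional[str] = None            # "echo-request" / "echo-reply"


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str                        # "permit" or "deny"
    proto: str                         # "ip" matches every protocol
    src: Tuple[str, str] = ANY         # (address, wildcard) as in the ACL syntax
    dst: Tuple[str, str] = ANY
    established: bool = False          # TCP only: ACK or RST bit set
    icmp_type: Optional[str] = None    # hypothetical icmp-type qualifier

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if not (wildcard_match(pkt.src, *self.src) and wildcard_match(pkt.dst, *self.dst)):
            return False
        # "established" is a flag test, not a session lookup: any TCP packet with
        # ACK or RST set matches, whether or not a handshake ever happened.
        if self.established and not (pkt.tcp_flags & {"ACK", "RST"}):
            return False
        if self.icmp_type is not None and pkt.icmp_type != self.icmp_type:
            return False
        return True


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First matching rule wins; no match at all means implicit deny."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action, rule.rule_id
    return "deny", None


VLAN20 = ("192.168.20.0", "0.0.0.255")
VLAN10 = ("192.168.10.0", "0.0.0.255")
VLAN1 = ("192.168.1.0", "0.0.0.255")

# ACL 3500 as posted in the thread, applied inbound on port 13
ACL_3500 = [
    Rule(0, "permit", "tcp", VLAN20, VLAN10, established=True),
    Rule(5, "permit", "ip", VLAN20, VLAN1),
    Rule(6, "permit", "ip", VLAN20, VLAN20),
    Rule(10, "deny", "ip"),
]

# Hypothetical variant for one-way ping: permit only ICMP echo-reply toward
# VLAN 10 before the final deny (rule id 7 and the icmp-type match are assumptions)
ACL_3500_ONE_WAY_PING = ACL_3500[:3] + [
    Rule(7, "permit", "icmp", VLAN20, VLAN10, icmp_type="echo-reply"),
    ACL_3500[3],
]

# Constructed packets, all as seen inbound on port 13 (sent by 192.168.20.109)
PING_REPLY = Packet("icmp", "192.168.20.109", "192.168.10.167", icmp_type="echo-reply")
PING_REQUEST = Packet("icmp", "192.168.20.109", "192.168.10.167", icmp_type="echo-request")
TCP_SYN = Packet("tcp", "192.168.20.109", "192.168.10.167", tcp_flags=frozenset({"SYN"}))
TCP_ACK = Packet("tcp", "192.168.20.109", "192.168.10.167", tcp_flags=frozenset({"ACK"}))
TO_VLAN1 = Packet("icmp", "192.168.20.109", "192.168.1.5", icmp_type="echo-request")

SCENARIOS = [
    ("ICMP echo-reply to VLAN 10", PING_REPLY),
    ("ICMP echo-request to VLAN 10", PING_REQUEST),
    ("TCP SYN to VLAN 10", TCP_SYN),
    ("TCP ACK to VLAN 10", TCP_ACK),
    ("ICMP echo-request to VLAN 1", TO_VLAN1),
]


def scenario_table(acl: List[Rule]) -> dict:
    """Evaluate every constructed packet against an ACL."""
    return {label: evaluate(acl, pkt) for label, pkt in SCENARIOS}


if __name__ == "__main__":
    for name, acl in (("as posted", ACL_3500), ("with echo-reply rule", ACL_3500_ONE_WAY_PING)):
        print(f"ACL 3500 {name}:")
        for label, result in scenario_table(acl).items():
            print(f"  {label:<30} -> {result}")
```

With the ACL as posted, the echo-reply is dropped by rule 10 while a TCP segment carrying ACK is permitted by rule 0; the model has no session table, so that ACK segment is permitted regardless of whether VLAN 10 ever opened the connection, which is the limitation 16again describes. The variant adds only an echo-reply permit, so VLAN 20 can answer pings but still cannot send echo-requests or TCP SYNs into VLAN 10.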

Vince-Whirlwind
Honored Contributor

Re: Allowing external established connections to VLAN

I've actually had to do something like that before - they wanted ICMP blocked, but I pointed out that RFC1191 requires ICMP Type3, Code4 messages to be passed and blocking them made them non-compliant with the RFC (turns their routers into black hole routers for large packets with DNF bit set to 1).

I don't know if you can use an ACL to define different rules for different types of ICMP messages...?

All in all, ACLs aren't really the way to deal with this kind of thing. Authenticating users onto the network and setting permissions on hosts is the way to do this.