5900AF ACLs

dgeronik · ‎01-13-2018

Hello Everyone!

I need to do the following

I have 2 VANs (VLAN 1 and VALAN 2) and I need RDP access bidirectional between 2 specific hosts of those 2 VlANs. VLAN1 is routable VLAN 2 is not

I made the following configiration:

interface Vlan-interface1
ip address 192.168.2.250 255.255.255.0
packet-filter 3001 inbound

acl number 3001

rule 10 permit tcp source 192.168.1.50 0 destination 192.168.2.50 0 destination-port eq 3389
rule 50 deny ip any

With this configuration i have RDP access from 192.168.1..50 but not the oposite

sdide · ‎01-15-2018

Hi,

the reverse will not work because you have only allowed destination port 3389, and when your client/server roles are reversed, the destination will be a different port, typically a random port (you can read more about how ports should be assigned in RFC 6335 https://tools.ietf.org/html/rfc6335) . The switch ACL is just looking at each single packet, it does not keep track of established connections.

In your case, when the destination port is not 3389 (which a random port should never be) inbound on vlan 1, the packet (the answer from the server) will be blocked. (see drawings)

You don't have any nice solutions to this. But,

1: you could allow all ports. This would make it work.

2: Maybe you could force your RDP client to initiate on a specific (not random) port, and then allow that port aswell.

Regards.

Søren Dideriksen, Network Administrator
Region Midtjylland

5900AF ACLs

5900AF ACLs

Re: 5900AF ACLs

Hewlett Packard Enterprise International