ACL and IP forwarding between VLANs

Create Date: Jun 20 2012 5:48AM

Hi,

On a Black Diamond (aka Aspen) 8810 (with EXOS 12.1), I have a VLAN (let's call it "isolated") that I would like isolated from all other VLANs except for a few specific hosts. Traffic should be routed only for those hosts belonging to other VLANs.

My first idea is to enable ipforwarding for this VLAN "isolated" (ipforwarding is already enabled for all other VLANs) and configure ACLs on this VLAN that permit packets to and from the few specific authorized hosts, and a default ACL that matches everything else and denies all packets.

But this won't work, since on this model ACLs are only possible for ingress traffic, so it will drop all traffic from any VLAN to VLAN "isolated", but it won't drop traffic from VLAN "isolated" to other VLANs. I don't like it from the security point of view.

Is there a way to do that? I'm far from being a network expert, but isn't it a very common need?

Thanks in advance

Matthieu

(from matthieu_imbert)
Create Date: Jun 20 2012 7:54AM

Hey Matthieu

I think the thing that is missing is that the ACLs in XOS are not stateful ACLs like you have in a router. If you need to restrict traffic in both directions then you need ACLs from/to all VLANs.

For example, subnet 1 is 1.1.1.0/24 and subnet 2 is 2.2.2.0/24. If I have an ACL that sees a source of 1.1.1.1 going to 2.2.2.1 and I deny it, that does not mean 2.2.2.1 can't send a packet back to 1.1.1.1. What it will do is stop the connection, because any ack packets from 1.1.1.1 to set up the connection will be blocked, so you should not see any IP connections being built, but that doesn't mean that 2.2.2.1 can't send DoS packets or something.

If you need to restrict all packets then you would need a second ACL entry denying 2.2.2.1 talking to 1.1.1.1

Hope that makes sense

P

(from Paul_Russo)
Create Date: Jun 20 2012 8:25AM



(from matthieu_imbert)
Create Date: Jun 20 2012 8:32AM

Hi Prusso, thanks for your answer, it makes sense.

I came to the same conclusion: I need to create as many ACLs as there are networks.

I hoped that there could be another way, because I have a lot of networks. Also the network addressing scheme will evolve in the future, some networks can be added or modified, and I or other admins will always have to remember to update the ACLs accordingly, which is a recipe for security holes.

I tried to imagine a way with two ACLs configured for all ports, which would drop all packets with source or destination in the isolated VLAN, but this would require being able to negate a match in the ACL syntax, something like:

entry block-to-isolated {
    if {
        source-address 2.2.2.0/24;
        destination-address NOT 2.2.2.0/24;
    } then {
        deny;
    }
}
entry block-from-isolated {
    if {
        destination-address 2.2.2.0/24;
        source-address NOT 2.2.2.0/24;
    } then {
        deny;
    }
}


Indeed, it seems I'm stuck with the "as many ACLs as networks" solution (I don't say "as many ACLs as VLANs" because I have more networks than VLANs).

Matthieu

(from matthieu_imbert)
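The two points raised above (the ACLs are stateless and ingress-only, so both directions need their own entries, and the per-network entries have to be kept in sync as the addressing scheme changes) can be handled by generating the policy files from one list of networks and authorized hosts instead of hand-editing them. The following script is an added example, not code from either poster or from Extreme Networks. The topology (VLAN "isolated" on 2.2.2.0/24, VLANs "servers" and "users", hosts 1.1.1.1 and 3.3.3.10) is constructed; the EXOS policy-file syntax used is the documented `entry { if { source-address ...; destination-address ...; } then { permit|deny; } }` form with top-down first-match evaluation, and the `configure access-list <policy> vlan <vlan> ingress` command printed at the end is assumed to be the applicable form for this release.

```python
"""Generate per-VLAN ingress ACL policies that isolate one VLAN from all other
routed networks except a few authorized hosts (added example, not from the thread)."""
import ipaddress

# Constructed sample topology (not from the original posts).
ISOLATED_VLAN = "isolated"
ISOLATED_NET = "2.2.2.0/24"
OTHER_VLANS = {                      # VLAN name -> routed networks on it
    "servers": ["1.1.1.0/24"],
    "users": ["3.3.3.0/24", "3.3.4.0/24"],
}
AUTHORIZED_HOSTS = ["1.1.1.1", "3.3.3.10"]   # the only hosts allowed to reach "isolated"


def acl_entry(name, conditions, action):
    """Render one EXOS policy-file entry. Entries are evaluated top-down, first match wins."""
    conds = "".join(f"        {c};\n" for c in conditions)
    return (f"entry {name} {{\n    if {{\n{conds}    }} then {{\n"
            f"        {action};\n    }}\n}}\n")


def vlan_of_host(host, other_vlans):
    """Find which VLAN an authorized host lives on; refuse hosts in no listed network,
    so a stale network list fails loudly instead of silently leaving a hole."""
    addr = ipaddress.ip_address(host)
    for vlan, nets in other_vlans.items():
        if any(addr in ipaddress.ip_network(n) for n in nets):
            return vlan
    raise ValueError(f"{host} is in no listed network; update OTHER_VLANS first")


def build_policies(isolated_vlan, isolated_net, other_vlans, hosts):
    """Return {vlan_name: policy text}. One ingress policy per VLAN, because the
    ACLs are stateless and ingress-only: the isolated->others direction is enforced
    on the isolated VLAN, the others->isolated direction on every other VLAN."""
    for h in hosts:
        vlan_of_host(h, other_vlans)
    policies = {}

    # Ingress on the isolated VLAN: permit the authorized hosts, then deny each
    # other routed network explicitly. Bridged intra-VLAN traffic, ARP and the
    # like match no entry and are left alone, which a bare catch-all deny would break.
    entries = [acl_entry(f"permit_to_{h.replace('.', '_')}",
                         [f"source-address {isolated_net}", f"destination-address {h}/32"],
                         "permit") for h in hosts]
    for vlan, nets in other_vlans.items():
        for n in nets:
            tag = n.replace(".", "_").replace("/", "_")
            entries.append(acl_entry(f"deny_to_{vlan}_{tag}",
                                     [f"source-address {isolated_net}",
                                      f"destination-address {n}"], "deny"))
    policies[isolated_vlan] = "".join(entries)

    # Ingress on every other VLAN: permit only its own authorized hosts towards
    # the isolated network, then deny everything else headed there.
    for vlan in other_vlans:
        entries = [acl_entry(f"permit_from_{h.replace('.', '_')}",
                             [f"source-address {h}/32", f"destination-address {isolated_net}"],
                             "permit")
                   for h in hosts if vlan_of_host(h, other_vlans) == vlan]
        entries.append(acl_entry("deny_to_isolated",
                                 [f"destination-address {isolated_net}"], "deny"))
        policies[vlan] = "".join(entries)
    return policies


def apply_commands(policies, suffix="_isolation"):
    """CLI lines to bind each generated policy as an ingress ACL on its VLAN
    (assumed command form; the policy file <vlan><suffix>.pol must be on the switch)."""
    return [f"configure access-list {vlan}{suffix} vlan {vlan} ingress" for vlan in policies]


if __name__ == "__main__":
    pols = build_policies(ISOLATED_VLAN, ISOLATED_NET, OTHER_VLANS, AUTHORIZED_HOSTS)
    for vlan, text in pols.items():
        print(f"# {vlan}_isolation.pol\n{text}")
    print("\n".join(apply_commands(pols)))
```

Adding a network or an authorized host then means editing one dictionary and regenerating every policy, rather than remembering which of the per-VLAN ACLs need a new entry; the `vlan_of_host` check makes the script refuse to run when a host is listed that no known network covers.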
Create Date: Jun 22 2012 12:11AM

Would it be possible to tackle this problem in a different way: instead of using ACLs to isolate the VLAN, could I explicitly remove the routes automatically added when I enable ipforwarding on this VLAN, and then re-enable only the few routes to the specific hosts which are authorized to talk to the VLAN?

What do you think?

Matthieu

(from matthieu_imbert)
