topic Ingress ACL Block traffic to Private networks and Enable establish from Private Network in ExtremeSwitching (EXOS/Switch Engine) https://community.extremenetworks.com/t5/extremeswitching-exos-switch/ingress-acl-block-traffic-to-private-networks-and-enable/m-p/93962#M21668 <P>Hi Guys</P><P>I am managing and testing an EXOS x435;</P><P>Setup:</P><P>Ingress ACL to VLAN8 to block all private traffic:</P><P>source VLAN8 destination All Private networks 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16</P><P>Apply rule to VLAN8 in Ingress (only), everything works.</P><P>but</P><P>I need to enable establish traffic from private networks to VLAN8.</P><P>I tried to set TCP-flags ACK and SYN_ACK but nothing, It doesn't work</P><P>Any suggestions?</P><P>THIS is the policy:</P><P>/*entry vlan8{<BR />if {<BR />source-address 10.5.207.192/27;<BR />destination-address 10.5.207.192/27;<BR />}<BR />then<BR />{<BR />permit;<BR />}<BR />}<BR />entry responsePrivate1{<BR />if match all{<BR />destination-address 10.0.0.0/8;<BR />protocol TCP;<BR />TCP-flags ACK;<BR />}<BR />then<BR />{<BR />permit;<BR />}<BR />}<BR />entry responsePrivate2{<BR />if match all{<BR />destination-address 10.0.0.0/8;<BR />protocol TCP;<BR />TCP-flags SYN_ACK;<BR />}<BR />then<BR />{<BR />permit;<BR />}<BR />}<BR />entry rete10 {<BR />if {<BR />source-address 10.5.207.192/27;<BR />destination-address 10.0.0.0/8;<BR />}<BR />then<BR />{<BR />deny;<BR />}<BR />}<BR />entry rete172 {<BR />if {<BR />source-address 10.5.207.192/24;<BR />destination-address 172.16.0.0/12;<BR />}<BR />then<BR />{<BR />deny;<BR />}<BR />}<BR />entry rete192 {<BR />if {<BR />source-address 10.5.207.192/27;<BR />destination-address 192.168.0.0/16;<BR />}<BR />then<BR />{<BR />deny;<BR />}<BR />}<BR />entry resto {<BR />if {<BR />source-address 10.5.207.192/27;<BR />}<BR />then<BR />{<BR />permit;<BR />}<BR />} */</P><P>Marco</P> Wed, 30 Nov 2022 15:36:23 GMT marconet_22 2022-11-30T15:36:23Z Ingress ACL Block traffic to Private networks and Enable establish from Private Network https://community.extremenetworks.com/t5/extremeswitching-exos-switch/ingress-acl-block-traffic-to-private-networks-and-enable/m-p/93962#M21668 <P>Hi Guys</P><P>I am managing and testing an EXOS x435;</P><P>Setup:</P><P>Ingress ACL to VLAN8 to block all private traffic:</P><P>source VLAN8 destination All Private networks 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16</P><P>Apply rule to VLAN8 in Ingress (only), everything works.</P><P>but</P><P>I need to enable establish traffic from private networks to VLAN8.</P><P>I tried to set TCP-flags ACK and SYN_ACK but nothing, It doesn't work</P><P>Any suggestions?</P><P>THIS is the policy:</P><P>/*entry vlan8{<BR />if {<BR />source-address 10.5.207.192/27;<BR />destination-address 10.5.207.192/27;<BR />}<BR />then<BR />{<BR />permit;<BR />}<BR />}<BR />entry responsePrivate1{<BR />if match all{<BR />destination-address 10.0.0.0/8;<BR />protocol TCP;<BR />TCP-flags ACK;<BR />}<BR />then<BR />{<BR />permit;<BR />}<BR />}<BR />entry responsePrivate2{<BR />if match all{<BR />destination-address 10.0.0.0/8;<BR />protocol TCP;<BR />TCP-flags SYN_ACK;<BR />}<BR />then<BR />{<BR />permit;<BR />}<BR />}<BR />entry rete10 {<BR />if {<BR />source-address 10.5.207.192/27;<BR />destination-address 10.0.0.0/8;<BR />}<BR />then<BR />{<BR />deny;<BR />}<BR />}<BR />entry rete172 {<BR />if {<BR />source-address 10.5.207.192/24;<BR />destination-address 172.16.0.0/12;<BR />}<BR />then<BR />{<BR />deny;<BR />}<BR />}<BR />entry rete192 {<BR />if {<BR />source-address 10.5.207.192/27;<BR />destination-address 192.168.0.0/16;<BR />}<BR />then<BR />{<BR />deny;<BR />}<BR />}<BR />entry resto {<BR />if {<BR />source-address 10.5.207.192/27;<BR />}<BR />then<BR />{<BR />permit;<BR />}<BR />} */</P><P>Marco</P> Wed, 30 Nov 2022 15:36:23 GMT https://community.extremenetworks.com/t5/extremeswitching-exos-switch/ingress-acl-block-traffic-to-private-networks-and-enable/m-p/93962#M21668 marconet_22 2022-11-30T15:36:23Z