I am trying to optimize the access control list rules on a Cisco SG500X-48 Small Business switch (on Layer 3). The general aim is to regulate the traffic between two VLANs (e.g., 10 and 30) in such a way that VLAN 30 has access to VLAN 10, but only for specific protocols, while VLAN 10 has no access at all to VLAN 30.
Thus far I have configured the switch only for ICMP and HTTP as an initial test, like this:
Extended IP access list VLAN 10 Test 1
permit icmp 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255 ace-priority 10 type echo-reply code any
permit tcp 192.168.30.0 0.0.0.255 any 192.168.10.0 0.0.0.255 www ace-priority 20
permit tcp 192.168.10.0 0.0.0.255 www 192.168.30.0 0.0.0.255 any ace-priority 21
deny ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255 ace-priority 100
and applied this as an ingress ACL to VLAN 10. As a result:
- VLAN 30 can ping VLAN 10
- VLAN 30 can access VLAN 10 on HTTP (but cannot access any other service in VLAN 10)
- VLAN 10 has no access to VLAN 30 whatsoever
So far, so good. However, as I need to configure such ACL entries for multiple protocols on multiple VLANs, I wondered if I couldn't minimize the required entries by first allowing the requests from VLAN 30 to VLAN 10 from TCP any to any port:
permit tcp 192.168.30.0 0.0.0.255 any 192.168.10.0 0.0.0.255 any ace-priority 20
and then permitting the replies from VLAN 10 only for the ports corresponding to the services that I wish to allow to respond to the requests:
permit tcp 192.168.10.0 0.0.0.255 www 192.168.30.0 0.0.0.255 any ace-priority 21
permit tcp 192.168.10.0 0.0.0.255 telnet 192.168.30.0 0.0.0.255 any ace-priority 22
permit tcp 192.168.10.0 0.0.0.255 ssh 192.168.30.0 0.0.0.255 any ace-priority 23
…
Unfortunately, this doesn't seem to work, as when I configured and applied to VLAN 10 the following ACL on the switch:
Extended IP access list VLAN 10 Test 2
permit icmp 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255 ace-priority 10 type echo-reply code any
permit tcp 192.168.30.0 0.0.0.255 any 192.168.10.0 0.0.0.255 any ace-priority 20
permit tcp 192.168.10.0 0.0.0.255 www 192.168.30.0 0.0.0.255 any ace-priority 21
deny ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255 ace-priority 100
VLAN 30 lost access to VLAN 10 on HTTP. On the contrary, and for a reason as of yet inexplicable to me, VLAN 10 suddenly was able to access VLAN 30 on HTTP, which of course shouldn't happen.
I searched the web for a deeper explanation of how ACL rules work, but was unable to find anything explaining this behaviour. I guess I might be missing something fundamental. Could you please enlighten me?
Thank you in advance for your time.
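As an added illustration (not part of the question, and not the switch's own matching logic): a small stateless first-match evaluator in Python, fed with the "VLAN 10 Test 2" list from the post and a constructed HTTP exchange. It judges every packet on its own against the list, ignoring which VLAN the list is bound to as ingress, so it shows what the rule text says rather than what the SG500X actually did. Host addresses, ephemeral ports and the simplification of the ICMP rule are assumptions.

```python
import ipaddress
from typing import NamedTuple, Optional

class Ace(NamedTuple):
    priority: int          # ace-priority: lower number is checked first
    action: str            # "permit" or "deny"
    proto: str             # "ip" matches any IP protocol
    src: str               # wildcard 0.0.0.255 written as a /24 network
    sport: Optional[int]   # None == any
    dst: str
    dport: Optional[int]

class Pkt(NamedTuple):
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]

def matches(ace: Ace, pkt: Pkt) -> bool:
    """Stateless match: every field of the ACE must fit this single packet."""
    return ((ace.proto == "ip" or ace.proto == pkt.proto)
            and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(ace.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(ace.dst)
            and ace.sport in (None, pkt.sport)
            and ace.dport in (None, pkt.dport))

def evaluate(acl: list, pkt: Pkt) -> str:
    """First matching ACE in ace-priority order decides; implicit deny otherwise."""
    for ace in sorted(acl, key=lambda a: a.priority):
        if matches(ace, pkt):
            return ace.action
    return "deny"

# "VLAN 10 Test 2" from the post (ICMP type/code is not modelled here).
TEST2 = [
    Ace(10, "permit", "icmp", "192.168.10.0/24", None, "192.168.30.0/24", None),
    Ace(20, "permit", "tcp", "192.168.30.0/24", None, "192.168.10.0/24", None),
    Ace(21, "permit", "tcp", "192.168.10.0/24", 80, "192.168.30.0/24", None),
    Ace(100, "deny", "ip", "192.168.10.0/24", None, "192.168.30.0/24", None),
]

# Constructed sample packets (host addresses and ephemeral ports are made up).
HTTP_REQ_30_TO_10 = Pkt("tcp", "192.168.30.5", 51000, "192.168.10.5", 80)
HTTP_REP_10_TO_30 = Pkt("tcp", "192.168.10.5", 80, "192.168.30.5", 51000)
HTTP_REQ_10_TO_30 = Pkt("tcp", "192.168.10.5", 51001, "192.168.30.5", 80)
# Not a reply at all: a VLAN 10 host that opens a new connection from source port 80.
SPORT80_10_TO_30 = Pkt("tcp", "192.168.10.5", 80, "192.168.30.5", 22)
```

Under this plain reading the exchange started from VLAN 30 is permitted in both directions and a VLAN 10 request to port 80 is denied, so the behaviour seen on the switch must come from something this reading leaves out (such as the ingress direction the list is bound to). The last packet shows the cost of a source-port "reply" rule in a stateless list: it is not tied to any request and permits whatever a VLAN 10 host sends from source port 80.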