Help with ACLs on Ruckus ICX7150


tzaman

New Member
Jun 5, 2020
Hey, much like many around here, I decided to swap my Unifi gear for Ruckus, and now I'm trying to learn some more advanced stuff (at least for my level), so please bear with me.

I have two VLANs defined on the switch: the default (VLAN 1), which my core infrastructure is connected to, such as switches and servers, and VLAN 5, which is where IoT devices and wifi clients are. Now I'm trying to set up some basic ACLs in order to stop devices on VLAN 5 from talking to devices on VLAN 1 (and to each other unless specifically permitted).

VLAN 1 network is 10.0.0.0/24
VLAN 5 network is 10.0.5.0/24

Here's the relevant part of the config:
Code:
ver 08.0.95gT213
!
stack unit 1
  module 1 icx7150-24p-poe-port-management-module
  module 2 icx7150-2-copper-port-2g-module
  module 3 icx7150-4-sfp-plus-port-40g-module
!
!
!
!
!
vlan 1 name DEFAULT-VLAN by port
router-interface ve 1
!
vlan 5 name IOT by port
tagged ethe 1/3/4
router-interface ve 5
ip access-group iot4 in
!
!
!
!
!
interface ethernet 1/3/4
port-name NAS
no optical-monitor
!
interface ve 1
ip address 10.0.0.6 255.255.255.0
ip bootp-gateway 10.0.0.6
ip helper-address 1 10.0.0.8
!
interface ve 5
port-name IOT
ip address 10.0.5.6 255.255.255.0
ip helper-address 1 10.0.0.8
!
ip access-list extended iot4
enable accounting
sequence 10 permit tcp any any established
sequence 20 permit udp any host 10.0.0.8 eq bootps
sequence 30 permit udp any host 10.0.0.8 eq bootpc
sequence 40 permit udp any host 10.0.0.8 eq dns
sequence 50 permit tcp any host 10.0.0.8 eq dns
sequence 60 permit tcp any host 10.0.0.12 eq 32400
sequence 70 deny ip 10.0.5.0 0.0.0.255 10.0.0.0 0.0.255.255 log
sequence 80 permit ip any any
!
!
!
end
Problem: On my NAS, I have a virtual machine with IP 10.0.5.45, which is on VLAN 5, but that machine can access a physical machine that's on VLAN 1 with IP 10.0.0.9, like SSH or curl, or anything that's open on 10.0.0.9. I was under the impression that my ACL should prevent that with the sequence 70 part of the ACL?

Any pointers would be more than welcome, I've been bashing my head against this for the past couple of days.

Thanks!

tzaman

New Member
Jun 5, 2020
It seems I have found the problem, so I'll just answer myself here in case someone finds this thread in the future with a similar problem.

With my ACL, I turned accounting on, so after checking the accounting table I saw that most traffic went through the first rule (permit tcp any any established). After removing that rule, the one in sequence 70 started to take effect to a much bigger degree.

Now I just have to figure out why I could ssh from 10.0.5.45 to 10.0.0.9 when the communication wasn't established (or it was but my limited skillset is unable to grasp why or how). But that's a problem for another day :)
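Added example (not from the thread, and not Ruckus code): a small first-match simulator in Python for the iot4 ACL posted above, showing why sequence 10 (`permit tcp any any established`) shadows the sequence 70 deny for every TCP segment that carries ACK or RST, while a bare SYN falls through to the deny. It assumes the ACL is evaluated top-down with the first match winning, that Ruckus's `established` keyword matches TCP segments with ACK or RST set, and that the wildcard masks in the config translate to /24 and /16 prefixes; the packet records are constructed, not captured traffic.

```python
import ipaddress

def in_net(ip, net):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net)

def established(p):
    # Assumption: "established" matches TCP segments with ACK or RST set.
    return p["proto"] == "tcp" and bool(p["flags"] & {"ACK", "RST"})

# The posted iot4 ACL as (sequence, action, match) tuples. Wildcard masks
# become prefixes: 0.0.0.255 -> /24, 0.0.255.255 -> /16 (so seq 70 covers
# all of 10.0.0.0/16, including VLAN 5 itself).
IOT4_AS_POSTED = [
    (10, "permit", established),
    (20, "permit", lambda p: p["proto"] == "udp" and p["dst"] == "10.0.0.8" and p["dport"] == 67),
    (30, "permit", lambda p: p["proto"] == "udp" and p["dst"] == "10.0.0.8" and p["dport"] == 68),
    (40, "permit", lambda p: p["proto"] == "udp" and p["dst"] == "10.0.0.8" and p["dport"] == 53),
    (50, "permit", lambda p: p["proto"] == "tcp" and p["dst"] == "10.0.0.8" and p["dport"] == 53),
    (60, "permit", lambda p: p["proto"] == "tcp" and p["dst"] == "10.0.0.12" and p["dport"] == 32400),
    (70, "deny",   lambda p: in_net(p["src"], "10.0.5.0/24") and in_net(p["dst"], "10.0.0.0/16")),
    (80, "permit", lambda p: True),
]

# The poster's change: the same ACL with sequence 10 removed.
IOT4_WITHOUT_ESTABLISHED = [r for r in IOT4_AS_POSTED if r[0] != 10]

def evaluate(acl, pkt):
    """Return (sequence, action) of the first matching rule; no match -> implicit deny."""
    for seq, action, match in acl:
        if match(pkt):
            return seq, action
    return None, "deny"

def tcp(src, dst, dport, *flags):
    """Constructed packet record with only the fields the rules inspect."""
    return {"proto": "tcp", "src": src, "dst": dst, "dport": dport, "flags": set(flags)}

if __name__ == "__main__":
    syn = tcp("10.0.5.45", "10.0.0.9", 22, "SYN")   # first segment of an SSH connection
    ack = tcp("10.0.5.45", "10.0.0.9", 22, "ACK")   # any later segment of that connection
    for name, acl in (("as posted", IOT4_AS_POSTED), ("without seq 10", IOT4_WITHOUT_ESTABLISHED)):
        print(f"{name:15} SYN -> {evaluate(acl, syn)}  ACK -> {evaluate(acl, ack)}")
```

Because the ACL is applied inbound on ve 5, it only ever sees traffic sourced from VLAN 5; with sequence 10 in place, any VLAN 5 host can send ACK-flagged segments to VLAN 1 and the deny at sequence 70 is never consulted for them, which is what the accounting counters showed.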