Ruckus / Brocade ACL - L3 default behavior

tubs-ffm

Active Member
Sep 1, 2013
Hello,

What is the default ACL behavior of the L3 router interfaces in Ruckus / Brocade FastIron?
By default, is routing between virtual router interfaces permitted or denied?

I want to use a Ruckus L3 switch for inter-VLAN routing between two VLANs connected to virtual router interfaces. Nothing complicated: only give access from some hosts of one network to some specific ports of some hosts in the other network. All other traffic between these two networks, in both directions, must be denied.

ve1 - VLAN 1 - 192.168.1.0/24
ve 10 - VLAN 10 - 192.168.10.0/24

I have understood how to create permit rules. But do I need additional deny rules?

Code:
ip access-list extended dmz2lan

permit tcp 192.168.10.0/24 host 192.168.1.100 eq 53
permit udp 192.168.10.0/24 host 192.168.1.100 eq 53
permit tcp host 192.168.10.50 host 192.168.1.100 eq ftp

int ve 10
ip access-group dmz2lan in
 

j_h_o

Active Member
Apr 21, 2015
California, US
I believe it's default permitted.

You want these hosts to only have this internal access, but give them unlimited internet access, correct? After these entries, I think you want:

Code:
remark block outbound access to all local VLANs
deny ip any 192.168.0.0 0.0.255.255
remark allow internet
permit ip any any

I'm not certain your ftp rule alone is enough -- you should test it.

I wrote up my example here: Layer 3 Switch Guest VLAN ACLs · Justin Ho
 

rocketpanda40

Member
Dec 12, 2019
Default when you have no ACLs assigned to an interface is allow all. As soon as you apply an ACL to an interface, default becomes deny all.

From the Security Configuration Guide:
Default ACL action
The default action when no ACLs are configured on a device is to permit all traffic. However, once you configure an ACL and apply
it to a port, the default action for that port is to deny all traffic that is not explicitly permitted on the port:
• If you want to tightly control access, configure ACLs consisting of permit entries for the access you want to permit. The
ACLs implicitly deny all other access.
• If you want to secure access in environments with many users, you might want to configure ACLs that consist of explicit
deny entries, then add an entry to permit all access to the end of each ACL. The software permits packets that are not
denied by the deny entries.
Take care that you write your rules appropriately whether you're applying the ACL to inbound or outbound traffic.
 

tubs-ffm

Active Member
Sep 1, 2013
You want these hosts to only have this internal access, but give them unlimited internet access, correct? After these entries, I think you want:

Code:
remark block outbound access to all local VLANs
deny ip any 192.168.0.0 0.0.255.255
remark allow internet
permit ip any any

Thank you for help and thank you for the link to your sample. I will study it to get a better understanding.

My actual plan is more simple. Besides L2 switching, the L3 switch will only route between two VLANs to get the benefit of the 10 Gbit links. The rest and the internet access are handled by the firewall, which is connected as a second router to the same VLANs (see below). For this reason, I only need to take care to control access between the two VLANs routed by the Ruckus, as well as access to the Ruckus itself.

But please correct me if there is something wrong in my logic. I am a home user and I want to increase my knowledge to use it in my home network.

 

tubs-ffm

Active Member
Sep 1, 2013
Default when you have no ACLs assigned to an interface is allow all. As soon as you apply an ACL to an interface, default becomes deny all.
Thank you. This answers my question.
Before asking in this thread, I tested it and was confused. This now explains the behaviour I observed but could not explain myself.

Take care that you write your rules appropriately whether you're applying the ACL to inbound or outbound traffic.
This is one open gap I have. So far, in the OPNsense firewall I have only applied rules inbound, never outbound. Here I am not yet sure if I can transfer this philosophy.
 

rocketpanda40

Member
Dec 12, 2019
Thank you. This answers my question.
Before asking in this thread, I tested it and was confused. This now explains the behaviour I observed but could not explain myself.

This is one open gap I have. So far, in the OPNsense firewall I have only applied rules inbound, never outbound. Here I am not yet sure if I can transfer this philosophy.
Generally, you'll mostly want inbound rules. This explainer is for Cisco IOS, but the concept is the same.
 

tubs-ffm

Active Member
Sep 1, 2013
You want these hosts to only have this internal access, but give them unlimited internet access, correct? After these entries, I think you want:
Yes, you are right. I need these rules even in my network topology.
Somehow, I had a different understanding. But here is a good place to learn.

But it is still not working. I have a fundamental mistake in my routing.
This topic is getting discussed here:

I have a basic question to inter (V)LAN routing and the related network topology with two routers in it.
 

tubs-ffm

Active Member
Sep 1, 2013
Still I am stuck with the ACL.

My routing issues are solved. Without ACLs all is working correctly. I can connect between both networks, LAN and DMZ, in both directions and to the outside. This now allows me to focus on the ACLs and narrow down any unwanted behaviour to the ACL config.

But as soon as I set up my ACLs I cannot connect anymore between the two networks. I am running out of ideas what I am doing wrong.

ACL for LAN - router interface ve1 (192.168.1.0/24)
Code:
no ip access-list extended lan2dmz
ip access-list extended lan2dmz

remark allow host to host in same VLAN and from outside
permit ip any 192.168.1.0/24

remark allow some hosts from lan to dmz
permit tcp 192.168.1.0/24 192.168.10.0/24 eq ssh
permit tcp 192.168.1.0/24 host 192.168.10.20 eq 25
remark some more permit rules ...

remark deny all other to DMZ
deny ip 192.168.1.0/24 192.168.10.0/24
remark allow everything else to everywhere
permit ip any any

int ve 1
ip access-group lan2dmz in
exit

ACL for DMZ - router interface ve10 (192.168.10.0/24)
Code:
no ip access-list extended dmz2lan
ip access-list extended dmz2lan

remark allow host to host in same VLAN and from outside
permit ip any 192.168.10.0/24

remark permit some host from DMZ to LAN
permit tcp 192.168.10.0/24 host 192.168.1.15 eq dns
permit udp 192.168.10.0/24 host 192.168.1.15 eq dns
permit tcp host 192.168.10.20 host 192.168.1.40 eq 25
remark some more permit rules ...

remark deny all other DMZ to LAN
deny ip 192.168.10.0/24 192.168.1.0/24
remark allow everything else to everywhere
permit ip any any

int ve 10
ip access-group dmz2lan in
exit

Any idea where the logic mistake is?
 

rocketpanda40

Member
Dec 12, 2019
But as soon as I set up my ACLs I cannot connect anymore between the two networks.
How are you testing this? Ping? SSH? Something else?

You haven't permitted icmp ping from LAN to DMZ (unless you just omitted it), so it won't ever leave the LAN. You did permit ssh from LAN to DMZ, but you did not permit the DMZ to actually establish that connection. You probably want something like this in your DMZ list, before the deny-to-LAN rule.

Code:
permit tcp 192.168.10.0/24 192.168.1.0/24 established

If any of this is incorrect, I would suggest posting your complete ACLs so we can make sure we're not missing anything.
 

tubs-ffm

Active Member
Sep 1, 2013
How are you testing this? Ping? SSH? Something else?

You haven't permitted icmp ping from LAN to DMZ (unless you just omitted it), so it won't ever leave the LAN. You did permit ssh from LAN to DMZ, but you did not permit the DMZ to actually establish that connection. You probably want something like this in your DMZ list, before the deny-to-LAN rule.
Thank you very much. If you know the answer to any problem, every problem seems to be so easy.

Yes, I used ping, ssh and http for testing. For ping it should have been clear to me. But I was not aware that I need established. This was not needed in OPNsense. But with your help it is now clear to me, and with these additional lines it is working:

Code:
permit tcp 192.168.10.0/24 192.168.1.0/24 established
permit icmp 192.168.10.0/24 192.168.1.0/24 echo-reply

I still need to check in detail and transfer the rules to the IPv6 config, but it looks OK so far.
 

rocketpanda40

Member
Dec 12, 2019
Thank you very much. If you know the answer to any problem, every problem seems to be so easy.

Yes, I used ping, ssh and http for testing. For ping it should have been clear to me. But I was not aware that I need established. This was not needed in OPNsense. But with your help it is now clear to me, and with these additional lines it is working:
Believe me, I've spent days troubleshooting homelab problems only to end up with a one-line fix many times. It's frustrating but also enlightening.

As far as the established rule: what this is doing is only allowing DMZ to communicate to LAN hosts when a LAN host first reached out to a DMZ host with a tcp connection. It will not allow a DMZ host to initiate a new TCP connection to a LAN host.
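As an added example (not from this thread, and not Ruckus or Brocade code), a small Python model of how a FastIron-style extended ACL is evaluated: first matching entry wins and every applied ACL ends in an implicit deny, as in the Security Configuration Guide excerpt quoted earlier, run over the thread's ve10 inbound list without and with the established and echo-reply entries. The packet model, the port-name table and all function names are assumptions of this example; only CIDR and host address terms are parsed, not wildcard masks.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

# Assumed packet model: ack = TCP ACK bit set (any segment after the SYN).
Pkt = namedtuple("Pkt", "proto src dst dport ack icmp", defaults=(0, False, ""))
PORTS = {"ssh": 22, "http": 80, "ssl": 443, "dns": 53, "ftp": 21}  # assumed subset

def _addr(t, i):  # 'any', 'host A.B.C.D' or 'A.B.C.D/len' -> (spec, next index)
    if t[i] == "any":
        return "any", i + 1
    if t[i] == "host":
        return t[i + 1] + "/32", i + 2
    return t[i], i + 1

def _in(spec, addr):
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)

def evaluate(acl, p):
    """First matching entry wins; an applied ACL ends in an implicit deny."""
    for line in acl:
        t = line.split()
        if not t or t[0] == "remark":
            continue
        src, i = _addr(t, 2)
        dst, i = _addr(t, i)
        opts = t[i:]
        if t[1] not in ("ip", p.proto) or not (_in(src, p.src) and _in(dst, p.dst)):
            continue
        port = opts[opts.index("eq") + 1] if "eq" in opts else None
        if port is not None and p.dport != (PORTS.get(port) or int(port)):
            continue
        if "established" in opts and not p.ack:          # reply segments only
            continue
        if "echo-reply" in opts and p.icmp != "echo-reply":
            continue
        return t[0]
    return "deny"                                        # implicit deny
# Constructed sample: the thread's ve10 inbound list, without and with the
# two return-traffic entries that made LAN-initiated ssh and ping work.
DMZ = ["permit ip any 192.168.10.0/24", "deny ip 192.168.10.0/24 192.168.1.0/24",
       "permit ip any any"]
DMZ_FIXED = DMZ[:1] + ["permit tcp 192.168.10.0/24 192.168.1.0/24 established",
                       "permit icmp 192.168.10.0/24 192.168.1.0/24 echo-reply"] + DMZ[1:]
SAMPLES = {"ssh_reply": Pkt("tcp", "192.168.10.20", "192.168.1.40", 51234, ack=True),
           "ssh_new": Pkt("tcp", "192.168.10.20", "192.168.1.40", 22),  # DMZ-initiated
           "ping_reply": Pkt("icmp", "192.168.10.20", "192.168.1.40", icmp="echo-reply")}

def check_all():
    """Per packet: (verdict without, verdict with) the return-traffic entries."""
    return {n: (evaluate(DMZ, p), evaluate(DMZ_FIXED, p)) for n, p in SAMPLES.items()}
```

The ssh_new packet stays denied in both lists, which is the point rocketpanda40 makes above: established only lets replies through, not DMZ-initiated connections.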
 

tubs-ffm

Active Member
Sep 1, 2013
As far as the established rule: what this is doing is only allowing DMZ to communicate to LAN hosts when a LAN host first reached out to a DMZ host with a tcp connection. It will not allow a DMZ host to initiate a new TCP connection to a LAN host.
Thank you. I understood the principle. Once you gave me the hint, I was able to get the right information out of the manual.

For testing purposes, and to get a better understanding of how these rules work, I "played" a little bit line by line. I discovered one behavior that I cannot explain.

I use this line to allow host to host communication in the same network:
Code:
remark allow host to host in same VLAN and from outside
permit ip any 192.168.1.0/24

Then I use these lines to allow management access to the ICX:
Code:
remark allow LAN to switch management
permit tcp 192.168.1.0/24 host 192.168.1.1 eq ssh
permit tcp 192.168.1.0/24 host 192.168.1.1 eq http
permit tcp 192.168.1.0/24 host 192.168.1.1 eq ssl

Fine, all is working. When I remove the second part, management access no longer works. But according to my understanding it should, because of the line above. The host 192.168.1.1 is part of the network 192.168.1.0/24. This I do not understand.

Just in case, here is the complete rule set:

Code:
no ip access-list extended lan
ip access-list extended lan

remark allow host to host in same VLAN and from outside
permit ip any 192.168.1.0/24

remark allow replies to connections opened from DMZ
permit tcp 192.168.1.0/24 192.168.10.0/24 established

remark allow LAN to switch management
permit tcp 192.168.1.0/24 host 192.168.1.1 eq ssh
permit tcp 192.168.1.0/24 host 192.168.1.1 eq http
permit tcp 192.168.1.0/24 host 192.168.1.1 eq ssl

remark permit some host from LAN to DMZ
permit icmp 192.168.1.0/24 192.168.10.0/24
permit tcp 192.168.1.0/24 192.168.10.0/24 eq http
permit tcp 192.168.1.0/24 192.168.10.0/24 eq ssl
permit tcp 192.168.1.0/24 192.168.10.0/24 eq ssh
permit tcp 192.168.1.0/24 192.168.10.0/24 eq ftp
permit tcp 192.168.1.0/24 host 192.168.10.20 eq 8006
permit tcp 192.168.1.0/24 host 192.168.10.20 eq 26
permit tcp 192.168.1.0/24 192.168.10.0/24 eq 8083
permit tcp 192.168.1.0/24 192.168.10.0/24 eq 9090
permit tcp 192.168.1.0/24 host 192.168.10.60 eq 5001
permit tcp 192.168.1.0/24 host 192.168.10.60
permit udp 192.168.1.0/24 host 192.168.10.60

remark deny all other to DMZ
deny ip 192.168.1.0/24 192.168.10.0/24
remark allow everything else to everywhere
permit ip any any

int ve 1
ip access-group lan in
exit
 

fohdeesha

Kaini Industries
Nov 20, 2016
fohdeesha.com
It's important to remember that ACLs only get applied to traffic coming into the VE from a port, not to traffic routed to the VE from another VE.

So if you have a rule inbound on ve1, and your network looks like this: bad person > ve 2 > ve 1 > target, the rule on ve 1 won't do anything against the bad person. You'd need the appropriate rule on ve 2, as that's where his traffic is entering/leaving the switch.
 

tubs-ffm

Active Member
Sep 1, 2013
It's important to remember that ACLs only get applied to traffic coming into the VE from a port, not to traffic routed to the VE from another VE.

So if you have a rule inbound on ve1, and your network looks like this: bad person > ve 2 > ve 1 > target, the rule on ve 1 won't do anything against the bad person. You'd need the appropriate rule on ve 2, as that's where his traffic is entering/leaving the switch.
Thank you. This is a good explanation. I guess I got it right.

What I want to achieve is to use the ICX as an L3 switch to route limited access between the two networks ve1 (LAN) and ve10 (DMZ) because of the 10 GBit network. Before, it was a router-on-a-stick set-up. All access control from outside is handled by the firewall. The other VLANs are L2 switching only and do not have access to anywhere other than the internet. With this set-up I assume that everything coming into the switch via ve5 is safe, and I only control from ve 10 to ve 1 and from ve 1 to ve 10.

But please correct me if there is something wrong in my logic.

(LAN network range on the picture is different to text above)
Network.png
 

tubs-ffm

Active Member
Sep 1, 2013
it's important to remember that ACLs only get applied to traffic coming into the VE from a port - not to traffic routed to the VE from another VE
Checking in more detail, your advice was already helpful. My ACL on ve10 that blocks access from the DMZ to the switch IP on this router interface does not protect against access to the router interface on ve5 from the same DMZ network.

It looks like ACLs can easily get quite complex even in a simple network. It is hard for me to imagine how to handle this in a more complex network.