HansdeJongh
Enthusiast

vSphere 5.5 | DVS | ACL

So I was so pleased to see that vSphere 5.5 would support ACLs on DVS.

Then I started implementing it.

So I got a portgroup with 2 VMs in it:

They have the following IPs: x.x.x.236 and x.x.x.237

I created the following rule:

action: drop

traffic direction: egress

protocol is icmp

source ip address any

destination is no x.x.x.254

Now I ping 2 IPs (x.x.x.1 and x.x.x.254) from both VMs. Only the .254 works (of course).

But then I create the next rule:

action: drop

traffic direction: egress

protocol is any

source ip is any

destination ip is any

After applying, I can't ping the .254 anymore?

What am I doing wrong?

Regards

0 Kudos
10 Replies
MKguy
Virtuoso

I haven't played with dvSwitch ACLs myself yet, but this seems pretty self-explanatory if you have ever dealt with firewalling rules. Packets are matched against the rule base in order until the first rule applies.

If you only have the first rule, it does not apply to pinging .254. So the implicit default rule is used to decide what to do. In this case with ACLs it's a default "allow any" rule and the packet is forwarded.

Now if you implement the 2nd rule, which denies any traffic, it will also drop what was previously allowed by the implicit "allow any" rule because this rule is checked before the implicit rule. Obviously you won't be able to communicate via ICMP pings (or any other traffic) anymore because this rule drops everything.

What you need is an explicit rule allowing pings to .254, that comes before the drop all rule in your rule base. Change the first rule to "allow" and the destination to .254 (without negation).

-- http://alpacapowered.wordpress.com
0 Kudos
HansdeJongh
Enthusiast

We are talking about non-stateful rules, so firewall rules have nothing to do with it.

What I'm used to with ACLs on switch level (this is what VMware is trying to do) is that it will stop processing rules when it hits a rule that "says" something about the traffic.

So if I allow ICMP and want to disallow everything else, I first create a rule which allows ICMP, and then block everything else.

With some switch brands you don't even have to create a drop-all rule. It will drop everything when there is no matching rule.

0 Kudos
chriswahl
Virtuoso

HansdeJongh wrote:

But then i create the next rule:

action: drop

traffic direction: egress

protocol is any

source ip is any

destination ip is any

After applying, I can't ping the .254 anymore?

What am I doing wrong?

Your first rule is a drop rule. And then this rule is also a drop rule. You have not created any allow rules.

The rule you describe is designed to drop all traffic. It is literally "Drop all egress traffic of any protocol, from any source, to any destination." It is working as intended.

Typically you create drop rules for what you wish to block, and then follow up with a "permit any any" type of rule.

VCDX #104 (DCV, NV) ஃ WahlNetwork.com ஃ @ChrisWahl ஃ Author, Networking for VMware Administrators
0 Kudos
HansdeJongh
Enthusiast

It is not working as intended. VMware support already concluded that and filed a PR.

With ACLs you create an allow rule; with some switching brands everything else is dropped without creating a drop rule, but with some you still have to create a drop-all rule.

0 Kudos
chriswahl
Virtuoso

Perhaps you copied your rules down incorrectly when you shared them? Because you stated that you created this rule:

action: drop

traffic direction: egress

protocol is any

source ip is any

destination ip is any

If you read that rule, it literally says "drop all traffic" - and then your traffic is dropped. How is this not working as intended?

VCDX #104 (DCV, NV) ஃ WahlNetwork.com ஃ @ChrisWahl ஃ Author, Networking for VMware Administrators
0 Kudos
HansdeJongh
Enthusiast

You're overlooking the "no" part in the first drop rule.

But let's put it differently.

What if I want to disallow EVERYTHING except ICMP to .254? How should I do that?

0 Kudos
chriswahl
Virtuoso

What if I want to disallow EVERYTHING except ICMP to .254? How should I do that?

You'd just need a permit statement for that traffic prior to a matching drop rule.

Do a logical walkthrough:

Rule 1 =

action: drop

traffic direction: egress

protocol is icmp

source ip address any

destination is no x.x.x.254

This is a drop rule, so it is looking for traffic to drop. Your ICMP packet to x.x.x.254 does not match this rule. The ACL moves on to the next rule.

Rule 2 =

action: drop

traffic direction: egress

protocol is any

source ip is any

destination ip is any

This is a drop rule, so it is looking for traffic to drop. Your ICMP packet to x.x.x.254 DOES match this rule. The packet is dropped.


Instead, make sure Rule 1 is a permit that allows traffic matching your x.x.x.254 traffic. The ACL will match the rule to the traffic and permit it and stop looking at the rules, even if there is a drop rule further down the list.

VCDX #104 (DCV, NV) ஃ WahlNetwork.com ஃ @ChrisWahl ஃ Author, Networking for VMware Administrators
0 Kudos
HansdeJongh
Enthusiast

Do a logical walkthrough:

Rule 1 =

action: drop

traffic direction: egress

protocol is icmp

source ip address any

destination is no x.x.x.254

first action: drop

direction = egress

protocol = icmp

source ip = any

destination is everything EXCEPT x.x.x.254

so this rule drops ALL icmp EXCEPT to x.x.x.254

0 Kudos
chriswahl
Virtuoso

so this rule drops ALL icmp EXCEPT to x.x.x.254

Correct. The ICMP packet is then dropped because of Rule 2. If you want to allow only ICMP to x.x.x.254, the rules would look like this:

Rule 1

action: permit

traffic direction: egress

protocol is icmp

source ip address any

destination is x.x.x.254

Rule 2

action: drop

traffic direction: egress

protocol is any

source ip is any

destination ip is any

VCDX #104 (DCV, NV) ஃ WahlNetwork.com ஃ @ChrisWahl ஃ Author, Networking for VMware Administrators
0 Kudos
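The first-match evaluation that MKguy describes and that chriswahl walks through above can be checked on paper, but it is easier to see with a small simulator. The evaluator below is an added illustration written for this thread; it is not VMware's implementation and models only what the replies say: rules are tried top to bottom, the first matching rule decides, and a packet matching nothing falls through to an implicit "allow any" (MKguy's reading, treated here as an assumption and exposed as the `default` parameter). The addresses are constructed from the 192.0.2.0/24 documentation range and stand in for the thread's x.x.x.* values. It runs the opening post's two drop rules, the first rule on its own, and chriswahl's permit-then-drop ruleset against the same three probe packets.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


# Added example: first-match ACL evaluator modelling the behaviour the
# replies describe. Not VMware's code; the implicit default action is an
# assumption (MKguy's "allow any") and is passed in as a parameter.

@dataclass
class Packet:
    direction: str   # "egress" or "ingress"
    protocol: str    # "icmp", "tcp", ...
    src: str         # plain IP address
    dst: str         # plain IP address


@dataclass
class Rule:
    action: str                # "permit" or "drop"
    direction: str             # "egress", "ingress" or "any"
    protocol: str              # protocol name or "any"
    src: str = "any"           # CIDR or "any"
    dst: str = "any"           # CIDR or "any"
    dst_negated: bool = False  # the "destination is no x.x.x.254" form

    @staticmethod
    def _addr_matches(spec, addr):
        return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)

    def matches(self, pkt):
        if self.direction != "any" and self.direction != pkt.direction:
            return False
        if self.protocol != "any" and self.protocol != pkt.protocol:
            return False
        if not self._addr_matches(self.src, pkt.src):
            return False
        dst_hit = self._addr_matches(self.dst, pkt.dst)
        # A negated destination matches everything EXCEPT the listed address.
        return (not dst_hit) if self.dst_negated else dst_hit


def evaluate(rules, pkt, default="permit"):
    """Return (action, index of the rule that decided, or None on fall-through)."""
    for i, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, i
    return default, None


# Constructed addresses (TEST-NET-1) standing in for the thread's x.x.x.*
VM = "192.0.2.236"
GATEWAY = "192.0.2.254"
OTHER = "192.0.2.1"

# Ruleset from the opening post: two drop rules and no permit.
ORIGINAL = [
    Rule("drop", "egress", "icmp", "any", GATEWAY + "/32", dst_negated=True),
    Rule("drop", "egress", "any"),
]

# Ruleset from chriswahl's last reply: permit ICMP to .254, then drop everything.
FIXED = [
    Rule("permit", "egress", "icmp", "any", GATEWAY + "/32"),
    Rule("drop", "egress", "any"),
]


def outcomes(rules):
    """Decide the three probes the thread talks about against one ruleset."""
    probes = {
        "icmp_to_254": Packet("egress", "icmp", VM, GATEWAY),
        "icmp_to_1": Packet("egress", "icmp", VM, OTHER),
        "tcp_to_254": Packet("egress", "tcp", VM, GATEWAY),
    }
    return {name: evaluate(rules, pkt)[0] for name, pkt in probes.items()}


if __name__ == "__main__":
    print("only first rule :", outcomes(ORIGINAL[:1]))
    print("both drop rules :", outcomes(ORIGINAL))
    print("permit then drop:", outcomes(FIXED))
```

With only the first rule in place, ICMP to .254 misses the negated rule and falls through to the default allow, which is what the opening post observed; adding the drop-any rule catches that same packet at rule 2. Swapping the first rule to a permit, as chriswahl suggests, makes rule 1 decide the .254 ping before the drop-any rule is ever consulted, while everything else still ends at rule 2.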
yonish
Contributor

I also had a similar problem.

x.x.x.x to x.x.x.x drop

and then x.x.x.x to any or to x.x.x.y/24, there was a Java problem.

0 Kudos