Allowing VLAN access to shared resources
I have a set-up with 3 VLANs:
- Secure
- IoT
- Guest
I have Gateway ACLs (since I need them to be stateful) to:
- Block IoT access to Secure and Guest
- Block Guest access to Secure and IoT
I'm now wondering how best to grant IoT and Guest access to certain shared resources (DNS servers and a NAS) that exist on the Secure network.
It looks like LAN->LAN Gateway ACLs only allow Network->Network mappings, so it seems that I can't add these exceptions via a Network->IP-Port-Group mapping at the Gateway ACL level.
Given that I assume ACLs are hierarchical (AP -> Switch -> Gateway), I don't think I can solve this by just adding a Switch ACL (which does allow Network->IP-Port-Group mappings) as even if the Switch allowed it, the Gateway would block it?
The only solution I can currently think of is to create an additional Shared VLAN and have that host the DNS servers and NAS. That VLAN would be allowed at the Gateway level which means I should be able to use Switch ACL rules to manage access from the other VLANs.
Does that sound reasonable, or is there a better way to do this?
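As an added illustration that is not part of the original post and not a UniFi API, a small Python model of the Switch -> Gateway evaluation order the question assumes, with constructed addressing (10.0.x.0/24 networks, DNS on 10.0.40.53, NAS on 10.0.40.20). It compares the Switch ACL exception under the existing Gateway block with the proposed Shared VLAN design.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addressing for the three VLANs in the post plus the proposed Shared VLAN.
NETS = {"Secure": ip_network("10.0.10.0/24"), "IoT": ip_network("10.0.20.0/24"),
        "Guest": ip_network("10.0.30.0/24"), "Shared": ip_network("10.0.40.0/24")}
DNS, NAS = ip_address("10.0.40.53"), ip_address("10.0.40.20")  # constructed Shared-VLAN hosts

@dataclass(frozen=True)
class Rule:
    src: str                        # source VLAN name
    dst: str                        # destination VLAN name
    action: str                     # "allow" or "block"
    ips: frozenset = frozenset()    # destination hosts; empty = whole VLAN (Network->Network)
    ports: frozenset = frozenset()  # destination ports (protocol ignored); empty = any port

def matches(rule, src, dst_ip, port):
    return (rule.src == src and dst_ip in NETS[rule.dst]
            and (not rule.ips or dst_ip in rule.ips)
            and (not rule.ports or port in rule.ports))

def permitted(layers, src, dst_ip, port):
    """Assumed model of the hierarchy the post describes: the Switch ACL is consulted first,
    then the Gateway ACL. Within a layer the first matching rule decides; a block at any layer
    drops the flow, an allow only hands it to the next layer; unmatched flows are allowed."""
    dst_ip = ip_address(dst_ip)
    for layer in layers:
        for rule in layer:
            if matches(rule, src, dst_ip, port):
                if rule.action == "block":
                    return False
                break
    return True

# The existing Gateway ACLs from the post, unchanged in both designs.
GATEWAY = [Rule("IoT", "Secure", "block"), Rule("IoT", "Guest", "block"),
           Rule("Guest", "Secure", "block"), Rule("Guest", "IoT", "block")]

# Design A: keep DNS in Secure (constructed 10.0.10.53) and add a Switch ACL exception for it.
SWITCH_A = [Rule("IoT", "Secure", "allow", frozenset({ip_address("10.0.10.53")}), frozenset({53}))]

# Design B: move DNS and NAS to the Shared VLAN; the Switch ACL allows only those services
# (DNS on 53, SMB on 445) from IoT and Guest and blocks everything else in Shared.
SWITCH_B = [Rule(s, "Shared", "allow", frozenset({DNS}), frozenset({53})) for s in ("IoT", "Guest")]
SWITCH_B += [Rule(s, "Shared", "allow", frozenset({NAS}), frozenset({445})) for s in ("IoT", "Guest")]
SWITCH_B += [Rule("IoT", "Shared", "block"), Rule("Guest", "Shared", "block")]

def design_a(src, dst_ip, port):
    return permitted([SWITCH_A, GATEWAY], src, dst_ip, port)
def design_b(src, dst_ip, port):
    return permitted([SWITCH_B, GATEWAY], src, dst_ip, port)
```

Under this model the Switch allow in design A never takes effect because the Gateway block still matches, while design B lets IoT and Guest reach only the two Shared hosts on the listed ports.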