An alternative to Gateway Stateful ACL using Switch ACL
Hey All,
The configuration below shows an alternative to the Stateful Gateway ACL that you can use in a Layer 3 Switching environment (i.e. using the switch for inter-VLAN routing).
Edit note: There are two versions of the configuration. If your VLANs are defined specifically for Layer 3 Switching, use the Layer 3 Switching configuration; if you are using the traditional Gateway VLAN interface for the VLANs, use the Gateway version. The logic is the same.
A brief background about Gateway ACL
Gateway ACL works by always allowing the Source VLAN (i.e. Home) to initiate two-way communication with the Destination VLAN (i.e. IoT).
That is well and good; however, IoT can NEVER initiate the communication, the trigger must always be "Home". So in certain use cases, for example if an IoT device needs to use a PiHole server that is in the Home VLAN, it will not work because IoT devices can't initiate the communication.
An alternative is Switch ACL; however, it is not stateful, so many implementations use "bi-directional" rules, but bi-directional opens up two-way communication, which defeats the purpose of blocking in the first place.
I posted a "solution" to it a long time ago here, but it probably didn't show up in search, or if it did, the title isn't very clear.
That post also covered many other use cases, so for this post I am just focusing on two use cases; hopefully it will make Switch ACLs more useful for many use cases.
Set Up:
- 192.168.1.x - VLAN 1 - Admin/Management
- 192.168.10.x - VLAN 10 - Home
- 192.168.20.x - VLAN 20 - Guest
- 192.168.30.x - VLAN 30 - Camera
- 192.168.90.x - VLAN 90 - IoT
For simplicity of this post, I am only covering use cases that affect Home and IoT.
Assumption (Home and IoT VLANs):
- All VLANs have Internet Access
Use Cases:
- Use Case 1: Home VLAN can "ssh" to IoT VLAN but not the other way around.
- Use Case 2: IoT VLAN can "vnc" to Home VLAN but not the other way around.
- IoT is denied access to all other VLANs.
These 2 Use Cases will NOT be possible if Gateway ACL is used, because in Use Case 1 the Source is the Home VLAN, while in Use Case 2 the Source is the IoT VLAN.
Tip:
- Replace "ssh" and/or "vnc" with any protocol(s) needed in your environment, i.e. FTP (port 21), DNS (port 53), HTTPS (port 443), or refer to this
General Notes:
- Gateway ACL operates on the "Gateway" level, Switch ACL operates on the "Switch" level and EAP ACL operates on the EAP level. They work independently of each other.
- ACLs are enforced at the device closest to the client first, i.e. if you have a Gateway <> Switch <> AP <> Client connection and you have a "Deny" on the AP, then no Permit on the Switch or Gateway will override that AP ACL. Similarly, if you have a Permit on the Switch but the traffic has to go through the Gateway and the Gateway has a Deny, then it will not work. Visualize each device as a checkpoint and consider how they are interconnected in your network.
- The ACLs are evaluated from top to bottom.
- "Permit ALL" is the default Policy.
- For granular ACLs, think of it as whitelisting.
Layer 3 Switch Configuration (see below for the Gateway version of the configuration; both versions use Switch ACL)
Switch ACLs (Layer 3 Switching Version):
- Permit Home devices to SSH to IoT devices
  Permit Home SSH to IoT
  Policy: Permit
  Protocols: TCP (or All)
  Source > IP Port Group > (Subnet 192.168.90.0/24, Port: 22)
  Destination > IP Group > (Subnet 192.168.10.0/24)
- Permit IoT devices to VNC to Home devices
  Permit IoT VNC to Home
  Policy: Permit
  Protocols: TCP (or All)
  Source > IP Group > (Subnet 192.168.90.0/24)
  Destination > IP Port Group > (Subnet 192.168.10.0/24, Ports: 5800, 5900)
- Deny IoT to All VLANs
  Deny IoT to All
  Policy: Deny
  Protocols: All
  Source > IP Group > (Subnet 192.168.90.0/24)
  Destination > IP Group > (Subnet 192.168.1.0/24)
  Destination > IP Group > (Subnet 192.168.10.0/24)
  Destination > IP Group > (Subnet 192.168.20.0/24)
  Destination > IP Group > (Subnet 192.168.30.0/24)
Gateway Version Configuration (see above for the Layer 3 Switching version of the configuration; both versions use Switch ACL)
Switch ACLs (Gateway Version):
- Permit Home devices to SSH to IoT devices
  Permit Home SSH to IoT
  Policy: Permit
  Protocols: TCP (or All)
  Source > IP Port Group > (Subnet 192.168.90.0/24, Port: 22)
  Destination > Network > Home
- Permit IoT devices to VNC to Home devices
  Permit IoT VNC to Home
  Policy: Permit
  Protocols: TCP (or All)
  Source > Network > IoT
  Destination > IP Port Group > (Subnet 192.168.10.0/24, Ports: 5800, 5900)
- Deny IoT to All VLANs
  Deny IoT to All
  Policy: Deny
  Protocols: All
  Source > Network > IoT
  Destination > Network > Admin
  Destination > Network > Home
  Destination > Network > Guest
  Destination > Network > Camera
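To make the stateless logic behind both versions of the configuration visible, here is a small Python evaluator (an added example, not code from the original post or from any vendor's controller). It models a generic first-match, top-to-bottom ACL with a default "Permit ALL", exactly as the General Notes describe, loads the three rules above, and then pushes constructed sample flows through it in both directions. A TCP session is only reported as working when the first packet and its reply both pass, which is what a stateless switch actually requires. The flow names and sample addresses are assumptions made for this example.

```python
"""Stateless Switch ACL evaluator for the Home/IoT rules above (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple

# Subnets from the post's Set Up section.
ADMIN = ip_network("192.168.1.0/24")
HOME = ip_network("192.168.10.0/24")
GUEST = ip_network("192.168.20.0/24")
CAMERA = ip_network("192.168.30.0/24")
IOT = ip_network("192.168.90.0/24")


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass
class Rule:
    name: str
    policy: str                        # "permit" or "deny"
    src_nets: List
    dst_nets: List
    src_ports: Optional[Set[int]] = None   # None = plain IP Group (any port)
    dst_ports: Optional[Set[int]] = None
    protocols: Optional[Set[str]] = None   # None = All

    def matches(self, pkt: Packet) -> bool:
        src, dst = ip_address(pkt.src_ip), ip_address(pkt.dst_ip)
        if self.protocols is not None and pkt.proto not in self.protocols:
            return False
        if not any(src in n for n in self.src_nets):
            return False
        if not any(dst in n for n in self.dst_nets):
            return False
        if self.src_ports is not None and pkt.src_port not in self.src_ports:
            return False
        if self.dst_ports is not None and pkt.dst_port not in self.dst_ports:
            return False
        return True


# The three Switch ACLs from the post, in the order they are listed.
RULES = [
    Rule("Permit Home SSH to IoT", "permit", [IOT], [HOME], src_ports={22}, protocols={"tcp"}),
    Rule("Permit IoT VNC to Home", "permit", [IOT], [HOME], dst_ports={5800, 5900}, protocols={"tcp"}),
    Rule("Deny IoT to All", "deny", [IOT], [ADMIN, HOME, GUEST, CAMERA]),
]


def evaluate(pkt: Packet, rules: List[Rule] = RULES) -> Tuple[str, str]:
    """First matching rule wins; with no match the default Permit ALL applies."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.policy, rule.name
    return "permit", "default Permit ALL"


def reply_of(pkt: Packet) -> Packet:
    """The reply packet of a flow simply swaps the address/port pairs."""
    return Packet(pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto)


def session_allowed(first_pkt: Packet, rules: List[Rule] = RULES) -> bool:
    """On a stateless ACL a session only works if both directions are permitted."""
    fwd, _ = evaluate(first_pkt, rules)
    rev, _ = evaluate(reply_of(first_pkt), rules)
    return fwd == "permit" and rev == "permit"


# Constructed sample flows (first packet of each session); ports above 49151 are ephemeral.
SAMPLE_FLOWS: Dict[str, Packet] = {
    "home_ssh_to_iot": Packet("192.168.10.7", 50000, "192.168.90.5", 22),       # Use Case 1
    "iot_ssh_to_home": Packet("192.168.90.5", 50001, "192.168.10.7", 22),       # must be blocked
    "iot_vnc_to_home": Packet("192.168.90.5", 50002, "192.168.10.7", 5900),     # Use Case 2
    "home_vnc_to_iot": Packet("192.168.10.7", 50003, "192.168.90.5", 5900),     # reply is denied
    "iot_to_guest": Packet("192.168.90.5", 50004, "192.168.20.9", 80),          # Deny IoT to All
    "iot_to_internet": Packet("192.168.90.5", 50005, "203.0.113.10", 443),      # default permit
    "iot_src_port_22_to_home_web": Packet("192.168.90.5", 22, "192.168.10.7", 80),  # stateless caveat
}


def run_all() -> Dict[str, bool]:
    """Evaluate every sample flow as a two-way session."""
    return {label: session_allowed(pkt) for label, pkt in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for label, pkt in SAMPLE_FLOWS.items():
        print(f"{label:30s} fwd={evaluate(pkt)} rev={evaluate(reply_of(pkt))} "
              f"session={'OK' if session_allowed(pkt) else 'BLOCKED'}")
```

Running it shows why the rules are ordered this way: a Home-initiated SSH session gets its forward packet through on the default Permit ALL and its reply through on "Permit Home SSH to IoT", while a Home-initiated VNC session is cut off because the IoT reply (source port 5900) falls through to "Deny IoT to All". The last sample flow is the caveat that comes with any stateless ACL: the first rule keys only on an IoT source port of 22, so it cannot distinguish a genuine SSH reply from any other IoT traffic that happens to use that source port. Keeping the Deny rule in place, narrowing the first rule's source to the specific IoT hosts that actually run SSH, and logging hits on it are the practical ways to limit that exposure.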
If you would like to see this in action, I have a Layer 3 Switch video that covers this. You do not need to watch the whole thing; this part is covered at the 24:16 time stamp.
If you are not aware of how to do Layer 3 Switching, you may refer to my old post here.
If you are interested to see the whole Layer 3 Switch diagram as well as full ACL configuration, you can watch this video and refer to the diagram below: