Switch ACLs- Need tips with my Stateless ACLS

2024-02-27 10:45:18 - last edited 2024-03-03 14:03:58
Model: SG2008P  
Hardware Version: V3
Firmware Version: Original

Good day!

 

I'm reaching out as I have been trying to set up VLANs for better security and to keep IoT devices isolated from the main network.

I have a TL-SG2008P version 3 switch. I'm assuming it probably has stateless ACLs rather than stateful ACLs, and am trying to set up the ACLs correctly.

 

I'm not an expert on the topic; please check my ACLs below and let me know whether I should add a corresponding line for the return traffic for each of the rules below.

 

Let's say I have vlan20 (in the 192.168.20.1/24 range) and vlan30 (in the 192.168.30.1/24 range).

I want vlan20 to get an IP from dhcp, to get access to dns server, to get access to internet, and to not be able to contact NOR be contacted by vlan30.

 

Interface: Vlan20 ACL list in order:

1- ALLOW any IP on port 68 to access any IP on UDP port 67 (contacting DHCP server)

Will the DHCP server be able to reply?

 

2- ALLOW 192.168.20.1/24 access to DNS server on UDP port 53

Will the DNS server be able to reply?

 

3- DENY 192.168.20.1/24 access to 192.168.30.1/24

Do I need a rule to state the opposite, such as DENY 192.168.30.1/24 access to 192.168.20.1/24?

 

4- ALLOW 192.168.20.1/24 access to router on ports 80 and 443 to get internet

Will I receive the packets from internet after requesting?

 

5- DENY any IP access to any IP on any protocol

 

Which ACLs require an extra line for return traffic? I think what I can't understand is whether a reply to a request from A --> B (B replying here) is accounted for separately from a request initiated by B --> A. So if the first is allowed, but the second is disallowed, is B still allowed to reply to a request made from A? Can't find the answer anywhere really.

 

Hope this was clear and to the point, thanks a million!

 

Re:Switch ACLs- Need tips with my Stateless ACLS-Solution
2024-02-28 02:40:13 - last edited 2024-03-03 14:03:58

Hi @Matt677 

Thanks for posting in our business forum.

It is stateless.

If you have a block-all at the end, you should make sure both ways, bidirectional, A (VLAN20) to B (VLAN30), are able to contact each other.

For example, DHCP: your client is 68 (SRC) to server 67 (DST); you should be able to get server 67 (SRC) to 68 (DST). Get it? You need two to make a back-and-forth connection.

 

If you get this, you should be fine with the rest of them. Note that if some protocols do not use a static port, that would be very troublesome; basically, it is impossible to make them work. Only static ports can be added to the ACL.

 

About the deny rule, one denial is enough because it is stateless and bidirectional - communication is bidirectional. You should know what I mean.

 

About the Internet thing, I think you should allow all ports to all ports; think about how you may need other access, not just HTTP and HTTPS. You just narrowed the access down to just two. You sure?

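A small simulation, added here and not code from the thread or from TP-Link, of the first-match stateless ACL behaviour the accepted answer describes: it runs the VLAN20 rule list as posted, and the same list with return-direction rules, against constructed DHCP, DNS and cross-VLAN exchanges, and shows why rule 3 alone is enough to stop a conversation. It assumes DNS runs on the router at 192.168.20.1, that rule 4 means TCP, and that a packet matching no rule falls through to permit.

```python
from ipaddress import ip_address, ip_network
ANY = None  # wildcard for any field of a rule

def pkt(src, sport, dst, dport, proto="udp"):
    """Constructed 5-tuple packet for the simulation."""
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "proto": proto}

def matches(rule, p):
    _action, src, sport, dst, dport, proto = rule
    return ((src is ANY or ip_address(p["src"]) in ip_network(src))
            and (sport is ANY or p["sport"] == sport)
            and (dst is ANY or ip_address(p["dst"]) in ip_network(dst))
            and (dport is ANY or p["dport"] == dport)
            and (proto is ANY or p["proto"] == proto))

def evaluate(acl, p):
    """Stateless, first-match: each packet is judged on its own, with no session memory."""
    for rule in acl:
        if matches(rule, p):
            return rule[0]
    return "permit"  # fallback when nothing matches (assumption; rule 5 makes it moot)

def conversation_allowed(acl, request, reply):
    """With a stateless ACL an exchange only works if BOTH directions are permitted."""
    return evaluate(acl, request) == "permit" and evaluate(acl, reply) == "permit"

V20, V30, ROUTER = "192.168.20.0/24", "192.168.30.0/24", "192.168.20.1/32"
# The VLAN20 list as posted (one direction only); DNS assumed to run on the router.
ACL_AS_POSTED = [
    ("permit", ANY, 68, ANY, 67, "udp"),       # 1: DHCP client -> server
    ("permit", V20, ANY, ROUTER, 53, "udp"),   # 2: DNS query
    ("deny",   V20, ANY, V30, ANY, ANY),       # 3: no VLAN20 -> VLAN30
    ("permit", V20, ANY, ROUTER, 80, "tcp"),   # 4: HTTP via the router
    ("permit", V20, ANY, ROUTER, 443, "tcp"),  # 4: HTTPS via the router
    ("deny",   ANY, ANY, ANY, ANY, ANY),       # 5: deny everything else
]
# Same list plus the return-direction rules the accepted answer asks for. Replies
# arrive on ephemeral client ports, so the return rules must leave dport as ANY.
ACL_WITH_RETURN = (
    ACL_AS_POSTED[:1] + [("permit", ANY, 67, ANY, 68, "udp")]           # DHCP server -> client
    + ACL_AS_POSTED[1:2] + [("permit", ROUTER, 53, V20, ANY, "udp")]    # DNS answer
    + ACL_AS_POSTED[2:5] + [("permit", ROUTER, 80, V20, ANY, "tcp"),    # HTTP/HTTPS return
                            ("permit", ROUTER, 443, V20, ANY, "tcp")]
    + ACL_AS_POSTED[5:])
ONLY_RULE_3 = [ACL_AS_POSTED[2]]  # rule 3 alone: a one-way deny already breaks the exchange
# Constructed exchanges from the question: (request, reply).
DHCP = (pkt("0.0.0.0", 68, "255.255.255.255", 67), pkt("192.168.20.1", 67, "192.168.20.50", 68))
DNS = (pkt("192.168.20.50", 40001, "192.168.20.1", 53), pkt("192.168.20.1", 53, "192.168.20.50", 40001))
CROSS_VLAN = (pkt("192.168.30.7", 51000, "192.168.20.50", 22, "tcp"), pkt("192.168.20.50", 22, "192.168.30.7", 51000, "tcp"))
```

Under the list as posted the DHCP offer and the DNS answer both hit rule 5, so neither exchange completes; with the return rules they do, while VLAN30 to VLAN20 still fails in both lists.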
Re:Switch ACLs- Need tips with my Stateless ACLS
2024-03-03 14:07:26

  @Clive_A 

Thanks a lot!!

Super clear! Yeah, I took a few more days to do further reading and, based on your suggestions, I managed to set everything up :)
