Understanding ACL on SG3428X-M2
2024-06-11 08:35:43 - last edited 2024-06-11 09:15:59
Model: TL-SG3428X-M2  
Hardware Version: V1
Firmware Version: 1.20

I have an SG3428X-M2 L2+ switch with V1.20 firmware.

I managed to create VLANs and specific DHCP IP ranges for the VLANs, and I think I understand this.

Then I started digging into the switch ACL with the purpose of isolating inter-VLAN access.

I have VLAN 60 with IPs in the range 192.168.60.x and VLAN 20 with IPs in the range 192.168.20.x.

In VLAN 20 I have two servers with IPs 192.168.20.2 and 192.168.20.3, which have SSH enabled and a web server listening on port 443 and port 80.

For isolating the VLANs I set myself this goal:

  1. Block all the traffic from 192.168.60.x to 192.168.20.x with two exceptions
  2. Allow traffic on all the ports from IP 192.168.60.2 to 192.168.20.2
  3. Allow traffic on port 443 only from IP 192.168.60.3 to 192.168.20.2

With a lot of trying/destroying/rebuilding and combining, and reading the manuals and internet sources, I came to the following configuration of the ACL with ID 501 and name “PrviACL”. The CLI version of the rule configuration is shown:


access-list ip 501 rule 300 permit logging disable sip 192.168.60.2 sip-mask 255.255.255.255 dip 192.168.20.2 dip-mask 255.255.255.255
access-list ip 501 rule 306 permit logging disable sip 192.168.60.3 sip-mask 255.255.255.255 dip 192.168.20.2 dip-mask 255.255.255.255 protocol 6 d-port 443 d-port-mask ffff
access-list ip 501 rule 310 deny logging disable sip 192.168.60.0 sip-mask 255.255.255.0 dip 192.168.20.0 dip-mask 255.255.255.0
access-list ip 501 rule 315 permit logging disable

 

This ACL is then bound to VLAN 20.

It works almost as intended; however, I think I don’t understand all the logic and I am not sure if the complete isolation goal is covered. In my head the following question marks appear:

  1. Is this configuration and sequence of rules accurate/optimal for my goal?
  2. What is the purpose of binding an ACL to specific VLANs … isn’t it obvious from the IP or MAC address which packet should be treated by the ACL?
  3. Why does this ACL have to be bound to VLAN 20 …. or, on the other hand, would it be better if I create a different set of rules for the ACL and then bind the ACL to VLAN 60? Basically I don’t understand if, for my case, it means that I am isolating VLAN 60 from VLAN 20 or the opposite … that I am isolating VLAN 20 from VLAN 60. So, I also don’t understand where/how to start designing rules.
  4. For rule 306: why must I specify port 443 exactly for the d-port, but not for the s-port or both?
  5. Now this set of rules allows all traffic from IP 192.168.60.2 to 192.168.20.2 but also from 192.168.20.2 to 192.168.60.2; on the other hand, traffic from 192.168.20.2 to 192.168.60.3 is blocked. And I don’t understand which rules allow traffic from 192.168.20.2 to 192.168.60.2 but prevent 192.168.20.2 to 192.168.60.3.

 

It would be helpful to get some answers/comments/guidance about good practice in designing ACLs. I watch/read a lot of YouTube/Reddit/forum articles, but still I can't get the whole picture of how to start designing rules for a more complex configuration of VLANs and rules. Maybe I should fight a little more and I will realize ...

Regards,

Sašo

Re: Understanding ACL on SG3428X-M2
2024-06-12 06:04:42

Hi @SasoC 

Thanks for posting in our business forum.

This is how ACL works. You are on the right track.

1. Correct. Block and allow.

2. OSI model. From layer 1 to layer 3, each needs to be specified. Many rules follow this order to bind.

3. It does not matter. As long as one side is blocked, that communication is not through. You can create duplicate entries but you'll get the same results.

4. Because you are accessing HTTPS. The initiating (SRC) port may be random but you are accessing HTTPS, so the source is definitive.

5. Are you using the router or switch as the VLAN interface?

Anyway, you should check if there is a rule blocking the access between the two. As long as there is one blocking, the comm is not through. For the router VLAN interface, by default, the inter-VLAN traffic is allowed.

You allowed 60.2 to 20.2, this is expected. Rules you created allow the back-and-forth traffic.

20.2 to 60.3, no rules are allowed as you have blocked the 20.X and 60.X.

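The point-5 reasoning in the reply above, as an added example that is not from the forum or from TP-Link: a Python simulation of the four rules quoted in the original post, evaluated statelessly and first-match against each packet of a TCP session in both directions. It assumes the switch applies the bound ACL to every packet crossing between the two VLANs regardless of direction and that no other ACL is bound; the source port 50000 stands in for the client's random ephemeral port.

```python
# Stateless, first-match simulation of the four ACL rules quoted in the post.
import ipaddress
from collections import namedtuple

ACL_CLI = """
access-list ip 501 rule 300 permit logging disable sip 192.168.60.2 sip-mask 255.255.255.255 dip 192.168.20.2 dip-mask 255.255.255.255
access-list ip 501 rule 306 permit logging disable sip 192.168.60.3 sip-mask 255.255.255.255 dip 192.168.20.2 dip-mask 255.255.255.255 protocol 6 d-port 443 d-port-mask ffff
access-list ip 501 rule 310 deny logging disable sip 192.168.60.0 sip-mask 255.255.255.0 dip 192.168.20.0 dip-mask 255.255.255.0
access-list ip 501 rule 315 permit logging disable
"""
Packet = namedtuple("Packet", "src dst proto sport dport")

def parse_acl(text):
    """One dict per rule; a field absent from the CLI line is a wildcard."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        kv = dict(zip(tok[6::2], tok[7::2]))  # keyword/value pairs after 'rule <id> <action>'
        net = lambda k: ipaddress.ip_network(f"{kv[k]}/{kv[k + '-mask']}", strict=False) if k in kv else None
        rules.append({"id": int(tok[4]), "action": tok[5], "sip": net("sip"), "dip": net("dip"),
                      "proto": int(kv["protocol"]) if "protocol" in kv else None,
                      "dport": int(kv["d-port"]) if "d-port" in kv else None,
                      "dmask": int(kv.get("d-port-mask", "ffff"), 16)})
    return rules

def match(rule, pkt):
    return ((rule["sip"] is None or ipaddress.ip_address(pkt.src) in rule["sip"])
            and (rule["dip"] is None or ipaddress.ip_address(pkt.dst) in rule["dip"])
            and (rule["proto"] is None or rule["proto"] == pkt.proto)
            and (rule["dport"] is None or (pkt.dport & rule["dmask"]) == (rule["dport"] & rule["dmask"])))

def evaluate(rules, pkt):
    """Return (rule_id, action) of the first rule that matches the packet."""
    for rule in rules:
        if match(rule, pkt):
            return rule["id"], rule["action"]
    return None, "deny"  # never reached with this set: rule 315 matches everything

def session_allowed(rules, client, server, dport, sport=50000):
    """The ACL judges the request and the server's reply as separate packets,
    so a TCP session works only if both directions are permitted (assumption)."""
    request = Packet(client, server, 6, sport, dport)
    reply = Packet(server, client, 6, dport, sport)
    return all(evaluate(rules, p)[1] == "permit" for p in (request, reply))

RULES = parse_acl(ACL_CLI)

if __name__ == "__main__":  # the five flows the post asks about
    for c, s, port in [("192.168.60.2", "192.168.20.2", 22), ("192.168.60.3", "192.168.20.2", 443),
                       ("192.168.60.3", "192.168.20.2", 22), ("192.168.20.2", "192.168.60.2", 22),
                       ("192.168.20.2", "192.168.60.3", 22)]:
        print(f"{c} -> {s}:{port}", "allowed" if session_allowed(RULES, c, s, port) else "blocked")
```

Running it shows why 20.2 can reach 60.2 but not 60.3: both requests from VLAN 20 hit rule 315, but only 60.2's reply is permitted by rule 300, while 60.3's reply to an ephemeral port falls through to rule 310.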
Re: Understanding ACL on SG3428X-M2
2024-06-12 09:49:53

@Clive_A, thank you for your answers and comments.

Regarding your question at point 5: I am using the switch as the VLAN interface. 

Right now, I am studying the switch (VLANs and ACLs) without connecting to a router. When I am sure I understand this, I will connect to the router and the internet. The router will be an OPNsense box and will only be used for WAN tasks (firewall from the internet, VPN, ...) and will not know anything about the VLANs on the switch. Hope this will hold water.

 

Sašo
