Understanding ACL on SG3428X-M2
I have an SG3428X-M2 L2+ switch with V1.20 firmware.
I managed to create VLANs and specific DHCP IP ranges for the VLANs, and I think I understand this.
Then I started digging into the switch ACLs with the purpose of isolating inter-VLAN access.
I have VLAN 60 with IPs in the range 192.168.60.x and VLAN 20 with IPs in the range 192.168.20.x.
In VLAN 20 I have two servers with IPs 192.168.20.2 and 192.168.20.3, which have SSH enabled and a web server listening on ports 443 and 80.
To isolate the VLANs I set myself this goal:
- Block all traffic from 192.168.60.x to 192.168.20.x, with two exceptions:
- Allow traffic on all the ports from IP 192.168.60.2 to 192.168.20.2
- Allow traffic on port 443 only from IP 192.168.60.3 to 192.168.20.2
After a lot of trying/destroying/rebuilding and combining, and reading the manuals and internet sources, I came to the following configuration of an ACL with ID 501 and name “PrviACL”. The CLI version of the rule configuration is shown:
access-list ip 501 rule 300 permit logging disable sip 192.168.60.2 sip-mask 255.255.255.255 dip 192.168.20.2 dip-mask 255.255.255.255
access-list ip 501 rule 306 permit logging disable sip 192.168.60.3 sip-mask 255.255.255.255 dip 192.168.20.2 dip-mask 255.255.255.255 protocol 6 d-port 443 d-port-mask ffff
access-list ip 501 rule 310 deny logging disable sip 192.168.60.0 sip-mask 255.255.255.0 dip 192.168.20.0 dip-mask 255.255.255.0
access-list ip 501 rule 315 permit logging disable
This ACL is then bound to VLAN 20.
It works almost as intended; however, I think I don’t understand all the logic and I am not sure if the complete isolation goal is covered. In my head the following question marks appear:
- Is this configuration and sequence of rules accurate/optimal for my goal?
- What is the purpose of binding an ACL to specific VLANs … isn’t it obvious from the IP or MAC address which packet should be treated by the ACL?
- Why does this ACL have to be bound to VLAN 20 …. or, on the other hand, would it be better if I created a different set of rules for the ACL and then bound the ACL to VLAN 60? Basically, I don’t understand whether in my case it means that I am isolating VLAN 60 from VLAN 20 or the opposite … that I am isolating VLAN 20 from VLAN 60. So I also don’t understand where/how to start designing rules.
- For rule 306: why must I specify port 443 exactly for the d-port, but not for the s-port or both?
- Now this set of rules allows all traffic from IP 192.168.60.2 to 192.168.20.2, but also from 192.168.20.2 to 192.168.60.2; on the other hand, traffic from 192.168.20.2 to 192.168.60.3 is blocked. And I don’t understand which rules allow traffic from 192.168.20.2 to 192.168.60.2 but prevent 192.168.20.2 to 192.168.60.3.
It would be helpful to get some answers/comments/guidance about good practice for designing ACLs. I have watched/read a lot of YouTube, Reddit and forum articles, but I still can't get the whole picture of how to start designing rules for a more complex configuration of VLANs and rules. Maybe I should fight a little more and I will realize ...
Regards,
Sašo
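The behaviour asked about in the last bullet (20.2 to 60.2 works, 20.2 to 60.3 does not) can be reproduced by modelling the posted ACL as a stateless, first-match list evaluated in ascending rule-ID order, where the request and the reply of a TCP session are judged as two separate packets. This is an added example, not code from the post or from TP-Link; it assumes the bound ACL sees traffic in both directions between the two VLANs, that no match at all means deny, and that a hex port mask marks the bits that are compared.

```python
import ipaddress

# Constructed input: the four CLI lines from the post, verbatim.
ACL_501 = """\
access-list ip 501 rule 300 permit logging disable sip 192.168.60.2 sip-mask 255.255.255.255 dip 192.168.20.2 dip-mask 255.255.255.255
access-list ip 501 rule 306 permit logging disable sip 192.168.60.3 sip-mask 255.255.255.255 dip 192.168.20.2 dip-mask 255.255.255.255 protocol 6 d-port 443 d-port-mask ffff
access-list ip 501 rule 310 deny logging disable sip 192.168.60.0 sip-mask 255.255.255.0 dip 192.168.20.0 dip-mask 255.255.255.0
access-list ip 501 rule 315 permit logging disable"""

def parse_rules(text):
    """Each 'access-list ip <acl> rule <id> <action> key value ...' line becomes a dict."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[:2] != ["access-list", "ip"]:
            continue
        rule = {"id": int(tok[4]), "action": tok[5]}
        rule.update(zip(tok[6::2], tok[7::2]))  # e.g. "sip" -> "192.168.60.2"
        rules.append(rule)
    return sorted(rules, key=lambda r: r["id"])  # ascending rule-ID order (assumption)

def _ip_match(addr, base, mask):
    a, b, m = (int(ipaddress.IPv4Address(x)) for x in (addr, base, mask))
    return (a & m) == (b & m)

def matches(rule, pkt):
    """Every field present in the rule must match; a field absent from the rule is a wildcard."""
    for ip, key in (("sip", "sip"), ("dip", "dip")):
        if key in rule and not _ip_match(pkt[ip], rule[key], rule.get(key + "-mask", "255.255.255.255")):
            return False
    if "protocol" in rule and int(rule["protocol"]) != pkt["proto"]:
        return False
    for fld, key in (("sport", "s-port"), ("dport", "d-port")):  # hex port mask = bits compared (assumption)
        m = int(rule.get(key + "-mask", "ffff"), 16)
        if key in rule and (pkt[fld] & m) != (int(rule[key]) & m):
            return False
    return True

def evaluate(rules, pkt):
    """Top-down, first match wins; returns (action, rule id). No match at all => deny (assumption)."""
    for r in rules:
        if matches(r, pkt):
            return r["action"], r["id"]
    return "deny", None

def tcp(sip, sport, dip, dport):
    return {"sip": sip, "sport": sport, "dip": dip, "dport": dport, "proto": 6}

def connection_outcome(rules, client, cport, server, sport):
    """Stateless ACL: request and reply are judged independently, so a session works only if both pass."""
    return (evaluate(rules, tcp(client, cport, server, sport)),
            evaluate(rules, tcp(server, sport, client, cport)))

RULES = parse_rules(ACL_501)
```

Running connection_outcome(RULES, "192.168.20.2", 40000, "192.168.60.2", 22) permits both directions (rule 315, then rule 300), while the same session towards 192.168.60.3 has its reply caught by deny rule 310, because rule 306 only matches replies whose destination port is 443.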