Switch ACL Rules don't appear to work
Hi community!
Looking for some advice...
Set up various VLANs as interfaces using the LANs menu; for this example, let's call two of them default and IoT.
default on VLAN 1
IoT on VLAN 2
I've set up wireless as default and IoT, both using the correct VLAN.
Both are acting as DHCP servers, so when a client is wired to a port specified as default, it gets a 192.168.1.X IP, and on IoT it gets 192.168.107.X.
The problem arises when I try and create ACL rules.
I want to block traffic from IoT to the default network. I therefore create this under Switch ACL:
As soon as I do this, I stop ALL inter VLAN communication - including from default to IoT.
Any ideas where I am going wrong?!
I am using the following hardware:
Hi @MikeyG23
Thanks for posting in our business forum.
What you are looking for is ACL Guide Compilation.
If you want unidirectional ACL, you gotta use the Gateway ACL instead of Switch ACL. Switch ACL does not support stateful ACL.
When you block one side from the other, since Switch ACL is stateless, it blocks one direction of access/ping to the other side, and the reply cannot get back, so the computer used for the ping thinks the other side does not respond.
If you want to do this, unidirectional, you gotta use GW ACL.
You can build a single 2-directional switch ACL rule, but you have to start using IP groups.
EG
Create an isolation rule so each network cannot talk to the others:
Source > Destination
Network 1 > Network 2
This will isolate network 1 from network 2, effectively in both directions (as responses will be blocked in the non-defined route as well).
However, adding above this rule an ALLOW rule with IP groups, the same IP group on each side of the rule:
Source > Destination
192.168.10.100, 192.168.20.200 > 192.168.10.100, 192.168.20.200
(note you have to list all the different devices in a single IP group, thereby allowing the whole list to itself, which will allow them to talk two-way)
would allow two-way communication between those 2 devices on the two networks that cannot otherwise talk to each other, all in a single, simple rule. Everything else would be blocked by the isolation rule below it.
How this works
This IP group rule, which has all the different individual devices (or even whole subnets, or a mini subnet; you can specify anything), will allow .10.100 to reach out to .20.200. Ordinarily in a one-way Allow rule the response would be blocked, but in this case, because .20.200 is ALSO in the source list, it is allowed to respond - and since all the same IPs are in the destination list, this allows full 2-way communication.
You can use exactly the same technique to build a block list of devices that shouldn't talk to each other (with a deny rule) on networks that CAN already talk to each other.
I hope this makes sense! With switch ACLs some smart thinking can save you rules (there is a limit on how many rules you can have) and can be very flexible. Almost my entire business network security model (many switches, APs, 2 individual businesses, many many clients, public wifi all on one ISP connection) is built on 9 switch ACLs restricting traffic in various directions. I have gateway rules for managing inter-VPN communication (WAN OUT DENY) to restrict users on remote site LANs from communicating with the host site and other remote site LANs they shouldn't. None of my ACL lists are more than 10 rules. Just gotta be smart and combine as much as you can into efficient rules.
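To make the two answers concrete, here is an added Python model (not from the thread, and not any vendor's code) of first-match ACL evaluation: a stateless switch ACL judges the request and the reply as two unrelated packets, while a stateful gateway ACL only judges the packet that opens the conversation. The subnets are the poster's; the host addresses, the implicit-allow default when no rule matches, and the exact rule shapes are assumptions.

```python
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, NamedTuple


class Rule(NamedTuple):
    action: str             # "allow" or "deny"
    src: FrozenSet[str]     # an "IP group": hosts or subnets in CIDR form
    dst: FrozenSet[str]


def in_group(group: FrozenSet[str], ip: str) -> bool:
    return any(ip_address(ip) in ip_network(n, strict=False) for n in group)


def evaluate(rules: List[Rule], src: str, dst: str, default: str = "allow") -> str:
    """First-match evaluation of one packet; implicit allow is an assumption."""
    for r in rules:
        if in_group(r.src, src) and in_group(r.dst, dst):
            return r.action
    return default


def stateless_conversation_works(rules: List[Rule], client: str, server: str) -> bool:
    """Switch ACL model: the reply is a separate packet and must pass on its own."""
    return evaluate(rules, client, server) == "allow" and evaluate(rules, server, client) == "allow"


def stateful_conversation_works(rules: List[Rule], client: str, server: str) -> bool:
    """Gateway ACL model: only the initiating packet is checked; replies follow the state entry."""
    return evaluate(rules, client, server) == "allow"


# Constructed from the question: default = VLAN 1, IoT = VLAN 2
DEFAULT = frozenset({"192.168.1.0/24"})
IOT = frozenset({"192.168.107.0/24"})

# Rule set 1: the poster's single "IoT -> default" deny
block_iot = [Rule("deny", IOT, DEFAULT)]

# Rule set 2: the IP-group trick from the last reply; host addresses are constructed
PAIR = frozenset({"192.168.1.100/32", "192.168.107.200/32"})
isolated_with_exception = [
    Rule("allow", PAIR, PAIR),      # same group on both sides: two-way for listed hosts
    Rule("deny", DEFAULT, IOT),     # isolation rules below it
    Rule("deny", IOT, DEFAULT),
]
```

With `block_iot`, a default-VLAN host opening a connection to IoT fails under the stateless model because the IoT reply matches the deny, which is exactly the "ALL inter-VLAN communication stops" symptom; the same rule on a stateful gateway blocks only IoT-initiated traffic.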