Interactions between Gateway and Switch ACLs

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

Interactions between Gateway and Switch ACLs

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
Interactions between Gateway and Switch ACLs
Interactions between Gateway and Switch ACLs
2024-04-16 21:17:45
Model: OC200  
Hardware Version: V2
Firmware Version: 2.14.4 Build 20240304 Rel.54311

I'm trying to further my understanding of the various types of ACLs so I've been experimenting with a simple case (SSH).

 

Let's say I have 2 VLANs, VLANT (trusted) and VLANU (untrusted, or less trusted).

 

Test #1:

Rule 1.1 Switch ACL denying all protocols with SRC=Network:VLANU and DST=Network:VLANT.

Result:

I can't SSH either way. Ping either way fails as well.

Explanation:

Failure of traffic initiated from VLANU is expected.

Failure of traffic initiated from VLANT was less expected (by me at least).

Switch ACLs are completely stateless so rule 1.1 throws out reply packets from VLANU to VLANT.

While the requests from VLANT to VLANU make it across, the replies don't and the use cases fail.

FWIW, if there was logging of ACL rules (especially deny rules), it might be a little easier to diagnose/troubleshoot.

 

Fix #1.1

To allow SSH from any VLANU client to any VLANT server, add

Rule 1.2 Switch Permit ACL for TCP with SRC=Network:VLANU and DST=IPPORTGROUP:VLANT-Subnet&Port=22 (by default). It must be placed before Rule 1.1.

That one is fairly intuitive.

 

Fix #1.2

To allow SSH from any VLANT client to any VLANU server, add

Rule 1.3 Switch Permit ACL for TCP with SRC=IPPORTGROUP:VLANU-Subnet&Port=22 and DST=Network:VLANT. It must be placed before Rule 1.1.

This one is NOT intuitive IMO. It's actually about allowing replies from the VLANU SSH servers back into VLANT...

 

Test #2

Rule 2.1 Gateway ACL LAN->LAN denying all protocols from Network:VLANU to Network:VLANT where StateTypes is left to Auto.

Result:

I can't SSH from VLANU to VLANT. Ping from VLANU to VLANT fails as well. Both use cases work from VLANT to VLANU though.

FWIW, with StateTypes left to Auto, I expected to be in the same state as Test #1...

But at least I can wrap my mind around this. This is how I expected the switch ACL to work.

This said, I'm not sure I understand the use case for StateTypes not being Auto...

 

Non-Fix #2.1

But there's a rub. I don't believe you can add a rule to only allow SSH (or Ping) from VLANU to VLANT.

Gateway rules don't support rules at the port granularity.

Adding rule 1.2 (a Switch ACL) is ineffective.

I take it all the Inter-VLAN routing happens at the router/GW so while the request packets might make through the switches (as opposed to Test #1?), the GW still enforces rule 1.1 and the use case fails.

 

Summary:

In terms of VLAN isolation, if exceptions aren't needed, Gateway ACLs are more straightforward.

If exceptions are not network wide, then switch ACLs are required but you've got to deal with their stateless nature (changing a Gateway ACL to a Switch ACL with equivalent source and destination is going to block traffic that was not blocked before, namely replies from traffic intiated by the destinations).

 

HTH.

If I've got any of this wrong, please chime in and I'll fix it.

  0      
  0      
#1
Options
2 Reply
Re:Interactions between Gateway and Switch ACLs
2024-04-17 10:09:40

Hi @EricPerl 

Thanks for sharing. To better configure the Gateway ACL and the switch ACL, you may learn the difference between the stateful and stateless ACL.

 

You can point out more details about your concern when you are stuck at the steps to achieve the one-way ACL.

Best Regards! >> Omada EAP Firmware Trial Available Here << >> Get the Latest Omada SDN Controller Releases Here << *Try filtering posts on each forum by Label of [Early Access]*
  0  
  0  
#2
Options
Re:Interactions between Gateway and Switch ACLs
2024-04-17 19:03:42

Hi  @Hank21,

 

If you have resources you can point me too, I'd very much like to learn...

IMO, the official documentation was lacking here and I resorted to experimentation to figure out some of the differences.

Hopefully, as long as it's accurate, other readers can learn from my experiment with this post.

 

Thinking a bit more about this, I have the following comment/suggestion:

Right now, the "guidance" described in my summary feels clunky to me, maybe more based on current limitations of the platform than anything else.

Maybe it would make more sense if the various kind of ACLs applied to devices according to their function.

In other words, with routers dealing with routing across networks/VLANs, gateway WAN/LAN or LAN/LAN ACLs should be used to constrain that routing.

But right now, this is limited by the lack of granular rules at the port level.

Conversely, with switches dealing with traffic within a network, switch ACLs should be used to constrain that traffic.

I'm not sure I have use cases for such rules in that ideal condition. All my use cases for ACLs are around security across VLANs.

Right now, I'm using switch ACLs to block inter-VLAN traffic before it reaches the router/gateway, because I have no choice but to use them as workaround for the lack of more granular gateway ACLs (with the additional caveat of having to deal with their stateless nature).

So at this point, I don't have an opinion on the stateless nature of switch ACLs. In a more ideal world, that might be fine. I don't even know enough about networking to assess whether stateful switch ACLs are possible. They are pretty messy to deal with in my experience.

  0  
  0  
#3
Options