Interactions between Gateway and Switch ACLs
I'm trying to further my understanding of the various types of ACLs so I've been experimenting with a simple case (SSH).
Let's say I have 2 VLANs, VLANT (trusted) and VLANU (untrusted, or less trusted).
Test #1:
Rule 1.1 Switch ACL denying all protocols with SRC=Network:VLANU and DST=Network:VLANT.
Result:
I can't SSH either way. Ping either way fails as well.
Explanation:
Failure of traffic initiated from VLANU is expected.
Failure of traffic initiated from VLANT was less expected (by me at least).
Switch ACLs are completely stateless so rule 1.1 throws out reply packets from VLANU to VLANT.
While the requests from VLANT to VLANU make it across, the replies don't and the use cases fail.
FWIW, if there was logging of ACL rules (especially deny rules), it might be a little easier to diagnose/troubleshoot.
Fix #1.1
To allow SSH from any VLANU client to any VLANT server, add
Rule 1.2 Switch Permit ACL for TCP with SRC=Network:VLANU and DST=IPPORTGROUP:VLANT-Subnet&Port=22 (by default). It must be placed before Rule 1.1.
That one is fairly intuitive.
Fix #1.2
To allow SSH from any VLANT client to any VLANU server, add
Rule 1.3 Switch Permit ACL for TCP with SRC=IPPORTGROUP:VLANU-Subnet&Port=22 and DST=Network:VLANT. It must be placed before Rule 1.1.
This one is NOT intuitive IMO. It's actually about allowing replies from the VLANU SSH servers back into VLANT...
Test #2
Rule 2.1 Gateway ACL LAN->LAN denying all protocols from Network:VLANU to Network:VLANT where StateTypes is left to Auto.
Result:
I can't SSH from VLANU to VLANT. Ping from VLANU to VLANT fails as well. Both use cases work from VLANT to VLANU though.
FWIW, with StateTypes left to Auto, I expected to be in the same state as Test #1...
But at least I can wrap my mind around this. This is how I expected the switch ACL to work.
This said, I'm not sure I understand the use case for StateTypes not being Auto...
Non-Fix #2.1
But there's a rub. I don't believe you can add a rule to only allow SSH (or Ping) from VLANU to VLANT.
Gateway rules don't support rules at the port granularity.
Adding rule 1.2 (a Switch ACL) is ineffective.
I take it all the Inter-VLAN routing happens at the router/GW so while the request packets might make through the switches (as opposed to Test #1?), the GW still enforces rule 1.1 and the use case fails.
Summary:
In terms of VLAN isolation, if exceptions aren't needed, Gateway ACLs are more straightforward.
If exceptions are not network wide, then switch ACLs are required but you've got to deal with their stateless nature (changing a Gateway ACL to a Switch ACL with equivalent source and destination is going to block traffic that was not blocked before, namely replies from traffic intiated by the destinations).
HTH.
If I've got any of this wrong, please chime in and I'll fix it.