Gateway ACL rule doesn't work, but same rule on Switch ACL works

I am a beginner and I would like to understand why, if I create a Gateway ACL that denies all protocols from VLAN 10 to VLAN 01 (as in the first image), it doesn't work. In fact I would expect that the PC on VLAN 10 would stop pinging the device on VLAN 01, but it doesn't!
Instead, if I create the same exact rule but on a Switch ACL (as in the second image), it works as expected and the PC on VLAN 10 can't ping the device on VLAN 01 anymore.
Is the Gateway ACL completely useless?
It takes a few seconds for gateway ACLs to kick in once you activate the rule. And, if you are actively pinging something, that will be considered a current session going through the firewall and will continue until you break the cycle, as you noted. This is normal. It doesn't indicate that the rules don't work.
As said above, switch rules are stateless and therefore there is no connection tracking. This means that in effect a rule that blocks, say, VLAN 1 > VLAN 10 will also inherently block VLAN 10 > VLAN 1, since either the reach-out or the response will be blocked by the same rule.
With the gateway ACL, if your PC on VLAN 10 is pinging the gateway on VLAN 1, you will get a response. If your PC pings any other device on VLAN 1, it should not get a response. The gateway is always accessible unless you create an ACL to deny access to the Gateway Management Page.
Switch ACLs are stateless, which means the switch does not remember anything about an established connection. If you do not have a switch ACL to allow the ping response, then the response will never be seen and that is why everything appears to be working with the switch ACL.
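A small Python model of the two behaviours the answers above describe (an added example, not code from the forum or from the vendor's products): a stateless switch ACL judges each frame on its own, so a deny in either direction breaks the ping, while a stateful gateway ACL keeps forwarding a ping session that was already tracked before the rule went active, until that session is torn down. The VLAN names, rule sets and packet model are constructed for the example.

```python
# Constructed rule sets: (source VLAN, destination VLAN) pairs to deny.
DENY_10_TO_1 = {("vlan10", "vlan1")}  # the rule from the question
DENY_1_TO_10 = {("vlan1", "vlan10")}  # the opposite direction

# A packet is modelled as a (source VLAN, destination VLAN) pair.
PING_REQUEST = ("vlan10", "vlan1")   # echo request from the PC on VLAN 10
PING_REPLY = ("vlan1", "vlan10")     # echo reply back from the VLAN 1 device

def stateless_acl(pkt, rules):
    """Switch ACL model: each frame is judged alone; no memory of sessions."""
    return "drop" if pkt in rules else "forward"

class StatefulGateway:
    """Gateway ACL model: remembers permitted sessions and keeps forwarding
    their packets in both directions until the session is torn down."""
    def __init__(self, rules):
        self.rules, self.enforcing, self.sessions = rules, False, set()
    def activate_rule(self):
        self.enforcing = True
    def clear_sessions(self):  # what happens once the PC stops pinging
        self.sessions.clear()
    def forward(self, pkt):
        if pkt in self.sessions or pkt[::-1] in self.sessions:
            return "forward"   # belongs to an already-established session
        if self.enforcing and pkt in self.rules:
            return "drop"
        self.sessions.add(pkt)  # new session permitted: start tracking it
        return "forward"

def ping_succeeds(filter_fn):
    """A ping from VLAN 10 to VLAN 1 needs the request AND the reply forwarded."""
    return filter_fn(PING_REQUEST) == "forward" and filter_fn(PING_REPLY) == "forward"

def switch_acl_demo(rules):
    return ping_succeeds(lambda p: stateless_acl(p, rules))

def gateway_acl_demo(rules):
    """Returns (before the rule is active, while the old ping session is still
    tracked, after the PC stops pinging and starts again)."""
    gw = StatefulGateway(rules)
    before = ping_succeeds(gw.forward)
    gw.activate_rule()
    during = ping_succeeds(gw.forward)
    gw.clear_sessions()
    after = ping_succeeds(gw.forward)
    return before, during, after
```

Note that with the stateless filter a deny of VLAN 1 > VLAN 10 also stops pings started from VLAN 10, because the reply is dropped, whereas the stateful gateway only blocks sessions initiated in the denied direction.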
@GRL Thank you very much for the clarification