Help with ACLs for inter-VLAN routing (SG350-28)

iroc409

[H]ard|Gawd
Joined
Jun 17, 2006
Messages
1,352
A while back I picked up a Cisco SG350-28 switch to replace my HP 1810 (the 1810 was repurposed elsewhere). Overall, the SG350 works really well, but I'm having trouble writing ACLs that work the way I want.

I have 3 VLANs: one trusted/internal, one untrusted/guest, and one for security cameras (not really being used at the moment, low priority). I was hoping to allow traffic from my internal/trusted network into the untrusted network to allow some services to be put there for one-way traffic, and maybe an occasional nmap scan to just keep an eye on things. However, unless I'm missing something, the SG350 does not have any stateful connection tracking, or "reflexive"/established network tracking on the ACLs. They are strictly processed upon ingress to the switch. Am I missing something?

If I understand things correctly, I can track the TCP connections by denying SYN flags and allowing... ACK, FIN, RST? That should deal with TCP traffic, but with other traffic (UDP) that won't help at all. As I understand it, UDP traffic is stateless and is only tracked by some voodoo stateful tracking by a router/firewall device.

So the only way to get around this and have full connections back and forth is to either allow traffic only between the subnets and specific hosts, or to create another VLAN for the services and allow connections to it from the two VLANs but not directly to each other (trusted <--> network service <--> untrusted).

Any other suggestions? I know the SG350 is no Catalyst, but it actually works pretty well so far and I got a pretty fair price on it. Setting up a dynamic LACP with VLANs was cake on the Cisco side compared to my HP 2530.

SamirD

2[H]4U
Joined
Mar 22, 2015
Messages
3,844
I've run into this before and the only solution I could come up with was also the '3 VLANs' scenario, where you have a VLAN that both can connect to, but that limits the connection between the two main VLANs.

iroc409

[H]ard|Gawd
Joined
Jun 17, 2006
Messages
1,352
Thanks SamirD, at least I know I'm on the right path. :) Seems like some potential security issues, and I'm trying to keep the network as flat as I can, but it's a home network and should be just fine.

I'm having some trouble with a few systems not wanting to talk across subnets, but I'm guessing that's firewall issues or something.

Buxtehude

n00b
Joined
Oct 20, 2020
Messages
1

Hello, iroc409,

I found your question and this thread very helpful.

Did you figure out a solution for this?

I just bought an SG350 and am planning to make 3 VLANs with it.

If you have any info or suggestions, I'd very much appreciate it.

Thank you so much!

iroc409

[H]ard|Gawd
Joined
Jun 17, 2006
Messages
1,352
Hello Buxtehude,

The 3 VLANs SamirD and I talked about above would work pretty well.

I thought about my needs though, and I only needed two connections made between VLANs, so basically I just allowed those. I tried out a number of things and this seemed to be the best-ish solution for me at the time.

For the camera network, I have the camera server and the cameras. That network blocks everything from going anywhere except the server, which can reach the internet for updates. I punched a hole through to allow the trusted network to connect to the camera server (RDP, web access, etc). That allows me to connect to it without unwanted traffic.

The other resource I needed was my DNS server (PiHole). I experimented with a number of things, but finally I just have my DNS sitting on my trusted network and allow the untrusted network to connect to it at port 53 for DNS inquiries only, and the server can reply back to anyone in that network. I didn't want to have separate DNS, and I was also having trouble with it working in different ways, so that's how I settled with it. Maybe not as secure as some things, but A) it's a home network and B) fewer things to manage, which is good for (A). I've done it this way in the past without issue.

I hope that helps.
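As an added illustration (not from the thread or any poster), the following Python model applies the stateless ingress-ACL design from this reply and the TCP flag trick from the first post to sample packets; the addresses, host names and the exact rule set are constructed assumptions. It shows a trusted-initiated TCP reply passing on the ACK flag while a UDP reply from the untrusted VLAN is dropped, which is the gap the thread describes.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed addressing for the thread's three VLANs (example values, not the poster's
# network). ACLs are modelled as stateless filters applied at ingress to routed traffic.
net = ipaddress.ip_network
TRUSTED, UNTRUSTED, CAMERAS = net("192.168.10.0/24"), net("192.168.20.0/24"), net("192.168.30.0/24")
PIHOLE, CAM_SERVER = net("192.168.10.53/32"), net("192.168.30.10/32")

@dataclass
class Packet:
    proto: str                 # "tcp" or "udp"
    src: str
    dst: str
    dport: int = 0
    flags: frozenset = field(default_factory=frozenset)  # TCP flags, e.g. {"SYN", "ACK"}
def rule(action, proto="any", src=None, dst=None, dport=None, need=frozenset()):
    # One ACE. None means "any"; need = TCP flags that must all be set.
    return dict(action=action, proto=proto, src=src, dst=dst, dport=dport, need=need)
def matches(r, p):
    if r["proto"] not in ("any", p.proto): return False
    if r["src"] is not None and ipaddress.ip_address(p.src) not in r["src"]: return False
    if r["dst"] is not None and ipaddress.ip_address(p.dst) not in r["dst"]: return False
    if r["dport"] is not None and r["dport"] != p.dport: return False
    return r["need"] <= p.flags
# One ingress ACL per VLAN; first matching ACE wins, implicit deny at the end.
INGRESS = {
    UNTRUSTED: [
        rule("permit", "udp", dst=PIHOLE, dport=53),       # DNS queries to the Pi-hole only
        rule("permit", "tcp", dst=PIHOLE, dport=53),
        rule("permit", "tcp", dst=TRUSTED, need={"ACK"}),  # flag trick: return half of trusted-initiated TCP
        rule("deny", dst=TRUSTED),                         # (any ACK-bearing segment passes; there is no real state)
        rule("deny", dst=CAMERAS),
        rule("permit"),                                    # everything else, i.e. the internet
    ],
    TRUSTED: [
        rule("permit", dst=CAM_SERVER),   # pinhole to the camera server (RDP, web)
        rule("deny", dst=CAMERAS),        # but not to the cameras themselves
        rule("permit"),                   # trusted may initiate anywhere else
    ],
    CAMERAS: [
        rule("permit", src=CAM_SERVER),   # only the server leaves the camera VLAN (updates, replies)
    ],
}
def allowed(p):
    # Apply the ingress ACL of the VLAN the packet enters on.
    src = ipaddress.ip_address(p.src)
    vlan = next(v for v in INGRESS if src in v)
    for r in INGRESS[vlan]:
        if matches(r, p): return r["action"] == "permit"
    return False  # implicit deny
```

Intra-VLAN traffic (cameras talking to their server on the same VLAN) is not routed and is not modelled here.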