Thanks, CC. I still can't wrap my head around why/how some IPs on the VLAN would be blocked from each other by the switch's ACL while others would not - block IPs assigned by DHCP (e.g., .50-to-.254) and allow all others?
Cheers - Bob
Sophos UTM Community Moderator Sophos Certified Architect - UTM Sophos Certified Engineer - XG Gold Solution Partner since 2005
Here's what the ACL would look like on the switch:
##Allow traffic from the clients to the gateway -may not be necessary, see ##my note below
permit ip 10.10.10.0 0.0.0.255 host 10.10.10.254
##Denies all traffic from the client subnet, to the client subnet -isolating clients
deny ip 10.10.10.0 0.0.0.255 10.10.10.0 0.0.0.255
##Permits all traffic that doesn't match the previous two rules
permit ip any any
About the gateway, if you don't have a captive portal or services that need to be reachable from the clients, you don't actually need to allow traffic to it. IP traffic destined for a network outside of the local subnet will not use the IP of the gateway, only it's MAC address. Since this is an IP layer ACL, it won't affect internet bound traffic from the clients.
ACLs are matched in order, and stop when traffic matches a rule, so if packets don't match the first two, they will be allowed per the final rule (it is necessary because ACLs have an implicit "deny all" at the end for packets that don't match any rules).
It's important to note that L2 traffic is not affected. This means that running an ARP ping sweep would allow you to discover the IP addresses of other connected clients. Any attacks which run over TCP/IP would be blocked, however. So recon attacks and ARP poisoning are still a real thing, but your severely limiting your attack surface.
Here's what the ACL would look like on the switch:
##Allow traffic from the clients to the gateway -may not be necessary, see ##my note below
permit ip 10.10.10.0 0.0.0.255 host 10.10.10.254
##Denies all traffic from the client subnet, to the client subnet -isolating clients
deny ip 10.10.10.0 0.0.0.255 10.10.10.0 0.0.0.255
##Permits all traffic that doesn't match the previous two rules
permit ip any any
About the gateway, if you don't have a captive portal or services that need to be reachable from the clients, you don't actually need to allow traffic to it. IP traffic destined for a network outside of the local subnet will not use the IP of the gateway, only it's MAC address. Since this is an IP layer ACL, it won't affect internet bound traffic from the clients.
ACLs are matched in order, and stop when traffic matches a rule, so if packets don't match the first two, they will be allowed per the final rule (it is necessary because ACLs have an implicit "deny all" at the end for packets that don't match any rules).
It's important to note that L2 traffic is not affected. This means that running an ARP ping sweep would allow you to discover the IP addresses of other connected clients. Any attacks which run over TCP/IP would be blocked, however. So recon attacks and ARP poisoning are still a real thing, but your severely limiting your attack surface.
