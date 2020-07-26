A while back I picked up a Cisco SG350-28 switch to replace my HP 1810 (the 1810 was repurposed elsewhere). Overall, the SG350 works really well, but I'm having trouble writing ACLs that work the way I want.



I have 3 VLANs, 1 trusted/internal, one untrusted/guest, and one for security cameras (not really being used at the moment, low priority). I was hoping to allow traffic from my internal/trusted network into the untrusted network to allow some services to be put there for one-way traffic, and maybe an occasional nmap scan to just keep an eye on things. However, unless I'm missing something, the SG350 does not have any stateful connection tracking, or "reflexive"/established network tracking on the ACLs. They are strictly processed upon ingress to the switch. Am I missing something?



If I understand things correctly, I can track the TCP connections by denying SYN flags and allowing... ACK, FIN, RST? That should deal with TCP traffic, but with other traffic (UDP) that won't help at all. As I understand it, UDP traffic is stateless and is only tracked by some voodoo stateful tracking by a router/firewall device.



So the only way to get around this to have full connection back and forth is to either allow only traffic between the subnets and specific hosts, or to create another VLAN for the services and allow connections to it from the two VLANs but not directly to each other ( trusted <--> network service <--> untrusted).



Any other suggestions? I know the SG350 is no Catalyst, but it actually works pretty well so far and I got a pretty fair price on it. Setting up a dynamic LACP with VLANs was cake on the Cisco side compared to my HP 2530.