Optimizing access control lists on a Cisco SG500X-48 Small Business switch

Kit

I am trying to optimize the access control list rules on a Cisco SG500X-48 Small Business switch (on Layer 3). The general aim is to regulate the traffic between two VLANs (e.g., 10 and 30) in such a way that VLAN 30 has access to VLAN 10, but only for specific protocols, while VLAN 10 has no access at all to VLAN 30.

Thus far I have configured the switch only for ICMP and HTTP as an initial test, like this:

Extended IP access list VLAN 10 Test 1
permit icmp 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255 ace-priority 10 type echo-reply code any
permit tcp 192.168.30.0 0.0.0.255 any 192.168.10.0 0.0.0.255 www ace-priority 20
permit tcp 192.168.10.0 0.0.0.255 www 192.168.30.0 0.0.0.255 any ace-priority 21
deny ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255 ace-priority 100

and applied this as an ingress ACL to VLAN 10. As a result:

- VLAN 30 can ping VLAN 10
- VLAN 30 can access VLAN 10 on HTTP (but cannot access any other service in VLAN 10)
- VLAN 10 has no access to VLAN 30 whatsoever

So far, so good. However, as I need to configure such ACL entries for multiple protocols on multiple VLANs, I wondered if I couldn't minimize the required entries by first allowing the requests from VLAN 30 to VLAN 10 from TCP any to any port:

permit tcp 192.168.30.0 0.0.0.255 any 192.168.10.0 0.0.0.255 any ace-priority 20

and then permitting the replies from VLAN 10 only for the ports corresponding to the services that I wish to allow to respond to the requests:

permit tcp 192.168.10.0 0.0.0.255 www 192.168.30.0 0.0.0.255 any ace-priority 21
permit tcp 192.168.10.0 0.0.0.255 telnet 192.168.30.0 0.0.0.255 any ace-priority 22
permit tcp 192.168.10.0 0.0.0.255 ssh 192.168.30.0 0.0.0.255 any ace-priority 23

Unfortunately, this doesn't seem to work: when I configured the following ACL on the switch and applied it to VLAN 10,

Extended IP access list VLAN 10 Test 2
permit icmp 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255 ace-priority 10 type echo-reply code any
permit tcp 192.168.30.0 0.0.0.255 any 192.168.10.0 0.0.0.255 any ace-priority 20
permit tcp 192.168.10.0 0.0.0.255 www 192.168.30.0 0.0.0.255 any ace-priority 21
deny ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255 ace-priority 100

VLAN 30 lost access to VLAN 10 on HTTP. On the contrary, and for a reason as yet inexplicable to me, VLAN 10 suddenly was able to access VLAN 30 on HTTP, which of course shouldn't happen.

I searched the web for a deeper explanation of how ACL rules work, but was unable to find anything explaining this behaviour. I guess I might be missing something fundamental. Could you please enlighten me?

Thank you in advance for your time.
 
Boy, is this late. But with ACLs, they are processed in order of the list, top to bottom. Once a condition is met, no more processing is done. If you use permits, then you must have a deny all at the end. If you use denies, then you must have a permit all at the end.

I don't know how granular the small Cisco switches are when it comes to protocols and ACLs. I have arranged my devices in groups of small sub-networks rather than by protocol. I put all my like devices in the lower subnet or the higher subnet, and then use a subnet in my ACL. Both should technically work. I want as few statements as possible to keep everything running fast, so I group and group.
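The reply's point (first match wins, in priority order, with a catch-all at the end) can be checked against the two ACLs from the question with a small evaluator. The script below is an added example, not code from the thread or from Cisco; it parses the poster's ACE lines as written, models only first-match evaluation in ace-priority order with an assumed implicit deny when nothing matches, and runs a handful of constructed sample flows (the 192.168.x.5 hosts and source ports are made up) through both ACLs. It does not model how the SG500X binds an ACL to a VLAN or any session state, so it cannot explain the Test 2 anomaly the poster saw; what it does show is that under pure ordering the Test 2 change permits a VLAN 30 to VLAN 10 SSH request but still denies the SSH reply, because the reply direction only permits source port www, and that moving the `deny ip` entry to an earlier priority silently swallows every later permit.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional

# Port keywords used in the ACLs on this page (constructed lookup, not the switch's table).
PORT_NAMES = {"www": 80, "telnet": 23, "ssh": 22}

@dataclass
class Ace:
    priority: int
    action: str                      # "permit" or "deny"
    proto: str                       # "ip", "tcp" or "icmp"
    src: ipaddress.IPv4Network
    sport: Optional[int]             # None means "any"
    dst: ipaddress.IPv4Network
    dport: Optional[int]             # None means "any"
    icmp_type: Optional[str] = None  # e.g. "echo-reply"; None means "any"

@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    icmp_type: Optional[str] = None

def wildcard_to_net(addr, wildcard):
    # A Cisco wildcard mask is the bitwise inverse of a subnet mask (0.0.0.255 -> /24).
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)

def parse_port(token):
    if token == "any":
        return None
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)

def parse_ace(line):
    # Accepts the three ACE shapes that appear in the question:
    #   permit icmp SRC WC DST WC ace-priority N type T code any
    #   permit tcp  SRC WC SPORT DST WC DPORT ace-priority N
    #   deny   ip   SRC WC DST WC ace-priority N
    t = line.split()
    action, proto = t[0], t[1]
    src, i = wildcard_to_net(t[2], t[3]), 4
    sport = None
    if proto == "tcp":
        sport, i = parse_port(t[i]), i + 1
    dst, i = wildcard_to_net(t[i], t[i + 1]), i + 2
    dport = None
    if proto == "tcp":
        dport, i = parse_port(t[i]), i + 1
    if t[i] != "ace-priority":
        raise ValueError(f"unexpected token {t[i]!r} in: {line}")
    priority, i = int(t[i + 1]), i + 2
    icmp_type = t[i + 1] if proto == "icmp" and i < len(t) and t[i] == "type" else None
    return Ace(priority, action, proto, src, sport, dst, dport, icmp_type)

def matches(ace, pkt):
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ipaddress.IPv4Address(pkt.src) not in ace.src or ipaddress.IPv4Address(pkt.dst) not in ace.dst:
        return False
    if ace.proto == "tcp" and ((ace.sport is not None and ace.sport != pkt.sport) or
                               (ace.dport is not None and ace.dport != pkt.dport)):
        return False
    if ace.proto == "icmp" and ace.icmp_type is not None and ace.icmp_type != pkt.icmp_type:
        return False
    return True

def evaluate(acl, pkt):
    # First match in ace-priority order wins. A packet matching no ACE falls to the
    # assumed catch-all deny, reported with priority None so it stays distinguishable.
    for ace in sorted(acl, key=lambda a: a.priority):
        if matches(ace, pkt):
            return ace.action, ace.priority
    return "deny", None

def reprioritize(acl, old_priority, new_priority):
    # Copy of the ACL with one ACE moved: position, not intent, decides the outcome.
    return [replace(a, priority=new_priority) if a.priority == old_priority else a for a in acl]

# The poster's ACE lines, verbatim; Test 1 and Test 2 differ only in the priority-20 entry.
_ICMP = "permit icmp 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255 ace-priority 10 type echo-reply code any"
_REPLY = "permit tcp 192.168.10.0 0.0.0.255 www 192.168.30.0 0.0.0.255 any ace-priority 21"
_DENY = "deny ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255 ace-priority 100"
ACL_TEST1 = [parse_ace(s) for s in (_ICMP, "permit tcp 192.168.30.0 0.0.0.255 any 192.168.10.0 0.0.0.255 www ace-priority 20", _REPLY, _DENY)]
ACL_TEST2 = [parse_ace(s) for s in (_ICMP, "permit tcp 192.168.30.0 0.0.0.255 any 192.168.10.0 0.0.0.255 any ace-priority 20", _REPLY, _DENY)]

# Constructed sample flows: both directions of an HTTP and an SSH session, plus ping traffic.
FLOWS = {
    "http request 30->10": Packet("tcp", "192.168.30.5", "192.168.10.5", 51000, 80),
    "http reply 10->30":   Packet("tcp", "192.168.10.5", "192.168.30.5", 80, 51000),
    "ssh request 30->10":  Packet("tcp", "192.168.30.5", "192.168.10.5", 51001, 22),
    "ssh reply 10->30":    Packet("tcp", "192.168.10.5", "192.168.30.5", 22, 51001),
    "http request 10->30": Packet("tcp", "192.168.10.5", "192.168.30.5", 51002, 80),
    "echo-reply 10->30":   Packet("icmp", "192.168.10.5", "192.168.30.5", icmp_type="echo-reply"),
    "echo-request 10->30": Packet("icmp", "192.168.10.5", "192.168.30.5", icmp_type="echo-request"),
}

def verdicts(acl):
    return {name: evaluate(acl, pkt) for name, pkt in FLOWS.items()}

if __name__ == "__main__":
    for label, acl in (("Test 1", ACL_TEST1), ("Test 2", ACL_TEST2), ("Test 1, deny moved to 5", reprioritize(ACL_TEST1, 100, 5))):
        print(label)
        for flow, (action, prio) in verdicts(acl).items():
            print(f"  {flow:22s} {action:6s} (ace-priority {prio})")
```

Two things are worth noticing in the output. In Test 1 the SSH request from VLAN 30 matches nothing at all and is only dropped by the catch-all, which is why the reply's advice to end a permit-style list with an explicit deny matters: a list without it depends on whatever the platform's default action happens to be. In Test 2 the wide priority-20 permit lets the SSH request in, but the reply from port 22 still hits the priority-100 deny, so a reply-direction permit is needed per allowed service either way; the "any to any" request rule saves nothing.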
 