[OT] Network switch config question

Scott Ehrlich srehrlich-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org
Sat Jun 6 09:46:50 EDT 2009


I know this is not Linux-related, but I wanted to gain the network
wisdom of the list nonetheless.  If I shouldn't post such a question
again to this list, I'll let the moderator(s) yell at me :-)

I have a Dell 6224 managed switch.

This is all on an isolated LAN - I want a scenario where I allow all
protocols - ip, tcp, udp, icmp, igmp to pass between one external host
and a handful of hosts on the switch, blocking any other hosts on the
switch from talking to the handful of hosts and from the external
host, and blocking the external host from talking to the "other hosts"
on the switch.

I set up some rules as follows:

access-list test10 permit ip 192.168.1.5 0.0.0.0 172.16.1.10 0.0.0.0
access-list test10 permit udp 192.168.1.5 0.0.0.0 172.16.1.10 0.0.0.0
[snip - repeated for rest of protocols]

access-list test10 permit ip 172.16.1.10 0.0.0.0 192.168.1.5 0.0.0.0
access-list test10 permit udp 172.16.1.10 0.0.0.0 192.168.1.5 0.0.0.0
[snip - repeated for rest of protocols]

access-list test20 permit ip 192.168.1.6 0.0.0.0 172.16.1.10 0.0.0.0
access-list test20 permit udp 192.168.1.6 0.0.0.0 172.16.1.10 0.0.0.0
[snip - repeated for rest of protocols]

access-list test20 permit ip 172.16.1.10 0.0.0.0 192.168.1.6 0.0.0.0
access-list test20 permit udp 172.16.1.10 0.0.0.0 192.168.1.6 0.0.0.0
[snip - repeated for rest of protocols]

No other hosts (192.168.x.y), whether on the LAN or another switch
feeding this one, should be able to reach 172.16.1.10 after the rules
are in place, nor should 172.16.1.10 be able to reach any other hosts
on the 192.168.x.y network other than those in the access-list.

Is that all that is needed, or do I need some kind of deny line, or
anything else?

Also, what flexibility do I have if I want to disable the rules for
some reason, then re-enable them, without having to re-enter them?

Thanks much in advance.

Scott
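To sanity-check rules like these before applying them, here is an added example (not from the post or from Dell's documentation) that evaluates test flows against the posted permit lines first-match. It assumes Cisco-style wildcard masks, that a `permit ip` line matches every IP protocol, and that the switch ends each ACL with an implicit deny-all; the flows, and the hosts 192.168.1.7 used in them, are constructed.

```python
import ipaddress

# Constructed sample: the ip/udp lines from the post (the snipped
# protocol-specific lines are omitted; 'ip' covers them anyway).
ACL = """
access-list test10 permit ip  192.168.1.5 0.0.0.0 172.16.1.10 0.0.0.0
access-list test10 permit udp 192.168.1.5 0.0.0.0 172.16.1.10 0.0.0.0
access-list test10 permit ip  172.16.1.10 0.0.0.0 192.168.1.5 0.0.0.0
access-list test10 permit udp 172.16.1.10 0.0.0.0 192.168.1.5 0.0.0.0
access-list test20 permit ip  192.168.1.6 0.0.0.0 172.16.1.10 0.0.0.0
access-list test20 permit ip  172.16.1.10 0.0.0.0 192.168.1.6 0.0.0.0
"""

def _addr_spec(tokens):
    """Consume 'any' or 'ADDR WILDCARD' from the token list."""
    tok = tokens.pop(0)
    return ("0.0.0.0", "255.255.255.255") if tok == "any" else (tok, tokens.pop(0))

def parse_acl(text):
    """Return {acl_name: [(action, proto, (src, swild), (dst, dwild)), ...]}."""
    rules = {}
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "access-list":
            continue
        name, action, proto, rest = tokens[1], tokens[2], tokens[3], tokens[4:]
        rules.setdefault(name, []).append((action, proto, _addr_spec(rest), _addr_spec(rest)))
    return rules

def wildcard_match(addr, spec):
    """Wildcard semantics: a 0 bit in the wildcard means that bit must match."""
    base, wild = spec
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wild))
    mask = 0xFFFFFFFF & ~w
    return (a & mask) == (b & mask)

def evaluate(rules, src, dst, proto):
    """First matching line decides; assumption: an unmatched packet hits an implicit deny."""
    for action, rproto, rsrc, rdst in rules:
        if rproto in ("ip", proto) and wildcard_match(src, rsrc) and wildcard_match(dst, rdst):
            return action
    return "deny"  # implicit deny-all at the end of the list

def check_flows(acls):
    """Constructed flows: the permitted pair, a third host, and the reverse direction."""
    flows = [("test10", "192.168.1.5", "172.16.1.10", "udp"),   # explicitly permitted
             ("test10", "192.168.1.5", "172.16.1.10", "icmp"),  # covered by the 'ip' line
             ("test10", "192.168.1.7", "172.16.1.10", "tcp"),   # other host -> protected host
             ("test10", "172.16.1.10", "192.168.1.7", "tcp")]   # protected host -> other host
    return {f: evaluate(acls[f[0]], *f[1:]) for f in flows}

if __name__ == "__main__":
    for flow, decision in check_flows(parse_acl(ACL)).items():
        print(f"{flow[0]}: {flow[1]} -> {flow[2]} {flow[3]}: {decision}")
```

The evaluator only models the decision on one list; where the list is bound (which port, ingress or egress) still has to be checked on the switch itself.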
