Good practice to deny WAN access to a managed switch?

I configured my managed switch to have a static IP in my "trusted (lan)" VLAN. I'm thinking that there should be no reason for it to access to the WAN. Time sync can be configured to hit the router.

I'm thinking to just add a firewall rule denying it. Any downsides? Want to solicit opinions from the community.

That pretty much depends on the switch OS/firmware running on the device in question (some of them are really… let's call it… strange); features with internet access that come to mind would be:

  • NTP (unless reconfigured to a local resource)
  • direct firmware updates from their servers
  • …did anyone mention cloud managed switches…?!

This one does want NTP access, but that link I showed above shows how to use an OpenWRT router to serve it. I don't see any option for an update service nor cloud on this one. I'm just thinking, on general principle, deny access to it.
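The rule the poster describes (switch may talk NTP to the router, nothing from the switch may be forwarded to WAN), written as `/etc/config/firewall` stanzas for an OpenWrt router. This is an added example, not configuration from the thread; it assumes the switch's static management IP is `192.168.1.2`, that the trusted VLAN is the `lan` zone, and that the WAN zone is named `wan`.

```uci
# Added example for /etc/config/firewall on the OpenWrt router.
# Assumptions (not from the thread): switch management IP 192.168.1.2,
# trusted VLAN = zone 'lan', upstream = zone 'wan', router runs the NTP server.

# Input rule: no 'dest' means the traffic is addressed to the router itself.
# Only needed if the lan zone's input policy is not already ACCEPT.
config rule
	option name 'Allow-Switch-NTP-to-Router'
	option src 'lan'
	option src_ip '192.168.1.2'
	option proto 'udp'
	option dest_port '123'
	option target 'ACCEPT'

# Forward rule: anything from the switch's IP toward the wan zone is rejected,
# regardless of how the switch itself is configured (gateway or not).
config rule
	option name 'Block-Switch-to-WAN'
	option src 'lan'
	option src_ip '192.168.1.2'
	option dest 'wan'
	option proto 'all'
	option target 'REJECT'
```

Apply with `/etc/init.d/firewall restart`, then confirm from the switch that `ntp` against the router's LAN address still syncs while a ping to a public address fails. Because the block is enforced on the router rather than relying on the switch having no gateway, a later change to the switch's IP settings does not silently reopen the path; a switch whose management IP is moved does, however, need the `src_ip` updated, so pin it with a static address or DHCP reservation.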

I don’t see any meaning in having a firewall installed in the switch to begin with. Not a single switch in the whole wide world has that from the factory anyway.

The router has the firewall, and the switch only has unmanaged interfaces, or more likely only L2 devices to switch the data without any interface at all.

You would need at least one managed interface for the system access on the switch.

This is pretty much the same setup as a dumb AP has, but a dumb AP needs unmanaged interfaces to connect VLANs to wifi radios.

NTP will work through the managed interface for system access and make the call to the NTP servers from inside the firewall to the internet, as any other data does.

Or simply...just don't add a gateway?