This bugs me a bit so just seeking out to see what you folks do here, at lest you who work in security or have a security oriented homelab.
I do not generally allow any traffic between VLANs, all is isolated in the Switch, where different VLANs are in different routing instances (VRFs) and next-hop is my firewall. All traffic is L3.
Now when I'm testing new things and I need to login to a random web interface, at a random port I normally create an application on my firewall for that port, and add that port to a "baseline" I have for traffic from my office network to my different server networks. This works as indented and means I will never have any traffic I'm not aware of.
However this is also time consuming. So I'm thinking to allow all high ports (>1024) - for only one direction (office networks->server networks) but not sure this is a good idea either.
I'm also thinking to force (web admin X) to use 443. I could also use a web proxy that would allow high ports and use that while testing, but yea. all have their pro's and cons..
Or just allow anything from from trusted to untrusted.
The main concern is from untrusted to trusted that should always be denied.