Business Community > Switches > ACL on switch port to deny traffic to local subnet - except to router, and allow internet
< Switches

ACL on switch port to deny traffic to local subnet - except to router, and allow internet

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

ACL on switch port to deny traffic to local subnet - except to router, and allow internet

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
ACL on switch port to deny traffic to local subnet - except to router, and allow internet
ACL on switch port to deny traffic to local subnet - except to router, and allow internet
2020-07-18 12:47:58 - last edited 2022-09-01 02:49:23
Tags: #Highlighted Thread #Switch ACL
Model: T1600G-28PS(TL-SG2424P)  
Hardware Version: V3
Firmware Version: 3.0.5 Build 20200110 Rel.50207(s)

Dear Community,

 

I'm looking for tips on how to construct an an ACL to apply on a specific port do the following:

- allow all traffic to the router (192.168.1.1)

- deny all traffic to/from the local subnet (192.168.1.0/24)

- allow all traffic to/from internet

 

Below is an illustration of the network topology.

In that example, the ACL would be on port 2, where PC 2 would be connected.

In that example, the PC2 would be able to communicate with the router and get traffic outside to the internet, but wouldn't be able to send/receive traffic from PC1

 

I wouldn't want to go with VLAN (subnets, interfaces and routing), and kind of hope this i achievable with ACL.

 

I tried setting the ACL (screenshot below), but I can't get it to work: my ACL attempt does a fine job at enabling traffic to the router while preventing traffic to the local subnet, but it also prevents any traffic to the internet... 

 

 

Network topology

 

 

 

Non-working ACL attempt:

 

 

Cheers

  0      
 
  0      
 
#1
Options
1 Accepted Solution
Re:ACL on switch port to deny traffic to local subnet - except to router, and allow internet-Solution
2020-07-25 09:55:22 - last edited 2020-07-25 09:55:30

To close this thread

 

I have had email exchange with the support team.

 

During this exchange, I received confirmation that the ACL rule set presented in the original post was correct for the intended purpose:

1. S-I:0.0.0.0, D-IP:192.168.1.1, Action: Permit
2. S-I:0.0.0.0, D-IP:192.168.1.0, Action: Deny
3. S-P:0.0.0.0, D-IP:0.0.0.0, Action: Permit.

 

So I'm marking this as answered, and hopefully these can help someone in the future.

 

My issue lied with something else than the switch and ACL (probably cables malfunction).

 

 

During my correspondance with the support team, I learned that ACL have a default deny-all behavior.

 

Quote:

For TP-Link switches, the rule at the top of the ACL has the highest priority. (By default, these rules are sorted from smallest to largest, so the smaller the ID, the higher the priority.)
When the switch receives a packet, it will parse the packet and match it with the priority of the ACL Rules.
If the packet matches with one ACL rule, it will be processed according to the corresponding action. If not, it will match the next rule, until it matches the appropriate rule. If all rules don’t match with this packet, the switch will add a “Deny All” rule at the end of the ACL with the lowest priority.

 

Cheers

Recommended Solution
  1  
  1  
#4
Options
3 Reply
Re:ACL on switch port to deny traffic to local subnet - except to router, and allow internet
2020-07-21 10:03:11

@Eguun 

 

Why not try VLAN as 802.1Q VLAN is the port-based VLAN technology.?

  0  
  0  
#2
Options
Re:ACL on switch port to deny traffic to local subnet - except to router, and allow internet
2020-07-22 06:46:20

@Yannie thanks for the reply.

In my initial post, this is exactly what I called out as not willing to do: I don't want VLAN (define multiple switch interfaces, subnets, and level 3 routing).

I just want basic ACL.

 

I'm assuming making an ACL to only allow internet (and prevent local subnet access except router) should be pretty simple.

 

I hope the community can help bringing some experience on this one.

 

Cheers

  0  
  0  
#3
Options
Re:ACL on switch port to deny traffic to local subnet - except to router, and allow internet-Solution
2020-07-25 09:55:22 - last edited 2020-07-25 09:55:30

To close this thread

 

I have had email exchange with the support team.

 

During this exchange, I received confirmation that the ACL rule set presented in the original post was correct for the intended purpose:

1. S-I:0.0.0.0, D-IP:192.168.1.1, Action: Permit
2. S-I:0.0.0.0, D-IP:192.168.1.0, Action: Deny
3. S-P:0.0.0.0, D-IP:0.0.0.0, Action: Permit.

 

So I'm marking this as answered, and hopefully these can help someone in the future.

 

My issue lied with something else than the switch and ACL (probably cables malfunction).

 

 

During my correspondance with the support team, I learned that ACL have a default deny-all behavior.

 

Quote:

For TP-Link switches, the rule at the top of the ACL has the highest priority. (By default, these rules are sorted from smallest to largest, so the smaller the ID, the higher the priority.)
When the switch receives a packet, it will parse the packet and match it with the priority of the ACL Rules.
If the packet matches with one ACL rule, it will be processed according to the corresponding action. If not, it will match the next rule, until it matches the appropriate rule. If all rules don’t match with this packet, the switch will add a “Deny All” rule at the end of the ACL with the lowest priority.

 

Cheers

Recommended Solution
  1  
  1  
#4
Options

Information

Helpful: 0

Views: 2666

Replies: 3

Tags

Highlighted Thread Switch ACL
Related Articles
 T1600G-28PS Smart Switch ACL
3513 0
ACL between VLAN and Routed Port
1817 0
 Vlans- Deny All ACL on default Vlan1
358 0
 An alternative to Gateway Stateful ACL using Switch ACL
1808 5
ACL with Source IP and Port to Destination IP and Port between VLANs
814 0
Problems getting switch ACL rules to trigger
590 0
About Us
Press
Copyright © TP-Link Systems Inc. All rights reserved.