CONFIG VLAN WITH ACL

CONFIG VLAN WITH ACL
CONFIG VLAN WITH ACL
2020-09-21 11:29:47
Hardware Version: V2
Firmware Version: 2.0.5

My settings

 

Switch:
DLINK DGS1510-28 (PORT 1) ---- tagged ----> T1500G-8T 2.0 (PORT 8)

 

Net:
VLAN10 - 192.168.0.0 (PORT: 8)
VLAN50 - 192.168.50.0 (PORT: 1, 2)
VLAN80 - 192.168.80.0 (PORT: 3)

 

I want:
1.- Block traffic between the same VLAN50
2.- Block traffic between the same VLAN80
3.- Block traffic between VLAN50 / VLAN80 / VLAN10
4.- In VLAN50 / VLAN80 create exception in VLAN10 for the IP: 192.168.0.223

 

Configuration on T1500G-8T:

VLAN:


ACL:

ACL BINDING:

With these rules I have managed to block traffic between computers of the same VLAN50 and communication with other VLANs (10.80, etc ..). The problem is when creating the exception (Rule id 2 in the screenshot) to be able to access 192.168.0.223, when I add the rule, then I have access to ALL VLAN10, I can ping other computers of the same VLAN10.

 

How can I block access to an entire VLAN but allow an exception?


Thank you

 

0
0
#1
Options
11 Reply
Re:CONFIG VLAN WITH ACL
2020-09-23 07:31:13

@ATPackaging 

 

I want:

3.- Block traffic between VLAN50 / VLAN80 / VLAN10
4.- In VLAN50 / VLAN80 create exception in VLAN10 for the IP: 192.168.0.223

 

I have no idea how to Block traffic between the same VLAN. But for the other two demands, in my opinion, the configuration could be the following:

 

IP ACL rule:

 

1) permit: from ANY to 192.168.0.223

2) deny: from 192.168.50.0 to 192.168.80.0 (from 192.168.80.0 to 192.168.50.0)

3) deny: from 192.168.50.0 to 192.168.0.0 (from 192.168.80.0 to 192.168.0.0)

 

ACL Binding:

 

bind the above IP ACL rule to VLAN50 (VLAN 80)

 

I haven't tried this setup, but wish it could work. Good luck!

Good day to you no matter where you are.
0
0
#2
Options
Re:CONFIG VLAN WITH ACL
2020-09-23 08:49:06

@ATPackaging 

 

Thank you very much for answering!

 

The rules that I put in the previous message work, I can block the traffic between the same VLAN and the rest of VLAN´S.

The problem is when I add an exception (192.168.0.223), it stops blocking the entire range VLAN10 and gives access to the entire 192.168.0.0 network

 

Regards

0
0
#3
Options
Re:CONFIG VLAN WITH ACL
2020-09-25 17:11:27

@ATPackaging, what protocol did you specify for the ACL rule with ID #2 (if any)?

༺ 0100 1101 0010 10ཏ1 0010 0110 1010 1110 ༻
0
0
#4
Options
Re:CONFIG VLAN WITH ACL
2020-09-28 08:39:20

@R1D2 

 

Do not specify any particular protocol for that rule:

 

 

Thanks!

0
0
#5
Options
Re:CONFIG VLAN WITH ACL
2020-09-28 14:52:08 - last edited 2020-09-28 14:52:52

@ATPackaging, in my opinion the issue is that the ACL is bound to ingress direction.

Therefrore, it applies to traffic directed into VLAN 50, not to traffic coming from VLAN 50.

 

Also, rule ID #3 is obsolete. It's a subset of rule ID #10.

 

I recommend to always turn on logging when setting up new rules. Albeit the switch adds a default DENY rule at the end of each ACL ruleset, you can add an explicit DENY rule and then see exactly which rule matches which traffic if something doesn't work as expected.

༺ 0100 1101 0010 10ཏ1 0010 0110 1010 1110 ༻
0
0
#6
Options
Re:CONFIG VLAN WITH ACL
2020-09-29 12:34:27

@R1D2 

I added rule 3 because by adding rule 2, I had access to the entire 192.168.0.0 network. I thought that maybe this way I could specifically block the network and add the exception 192.168.0.223

 

I have deleted everything and created these rules: (the problem persists, nothing has changed)

0
0
#7
Options
Re:CONFIG VLAN WITH ACL
2020-09-29 21:48:32

@ATPackaging, you need separate ACL rulesets for ingress/egress into/out of VLAN 50, not only different rules in the same ruleset.

༺ 0100 1101 0010 10ཏ1 0010 0110 1010 1110 ༻
0
0
#8
Options
Re:CONFIG VLAN WITH ACL
2020-09-30 07:28:11

@R1D2 Could you explain how to do it?

0
0
#9
Options
Re:CONFIG VLAN WITH ACL
2020-09-30 11:00:58

@ATPackaging

 

create an ACL with DST-IP 192.168.0.223 / Netmask 255.255.255.255, Permit, bind to VLAN 10.

create an ACL with SRC-IP 192.168.0.223 / Netmask 255.255.255.255, Permit, bind to VLANs 50 and 80.

 

You can also find several examples in the Configuration Guide here: https://www.tp-link.com/us/configuration-guides/configuring_acl/

༺ 0100 1101 0010 10ཏ1 0010 0110 1010 1110 ༻
1
1
#10
Options
Re:CONFIG VLAN WITH ACL
2020-10-09 00:23:48

ATPackaging wrote

@R1D2 Could you explain how to do it?

@ATPackaging Hello, I have a very similar problem, I need to deny all access between vlan's and then allow specific host to connect each other. For now I'm only able to deny all access between vlan's but once I do that I cant allow traffic between two host. Have you found a solution?

0
0
#11
Options