CONFIG VLAN WITH ACL
CONFIG VLAN WITH ACL
My settings
Switch:
DLINK DGS1510-28 (PORT 1) ---- tagged ----> T1500G-8T 2.0 (PORT 8)
Net:
VLAN10 - 192.168.0.0 (PORT: 8)
VLAN50 - 192.168.50.0 (PORT: 1, 2)
VLAN80 - 192.168.80.0 (PORT: 3)
I want:
1.- Block traffic between the same VLAN50
2.- Block traffic between the same VLAN80
3.- Block traffic between VLAN50 / VLAN80 / VLAN10
4.- In VLAN50 / VLAN80 create exception in VLAN10 for the IP: 192.168.0.223
Configuration on T1500G-8T:
VLAN:
ACL:
ACL BINDING:
With these rules I have managed to block traffic between computers of the same VLAN50 and communication with other VLANs (10.80, etc ..). The problem is when creating the exception (Rule id 2 in the screenshot) to be able to access 192.168.0.223, when I add the rule, then I have access to ALL VLAN10, I can ping other computers of the same VLAN10.
How can I block access to an entire VLAN but allow an exception?
Thank you
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
I want:3.- Block traffic between VLAN50 / VLAN80 / VLAN10
4.- In VLAN50 / VLAN80 create exception in VLAN10 for the IP: 192.168.0.223
I have no idea how to Block traffic between the same VLAN. But for the other two demands, in my opinion, the configuration could be the following:
IP ACL rule:
1) permit: from ANY to 192.168.0.223
2) deny: from 192.168.50.0 to 192.168.80.0 (from 192.168.80.0 to 192.168.50.0)
3) deny: from 192.168.50.0 to 192.168.0.0 (from 192.168.80.0 to 192.168.0.0)
ACL Binding:
bind the above IP ACL rule to VLAN50 (VLAN 80)
I haven't tried this setup, but wish it could work. Good luck!
- Copy Link
- Report Inappropriate Content
Thank you very much for answering!
The rules that I put in the previous message work, I can block the traffic between the same VLAN and the rest of VLAN´S.
The problem is when I add an exception (192.168.0.223), it stops blocking the entire range VLAN10 and gives access to the entire 192.168.0.0 network
Regards
- Copy Link
- Report Inappropriate Content
@ATPackaging, what protocol did you specify for the ACL rule with ID #2 (if any)?
- Copy Link
- Report Inappropriate Content
- Copy Link
- Report Inappropriate Content
@ATPackaging, in my opinion the issue is that the ACL is bound to ingress direction.
Therefrore, it applies to traffic directed into VLAN 50, not to traffic coming from VLAN 50.
Also, rule ID #3 is obsolete. It's a subset of rule ID #10.
I recommend to always turn on logging when setting up new rules. Albeit the switch adds a default DENY rule at the end of each ACL ruleset, you can add an explicit DENY rule and then see exactly which rule matches which traffic if something doesn't work as expected.
- Copy Link
- Report Inappropriate Content
I added rule 3 because by adding rule 2, I had access to the entire 192.168.0.0 network. I thought that maybe this way I could specifically block the network and add the exception 192.168.0.223
I have deleted everything and created these rules: (the problem persists, nothing has changed)
- Copy Link
- Report Inappropriate Content
@ATPackaging, you need separate ACL rulesets for ingress/egress into/out of VLAN 50, not only different rules in the same ruleset.
- Copy Link
- Report Inappropriate Content
@R1D2 Could you explain how to do it?
- Copy Link
- Report Inappropriate Content
create an ACL with DST-IP 192.168.0.223 / Netmask 255.255.255.255, Permit, bind to VLAN 10.
create an ACL with SRC-IP 192.168.0.223 / Netmask 255.255.255.255, Permit, bind to VLANs 50 and 80.
You can also find several examples in the Configuration Guide here: https://www.tp-link.com/us/configuration-guides/configuring_acl/
- Copy Link
- Report Inappropriate Content
ATPackaging wrote
@R1D2 Could you explain how to do it?
@ATPackaging Hello, I have a very similar problem, I need to deny all access between vlan's and then allow specific host to connect each other. For now I'm only able to deny all access between vlan's but once I do that I cant allow traffic between two host. Have you found a solution?
- Copy Link
- Report Inappropriate Content
Information
Helpful: 0
Views: 3432
Replies: 11
Voters 0
No one has voted for it yet.