ACL between VLAN and Routed Port

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2021-08-16 09:07:10 - last edited 2022-10-28 02:28:41
Tags: #ACL
Model: TL-SG3428MP  
Hardware Version: V2
Firmware Version: 20210409

Hello all,

 

I have a TL-SG3428MP and I'm quite happy with my configuration so far.

Now I have a question regarding ACL.

I set up the hardware in my office just to test everything. See the infrastructure:

I'm able to access the switch from my computer via the interface IP address I configured on the L3 Routed Port interface.

 

To test ACL I created a new IP ACL and configured it:

I used this faq entry as an example:

https://www.tp-link.com/pl/support/faq/951/

So basically I want to block all communication from the laptop 192.168.150.19 with rules 1 and 2. The mask is 255.255.255.255 in rules 1 and 2 to block just this IP address.

All other communication should be allowed with rule 3. So if I change the IP of the laptop to 192.168.150.18, communication should be possible.

 

After creating the rule I created the ACL Binding:

I tried Port Binding and VLAN Binding. Direction Ingress is the only option.

So now if I ping from the laptop 192.168.150.19 to the hardware controller 192.168.150.10, the ping fails. If I unbind the ACL, the ping works. So the ACL is working properly, I guess.

Now if I ping from the laptop 192.168.150.19 to the interface IP 192.168.150.1, the ping works. The same behavior occurs if I ping the interface IP of the Routed Port or my computer. From my computer (company network) to the laptop 192.168.150.19 it works too (I thought it would be blocked by rule 2 because of the D-IP).

 

Is the ACL only working correctly within the 192.168.150.0 network / VLAN and not between the VLAN and the Routed Port, or am I missing something here?

 

Thanks for your help and best regards

 

Stefan

#1
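The three rules and the ping tests described in the post above, as an added example (this is not the poster's configuration and not TP-Link code): a small Python model of first-match IP ACL evaluation using the subnet-mask semantics the post relies on (255.255.255.255 pins one host), plus a check of which reported ping results contradict what the ACL should enforce. The routed-port address and the company PC address are hypothetical (the post does not give them), the observed results are constructed from the post's description, and the model assumes that an ingress-only VLAN binding inspects only packets entering the switch from hosts on that VLAN and that an unmatched packet is permitted.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str                       # "deny" or "permit"
    src: Optional[str] = None         # None = any source
    src_mask: str = "255.255.255.255"
    dst: Optional[str] = None         # None = any destination
    dst_mask: str = "255.255.255.255"


def _match(addr: str, ref: Optional[str], mask: str) -> bool:
    # Subnet-mask semantics: a 1 bit in the mask means that bit must match,
    # so 255.255.255.255 matches exactly one host, as the post uses it.
    if ref is None:
        return True
    a, r, m = (int(ipaddress.IPv4Address(x)) for x in (addr, ref, mask))
    return (a & m) == (r & m)


def evaluate(acl, src, dst):
    """First matching rule wins; returns (action, rule_id).
    ICMP echo carries no ports, so only addresses are compared."""
    for rule in acl:
        if _match(src, rule.src, rule.src_mask) and _match(dst, rule.dst, rule.dst_mask):
            return rule.action, rule.rule_id
    return "permit", None  # assumption: no implicit deny; rule 3 below makes it moot


def ping_expected(acl, bound_net, src, dst):
    """Expected outcome of a ping with the ACL bound ingress on one VLAN.
    A packet is inspected only when it enters the switch on that VLAN, which
    this model approximates as 'the sending host lives in bound_net'.
    The ping succeeds only if the echo request AND the echo reply pass."""
    net = ipaddress.IPv4Network(bound_net)
    for s, d in ((src, dst), (dst, src)):      # request, then reply
        if ipaddress.IPv4Address(s) in net:
            action, rule_id = evaluate(acl, s, d)
            if action == "deny":
                return "blocked", rule_id
    return "reachable", None


def enforcement_gaps(acl, bound_net, observed):
    """observed maps (src, dst) -> True if the ping got replies.
    Returns the flows whose observed result contradicts the expected one."""
    gaps = []
    for (src, dst), reachable in observed.items():
        expected, rule_id = ping_expected(acl, bound_net, src, dst)
        if (expected == "reachable") != reachable:
            gaps.append((src, dst, expected, rule_id))
    return gaps


# The three rules from the post.
ACL = [
    Rule(1, "deny", src="192.168.150.19"),
    Rule(2, "deny", dst="192.168.150.19"),
    Rule(3, "permit"),
]

LAPTOP, CONTROLLER, SVI = "192.168.150.19", "192.168.150.10", "192.168.150.1"
ROUTED_PORT_IP = "192.0.2.1"   # hypothetical: the post gives no address for the routed port
COMPANY_PC = "192.0.2.50"      # hypothetical: the post gives no address for the company PC

# Constructed from the post's description; True = the ping worked.
OBSERVED = {
    (LAPTOP, CONTROLLER): False,
    (LAPTOP, SVI): True,
    (LAPTOP, ROUTED_PORT_IP): True,
    (LAPTOP, COMPANY_PC): True,
    (COMPANY_PC, LAPTOP): True,
}

if __name__ == "__main__":
    for src, dst, expected, rule_id in enforcement_gaps(ACL, "192.168.150.0/24", OBSERVED):
        print(f"{src} -> {dst}: expected {expected} by rule {rule_id}, but the ping succeeded")
```

Fill OBSERVED with your own ping results after binding the ACL (and again after a firmware update); every line printed is a flow the switch forwarded despite a matching deny, which is the signal that the ACL is enforcing only bridged traffic and not what crosses the L3 interfaces. One detail the model makes visible: with an ingress-only binding on VLAN 150, the company PC to laptop ping is stopped by rule 1 on the echo reply, not by rule 2 on the request, because the request enters the switch on the routed port rather than on the bound VLAN; rule 2 only takes effect for packets that enter on the VLAN itself.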
1 Accepted Solution
Re:ACL between VLAN and Routed Port-Solution
2021-08-26 01:20:57 - last edited 2022-09-01 02:36:48

Dear @StefanDevernon,

 

StefanDevernon wrote

you are correct, my computer is in a different VLAN and in another IP address range.

To block the whole communication is just a test I want to run to see if ACLs are working correctly.

As mentioned in the 192.168.150.0 network the ACL is working properly.

If the ACL is active pinging from the laptop to the hardware controller isn't possible.

But from the laptop to my computer or the other way around it is.

As configured in the rule the source and destination IP address 192.168.150.19 should be blocked.

My guess is that because my computer is in a different VLAN / IP range the ACL isn't active for these packets.

 

Thank you for your valued reply. I understand your point now.

 

Here is a beta firmware that is meant to fix the ACL issue; I think it can fix the issue you are suffering from.

TL-SG3428_v2_2.0.3_Build 20210825(Beta)

 

Update on September 1, 2022:

 

The new firmware TL-SG3428(UN)_V2_2.0.7 Build 20220606 released recently has fixed the ACL-related issue.

 

If you find that a Combined ACL fails to block traffic between Layer 3 networks, please check for a firmware update first.

 

Thank you for your attention!

#4

3 Replies
Re:ACL between VLAN and Routed Port
2021-08-25 10:41:20

Dear @StefanDevernon,

 

The network diagram doesn't show other VLANs, but I assume that your computer is working in a different VLAN from the laptop, right?

 

Based on your setup example, do you want to block all communication from the laptop 192.168.150.19 including the Internet access?

 

BTW, here is the configuration guide for ACL for your reference, which contains examples for MAC ACL, IP ACL and Combined ACL.

Configuration Example for ACL

#2
Re:ACL between VLAN and Routed Port
2021-08-25 13:15:25

@Fae 

 

Hi Fae,

you are correct, my computer is in a different VLAN and in another IP address range.

To block the whole communication is just a test I want to run to see if ACLs are working correctly.

As mentioned in the 192.168.150.0 network the ACL is working properly.

If the ACL is active pinging from the laptop to the hardware controller isn't possible.

But from the laptop to my computer or the other way around it is.

 

As configured in the rule the source and destination IP address 192.168.150.19 should be blocked.

 

My guess is that because my computer is in a different VLAN / IP range the ACL isn't active for these packets.

 

Best regards

 

Stefan

#3