Only allow a specific device on a specific LAN port
Hello,
I would like to start with the following Omada system:
1 TP-Link OC200
1 TP-Link TL-SG3428X
2 EAP225
I now have a question:
Is it possible to restrict one port on the switch so that ONLY the access point works on this port?
So if someone took the LAN cable out of the access point and connected it to, e.g., a laptop, it shouldn't be possible to connect to the network or Internet from this laptop. Only the specified AP should have a connection.
Thanks :)
From my knowledge, MAC binding could help with this kind of setup. Yet I can't find anywhere to set this in Controller mode. This could be a big improvement for the Omada series.
lukass2000 wrote
Hello,
I would like to start with the following Omada system:
1 TP-Link OC200
1 TP-Link TL-SG3428X
2 EAP225
I now have a question:
Is it possible to restrict one port on the switch so that ONLY the access point works on this port?
So if someone took the LAN cable out of the access point and connected it to, e.g., a laptop, it shouldn't be possible to connect to the network or Internet from this laptop. Only the specified AP should have a connection.
Thanks :)
Go to Profiles / Groups and create a new MAC Group
Enter the MAC Address of your EAP
Now go to Network Security / Switch ACL and create a new Rule
Policy: Permit
Protocols: All
Source Type: MAC Group and select your newly created MAC Group
Destination Type: IP Group and select IPGroup_Any
ACL Binding:
Binding Type: Ports
Ports: Custom Ports
Device List: Your Switch
Select the port on which your EAP is connected
Create one more Rule on Switch ACL (This must be the last rule)
Be careful, this rule forbids everything on the selected port
Policy: Deny
Protocols: All
Source Type: IP Group and select IPGroup_Any
Destination Type: IP Group and select IPGroup_Any
ACL Binding:
Binding Type: Ports
Ports: Custom Ports
Device List: Your Switch
Select the port on which your EAP is connected
This works, but is not the best solution, because an attacker can easily change the MAC Address.
A better solution: if the EAP and your switch support Port Security, then you can enable it and set a username and password for this port.
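The two Switch ACL rules from the reply above, modelled as an added example that is not part of the original posts and is not Omada code. It shows why the Deny rule has to come last and why the Permit rule checks an identifier rather than authenticating the device. Assumptions: rules are evaluated top to bottom with the first match deciding, a frame that matches no rule is forwarded, and the MAC addresses and port numbers are constructed sample values.

```python
import re
from dataclasses import dataclass
from typing import Optional

def norm_mac(mac: str) -> str:
    """Normalise AA-BB-.., aa:bb:.. or aabb.ccdd.eeff to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

@dataclass(frozen=True)
class Rule:
    policy: str                           # "permit" or "deny"
    ports: frozenset                      # ACL Binding: ports the rule is bound to
    src_macs: Optional[frozenset] = None  # MAC Group; None models IPGroup_Any

    def matches(self, port: int, src_mac: str) -> bool:
        if port not in self.ports:
            return False
        return self.src_macs is None or norm_mac(src_mac) in self.src_macs

def decide(rules, port: int, src_mac: str) -> str:
    """First matching rule wins (assumed); no match means the frame is forwarded."""
    for rule in rules:
        if rule.matches(port, src_mac):
            return rule.policy
    return "permit"

# Constructed sample values, not taken from the thread.
EAP_MAC, LAPTOP_MAC, EAP_PORT = "AA-BB-CC-00-00-01", "aa:bb:cc:00:00:99", 5

permit_eap = Rule("permit", frozenset({EAP_PORT}), frozenset({norm_mac(EAP_MAC)}))
deny_all = Rule("deny", frozenset({EAP_PORT}))
RULES = [permit_eap, deny_all]            # order given in the reply

def scenarios() -> dict:
    return {
        "eap_on_its_port": decide(RULES, EAP_PORT, EAP_MAC),
        "laptop_on_eap_port": decide(RULES, EAP_PORT, LAPTOP_MAC),
        # Same source MAC as the EAP: the ACL cannot tell the two devices apart.
        "device_with_eap_mac": decide(RULES, EAP_PORT, "aa:bb:cc:00:00:01"),
        # The rules are bound to one port only; other ports are unaffected.
        "laptop_on_other_port": decide(RULES, 7, LAPTOP_MAC),
        # Deny placed first: the EAP itself is cut off.
        "eap_with_deny_first": decide([deny_all, permit_eap], EAP_PORT, EAP_MAC),
    }

if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:22} {verdict}")
```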