How to ACL permit a MAC address while there is a deny for the full network
I am a newbie and am trying to find a simple way of permitting particular systems in the user network to access the server network. All server services are only accessible via the internet for users. However, a few workstations need access to some servers (e.g. old stuff to be migrated to internet-based access), in the logical view called routing2. I tried to use two rules: rule-1, a MAC ACL for the workstation; rule-2, deny the full user network to the server network (both in the "switch" part of the ACL menu). I expected the first rule to match and so take precedence.
As this did not work, I used the AEP ACL rules (not possible to add a MAC-based rule) by creating an IP group of x.x.x.240/28 to have a few options, and then two rules like the MAC-based option above: rule-1 allows this created IP group and rule-2 denies the user network. This works perfectly, only I do not like the setup as I need to block unused IP addresses in the /28 range in DHCP.
It would be most practical to have a MAC group where I can add and delete clients on a client-name basis.
Could somebody help with how to make a MAC-based permit in a denied subnet possible, or any other option to manage access from the user network to the server network? I include the logical security structure of our network.
The workstations are wireless and we are using a private network for users. It seems ACLs at switch level do not support MAC addresses of wireless clients.
BTW, I cannot change the user network into a guest network to avoid the deny on the user network, as e.g. printers and other systems need to be accessible in the user network.
jandico
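The rule orderings described in the post, modelled as an added example (not code from the original post or from the ACL product in question): a small first-match ACL evaluator that shows why a permit placed before the subnet deny wins, why the MAC rule falls through to the deny when the switch ACL cannot see a wireless client's MAC (modelled here by a frame with no source MAC, an assumption about the behaviour the post reports), and which addresses in the /28 IP group are permitted without any known host behind them, which is the reason the post blocks them in DHCP. All networks, addresses, MACs and rule names are constructed placeholders.

```python
"""Added example: first-match ACL evaluation over constructed frames.
Addresses, MACs and rule names are placeholders, not from the post."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Rule:
    name: str
    action: str                      # "permit" or "deny"
    src_mac: Optional[str] = None    # match on source MAC when set
    src_net: Optional[str] = None    # match on source IP network (CIDR) when set
    dst_net: Optional[str] = None    # match on destination IP network (CIDR) when set

    def matches(self, frame: dict) -> bool:
        """All configured fields must match; unset fields match anything."""
        if self.src_mac:
            # Assumption: when the switch ACL cannot see a wireless client's
            # MAC, the frame carries src_mac=None and a MAC rule never matches.
            if frame.get("src_mac") is None:
                return False
            if frame["src_mac"].lower() != self.src_mac.lower():
                return False
        if self.src_net and ip_address(frame["src_ip"]) not in ip_network(self.src_net):
            return False
        if self.dst_net and ip_address(frame["dst_ip"]) not in ip_network(self.dst_net):
            return False
        return True


def evaluate(rules, frame, default="permit"):
    """First-match semantics: the first rule whose fields all match decides.
    Returns (action, rule name); traffic matching no rule gets the default."""
    for rule in rules:
        if rule.matches(frame):
            return rule.action, rule.name
    return default, "implicit-default"


def unassigned_permits(group_cidr, assigned_ips):
    """Host addresses inside a permitted IP group that no known host uses.
    Any device that obtains one of these inherits the permit, which is why
    such addresses are excluded from the DHCP pool in the post's setup."""
    assigned = {ip_address(a) for a in assigned_ips}
    return sorted(str(h) for h in ip_network(group_cidr).hosts() if h not in assigned)


# Constructed topology: user VLAN, server VLAN and the /28 "IP group".
USER_NET = "10.10.20.0/24"
SERVER_NET = "10.10.30.0/24"
MIGRATION_GROUP = "10.10.20.240/28"
LEGACY_MAC = "aa:bb:cc:00:11:22"

# Ordering 1 from the post: MAC permit first, then deny the whole user network.
MAC_THEN_DENY = [
    Rule("rule-1-mac-permit", "permit", src_mac=LEGACY_MAC, dst_net=SERVER_NET),
    Rule("rule-2-deny-users", "deny", src_net=USER_NET, dst_net=SERVER_NET),
]
# Ordering 2 from the post: IP-group permit first, then the same deny.
GROUP_THEN_DENY = [
    Rule("rule-1-group-permit", "permit", src_net=MIGRATION_GROUP, dst_net=SERVER_NET),
    Rule("rule-2-deny-users", "deny", src_net=USER_NET, dst_net=SERVER_NET),
]

# Constructed frames.
LEGACY_WIRED = {"src_mac": LEGACY_MAC, "src_ip": "10.10.20.241", "dst_ip": "10.10.30.5"}
LEGACY_WIRELESS = {"src_mac": None, "src_ip": "10.10.20.241", "dst_ip": "10.10.30.5"}
OTHER_WS = {"src_mac": "aa:bb:cc:99:88:77", "src_ip": "10.10.20.50", "dst_ip": "10.10.30.5"}
USER_TO_PRINTER = {"src_mac": "aa:bb:cc:99:88:77", "src_ip": "10.10.20.50", "dst_ip": "10.10.20.200"}


if __name__ == "__main__":
    for label, rules in (("MAC then deny", MAC_THEN_DENY), ("group then deny", GROUP_THEN_DENY)):
        for name, frame in (("legacy wired", LEGACY_WIRED), ("legacy wireless", LEGACY_WIRELESS),
                            ("other workstation", OTHER_WS), ("user to printer", USER_TO_PRINTER)):
            print(f"{label:16} {name:18} -> {evaluate(rules, frame)}")
    print("deny first:", evaluate(list(reversed(MAC_THEN_DENY)), LEGACY_WIRED))
    print("unused /28 slots:", unassigned_permits(MIGRATION_GROUP, ["10.10.20.241"]))
```

Running it shows the two outcomes the post reports: with the MAC rule first, a frame whose source MAC is visible is permitted, but the wireless variant with no MAC to match falls through to the subnet deny, while the IP-group ordering permits it by address alone; reversing the order makes the deny win for everything. The last line lists the thirteen spare addresses in the /28 that would be permitted as soon as any client picked them up.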