How to ACL permit an MAC address while there is a deny for the full network

2022-02-08 08:46:17 - last edited 2022-02-20 18:33:59
Model: AC500
Hardware Version: V1
Firmware Version: 5.0.30

I am a newbie and trying to have a simple way of permitting particular systems in the user network to access the server network. All server services are only accessible via the internet for users. However, a few workstations need access to some servers (e.g. old stuff to be migrated to internet based access). In the logical view called routing2 I tried to use two rules: rule-1 MAC ACL for the workstation; rule-2 deny the full network of the user network to the server network (both in the "switch" part of the ACL menu). I expected the first rule to be true and so take precedence.

As this did not work, I used the EAP ACL rules (not possible to add a MAC based rule) by creating an IP group of x.x.x.240/28 to have a few options and then have two rules like the above MAC based option: rule-1 allow this created IP group and rule-2 deny the user network. This works perfectly, only I do not like the setup as I need to block unused IP addresses in the /28 range in DHCP.

It would be most practical to have a MAC group where I can add and delete on a client-name based option.

Could somebody help me with how to make the MAC based permit in a denied subnet possible, or any other option to manage access from the user to the server network? I include the logical security structure of our network.
The workstations are wireless and we are using private network for users. It seems ACL at switch level does not support mac addresses of wireless clients.

BTW I cannot change the user network into a guest network to avoid the deny on the user network, as e.g. printers and other systems need to be accessible in the user network.

jandico

#1
Re:How to ACL permit an MAC address while there is a deny for the full network
2022-02-23 13:05:49

@jandico

Are you talking about SDN controller 5.0.30?
Specifically software or hardware?

I see that it is possible to set ACLs based on MAC on the switch.

#2
2022-02-23 16:58:03 - last edited 2022-02-23 19:12:00

Thanks for looking into my issue! The configuration is Internet<=>ER7206<=>TL-SG2210P v3.20<=>EAP610(EU) v1.0, where multiple pairs (switches and AP) are connected to the router. The OC200 is connected to one of the switches. All running the latest firmware level.

Both options mentioned in my request are configured using the OC200 using the following menu steps:

Settings=>network security=> ACL.
My first try was using the tab "Switch ACL":
Top row: permit a MAC address to be routed to the server network using a MAC group (settings=>profiles=>group=>MAC group).
Second row: block the user network from being routed to the server network (I would prefer this option but it did not do the job).

My second try was using the tab "EAP ACL":
Top row: permit a segment of the user subnet to be routed to the server network using an IP group.
Second row: block the user network from being routed to the server network. This is how it is implemented currently and working.
The applicable clients are all wireless connected via an EAP to the user network.

#3
2022-02-24 08:21:46

@jandico Switch ACL won't take effect because your workstation is connected to the wireless network. Other devices will be able to communicate with it, only going through the EAP chips. The data won't be sent to the switch. If you connect the workstation to the switch Ethernet it will be solved.

#4
2022-02-24 14:55:34
Thanks Somnus, clear for this case what I need to do. Due to your answer I understand filtering is done at the (entry) source. Understanding this, what about: if in the current solution (with ACL at EAP level) I connect a workstation to a switch with an IP address in range of the "EAP ACL" permit, will this workstation be able to connect to the server network? Or should you create similar ACL rules at EAP and switch level, as each works independently (per network device type) and not network based? I hope you can make this ACL implementation/principle clear to me as it is vital to get the security correctly implemented.

#5
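To make the two points in this thread concrete (rules are matched top to bottom, first match wins; and, per Somnus in #4, a client's traffic is only filtered by the ACL of the device it enters the network through), here is an added Python model of both tries, written for this thread and not taken from Omada or the posters. The subnets, the MAC and the /28 group are constructed placeholders, and the mapping "wired client is filtered by the switch ACL only" is this model's assumption, which is exactly the question left open in #5.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample addresses; the poster's real subnets, MAC and x.x.x.240/28 group are not on the page.
USER_NET = ipaddress.ip_network("10.10.0.0/24")
SERVER_NET = ipaddress.ip_network("10.20.0.0/24")
PERMIT_GROUP = ipaddress.ip_network("10.10.0.240/28")   # the /28 IP group from the second try
WORKSTATION_MAC = "aa:bb:cc:dd:ee:01"                   # the MAC group member from the first try

@dataclass
class Rule:
    action: str                                   # "permit" or "deny"
    src_mac: Optional[str] = None                 # MAC-group match (switch ACL tab in the thread)
    src_net: Optional[ipaddress.IPv4Network] = None
    dst_net: Optional[ipaddress.IPv4Network] = None

    def matches(self, src_mac, src_ip, dst_ip):
        if self.src_mac is not None and self.src_mac != src_mac:
            return False
        if self.src_net is not None and src_ip not in self.src_net:
            return False
        if self.dst_net is not None and dst_ip not in self.dst_net:
            return False
        return True

def evaluate(rules, src_mac, src_ip, dst_ip):
    """First match wins, top to bottom; 'no match' means no rule touched the traffic."""
    src_ip, dst_ip = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in rules:
        if rule.matches(src_mac, src_ip, dst_ip):
            return rule.action
    return "no match"

# First try: both rules on the Switch ACL tab; second try: both rules on the EAP ACL tab.
FIRST_TRY = {"switch": [Rule("permit", src_mac=WORKSTATION_MAC, dst_net=SERVER_NET),
                        Rule("deny", src_net=USER_NET, dst_net=SERVER_NET)],
             "eap": []}
SECOND_TRY = {"switch": [],
              "eap": [Rule("permit", src_net=PERMIT_GROUP, dst_net=SERVER_NET),
                      Rule("deny", src_net=USER_NET, dst_net=SERVER_NET)]}

def decide(config, attachment, src_mac, src_ip, dst_ip):
    """Consult only the ACL of the client's ingress device: EAP ACL for wireless clients,
    switch ACL for wired ones. That a wired client bypasses the EAP ACL is this model's
    assumption (it is the question left open in post #5)."""
    rules = config["eap"] if attachment == "wireless" else config["switch"]
    return evaluate(rules, src_mac, src_ip, dst_ip)
```

Under the first try a wireless workstation gets "no match" from both rules, which is why neither the permit nor the deny did anything; under the second try the same client is permitted only when its address falls in the /28 group, and traffic to printers inside the user network is untouched by either rule.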