Need help with ACLs
I have an all Omada config.
3 x sg2008p
1 x er605
1 x eap610
I have 6 vlans
1 = admin
10 = office
20 = media
30 = servers
40 = IOT
50 = Wifi
I want to set up VLAN 40 as follows
VLAN 40 should not be able to reach VLANS 10,20,50
VLANS 10, 20, 50 should not be able to reach vlan 40
Unrestricted internet access
Should be able to reach VLAN 30 on specific ports (445, 137-139, Plex ports)
I assume ACLs are best for this?
Gateway or switch ACL?
Use IP Groups? IP-Port Groups? Network Groups?
Use Deny policy to block?
Are there any good cookbook articles about this?
Dear @jwaltrip ,
My suggestion is switch ACL.
You will need three rules:
1. Protocols: All; Deny; Source network: VLAN 40 network; Destination network: VLANs 10, 20, 50. Enable Bi-Directional.
This rule will also block VLAN 10, 20, 50 from VLAN 40.
2. Permit; Source Network choose all; Destination choose IP Group_Any.
This rule will allow all other network actions, including internet access.
"Should be able to reach VLAN 30 on specific ports (445, 137-139, Plex ports)" There is no limitation between VLAN40 and VLAN30 and they can communicate via any ports.
If you want to Block other ports but only allow these ports, we CAN'T do it via Omada Controller. Because we cannot modify the Protocols on the ACL option, we can only choose the existing service type.
Regards
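The two rules above depend on their order and on the Bi-Directional flag, which is easy to get wrong in the controller UI. The following is an added example (not code from the thread or from TP-Link) that models a first-match ACL with the reply's two rules and evaluates a few constructed flows, so you can see which rule each flow hits before touching the switch. The subnet addressing (one 192.168.<VLAN>.0/24 per VLAN) and the "permit when nothing matches" default are assumptions of the example, not facts from the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed addressing: the thread never states subnets, so one /24 per VLAN ID is assumed.
VLAN_SUBNETS = {
    1: ipaddress.ip_network("192.168.1.0/24"),    # admin
    10: ipaddress.ip_network("192.168.10.0/24"),  # office
    20: ipaddress.ip_network("192.168.20.0/24"),  # media
    30: ipaddress.ip_network("192.168.30.0/24"),  # servers
    40: ipaddress.ip_network("192.168.40.0/24"),  # IoT
    50: ipaddress.ip_network("192.168.50.0/24"),  # Wi-Fi
}

ANY = frozenset()  # empty selector = "any network", including non-local (internet) addresses


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    src: frozenset         # set of VLAN IDs, or ANY
    dst: frozenset         # set of VLAN IDs, or ANY
    bidirectional: bool = False
    note: str = ""


def vlan_of(ip: str) -> Optional[int]:
    """Return the VLAN ID whose subnet contains ip, or None for a non-local (internet) address."""
    addr = ipaddress.ip_address(ip)
    for vid, net in VLAN_SUBNETS.items():
        if addr in net:
            return vid
    return None


def _selects(selector: frozenset, vid: Optional[int]) -> bool:
    # ANY matches everything, including None (an address outside every VLAN).
    return len(selector) == 0 or vid in selector


def rule_matches(rule: Rule, src_vlan: Optional[int], dst_vlan: Optional[int]) -> bool:
    forward = _selects(rule.src, src_vlan) and _selects(rule.dst, dst_vlan)
    if rule.bidirectional:
        # Bi-Directional also matches the flow with source and destination swapped.
        reverse = _selects(rule.src, dst_vlan) and _selects(rule.dst, src_vlan)
        return forward or reverse
    return forward


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, dst_port: int = 0,
             default: str = "permit") -> Tuple[str, int]:
    """First-match evaluation. Returns (action, 1-based rule number), rule 0 = default.

    dst_port is accepted only to make the point from the reply visible: the rules are
    Protocols: All, so the port never influences the result.
    """
    s, d = vlan_of(src_ip), vlan_of(dst_ip)
    for number, rule in enumerate(rules, 1):
        if rule_matches(rule, s, d):
            return rule.action, number
    return default, 0


def shadowed_rules(rules: List[Rule]) -> List[int]:
    """1-based numbers of rules that can never match because an earlier rule is any->any."""
    for number, rule in enumerate(rules, 1):
        if len(rule.src) == 0 and len(rule.dst) == 0:
            return list(range(number + 1, len(rules) + 1))
    return []


# The two rules exactly as the reply describes them, in the order given.
REPLY_RULES = [
    Rule("deny", frozenset({40}), frozenset({10, 20, 50}), bidirectional=True,
         note="rule 1: isolate IoT from office, media and Wi-Fi, both directions"),
    Rule("permit", ANY, ANY, note="rule 2: everything else, including internet"),
]

if __name__ == "__main__":
    flows = [("192.168.40.5", "192.168.10.5", 80), ("192.168.10.5", "192.168.40.5", 80),
             ("192.168.40.5", "192.168.30.5", 445), ("192.168.40.5", "192.168.30.5", 22),
             ("192.168.40.5", "8.8.8.8", 443)]
    for src, dst, port in flows:
        print(src, "->", dst, "port", port, "=>", evaluate(REPLY_RULES, src, dst, port))
    # Swapping the two rules puts the any->any permit first and silently shadows the deny.
    print("shadowed when reversed:", shadowed_rules(list(reversed(REPLY_RULES))))
```

Two things the run makes concrete: a single bi-directional deny covers both VLAN 40 -> 10/20/50 and the return direction, and because rule 1 is Protocols: All, traffic from VLAN 40 to VLAN 30 is permitted on port 22 just as on port 445, which is the limitation the reply points out. The `shadowed_rules` check shows why the rule order matters: with the permit-any rule first, the deny is never reached.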
Created 3 rules
With all enabled, a short time later the router disconnected.... what did I do wrong?
Should I be using Switch ACLs?
OK... I see my mistake...
I will try switch ACLs.
Just read elsewhere that gateway ACLs only affect WAN (?).
I am not a network expert, but not a newbie either... this is still confusing :)
Thanks for the help. I will try this on the weekend (less likely to affect my wife's internet and TV).
So, should I choose VLAN or port for ACL binding?
If I choose VLAN, I need to specify a VLAN ID.... Should I choose IOT as the VLAN there?
If I choose port, it wants me to select switch ports...
- Choose uplinks? or should I choose only the ports I am going to set to IOT?