Implementing Auto VLAN Blocking (Current and Future VLANs) with Switch ACL

2023-04-14 05:06:59 - last edited 2023-05-14 22:39:05

Hello all,

 

Update 05/14/23 - This has been updated multiple times. Each post in this topic is an addition to the configuration of the previous post. So to see the latest update/addition, refer to my last post in this thread.

 

Original Post:

I'd like to share my old LAN Configuration that's switch-centric; I call it NeXTGen LAN. I had this config way back when I first encountered Omada ~3 years ago, when I was running ER-605/SG-2210MP/EAP-115. One of my challenges back in the day was that all VLANs can see each other by default. It's not much of an issue, except that, for the life of me, I can't figure out why my Gateway ER-605 can't do LAN ACLs in the Omada Web Console. So long story short, because I spent a lot of time fiddling with ALL the options in Omada, I finally ended up putting all my ACLs on the Switches. I realized quickly that, when doing VLANs and ACLs in Omada, while the interface became familiar to me, blocking each and every new VLAN became somewhat of a chore.

 

Use Case:

Automatic blocking of InVLAN (same VLAN) and InterVLAN (across VLANs) traffic for current and future VLANs. The ACL config consists of two main ACLs (Lock and Key) and support ACLs (Doorways). The "Key" ACL (Permit Admin VLAN) prevents lock out from the system and allows the Admin to create "Doorway" ACLs. "Doorway" ACLs are what defines a VLAN's identity. The "Lock" ACL (Deny ALL) stops everything else. This allows the Network Admin complete control of how traffic flows from one VLAN to another. You can watch my companion video here if you need more info.

 

ReadMe Stuff:

If you are new to Omada, I highly suggest you try the 1st and 2nd NewGen LAN before trying this out. There are also the 3rd and 4th revisions (final) of NewGen that are very applicable to many types of home network. If you still would like to try this, please read the WARNING below (or hear me talk about it), and you can see the ACL Configuration and Demo in Action starting in Part 3 of this video.

 

 

::WARNING::::WARNING::::WARNING::::

  • A slight mistake can result in full network lockdown, getting no access to Omada, and having to factory-reset all devices.

::WARNING::::WARNING::::WARNING::::

  • Key ACL must always be the FIRST ENABLED ACL
  • Doorway ACLs must always be in-between Key and Lock ACLs
  • Lock ACL must always be the LAST ACL. ENABLE only when Key ACL is the first ACL and Key ACL is verified to be Enabled.

::WARNING::::WARNING::::WARNING::::

 

Definition of Terms:

  • NeXTGen LAN = Next Generation LAN (Switch-centric + EAP ACL).
  • NewGen LAN = New Generation (Gateway ACL + Switch ACL + EAP ACL)
  • InVLAN = Network Traffic within the same VLAN (i.e. 192.168.0.10/24 and 192.168.0.20/24)
  • InterVLAN = Network Traffic across different VLANs (i.e. 192.168.0.100/24 and 192.168.100.100/24)
  • Current VLAN = existing
  • Future VLAN = yet-to-exist VLAN


VLAN Info:

Note that the ACLs listed below only apply to the "Live" VLANs, as I am still in the process of re-creating and re-validating the VLAN ACLs. As for the "Planned" ACLs, I have tested them in the NewGen Config and old firmware, but not with this configuration. I plan to amend/update as soon as I have tested them.

 

Live:

  • VLAN 1-Admin (192.168.1.x)- this is the Native/Default VLAN 1. Granular Access to Home VLAN with VNC
  • VLAN 10-Home (192.168.10.x) - Access to Internet and Neighbors Only

 

Planned:

  • VLAN 20-Guest (192.168.20.x)- Access to Internet only, no access to same-VLAN devices. Wireless ONLY
  • VLAN 30-Cameras (192.168.30.x)- Access to same-VLAN devices only, no Internet
  • VLAN 40-Isolated (192.168.40.x)- Access to Internet only, no access to same-VLAN devices. Wired ONLY
  • VLAN 50-Secluded (192.168.50.x)- Access to Internet only, no access to same-VLAN devices. Admin VLAN can reach Secluded clients. WiFi ONLY
  • VLAN 90-IoT (192.168.90.x)- Access to same-VLAN devices with Internet, granular access to Home VLAN with DNS

 

  • For Guest WiFi and Secluded WiFi, make sure the Guest Network check box for WiFi is checked

 

Device List:

  • ER-7206 v1 / v1.2.3
  • OC-300 v5.7.6 / v1.14.7
  • SG-2210MP v1 / v1.0.7
  • EAP-235 v1 / v3.1.0

 

::WARNING::::WARNING::::WARNING::::

  • A slight mistake can result in full network lockdown!

::WARNING::::WARNING::::WARNING::::

 

Switch ACLs:

  1. Permit Admin LAN (Key)
    Policy: Permit
    Protocols: All
    Source > Network > Admin
    Destination > IP Group > (Subnet 192.168.0.1/16, 172.16.0.1/12, 10.0.0.1/8)
     
  2. Permit InVLAN Home (Doorway)
    Policy: Permit
    Protocols: All
    Source > Network > Home
    Destination > Network > Home
     
  3. Permit Admin VNC (Doorway)
    Policy: Permit
    Protocols: All
    Source > IP Port Group > (Subnet 192.168.10.1/24, Ports: 5800, 5900)
    Destination > Network > Admin
     
  4. Deny InterVLAN (Lock)
    Policy: Deny
    Protocols: All
    Source > IP Group > (Subnet 192.168.0.1/16, 172.16.0.1/12, 10.0.0.1/8)
    Destination > IP Group > (Subnet 192.168.0.1/16, 172.16.0.1/12, 10.0.0.1/8)
     

NeXTGen LAN

 

Re:Implementing Auto VLAN Blocking (Current and Future VLANs) with Switch ACL
2023-04-21 19:31:49 - last edited 2023-05-05 12:33:21

  @Death_Metal 

Hello all,

 

This is a follow up/continuation for the NeXTGen LAN (Auto-Switch Blocking; refer to the Use-Case on the 1st post above as well as the warning). In this follow up, I moved on from the Lock (Deny All) and Key (Pass-thru) ACLs and focused more on emphasizing the "in-between ACLs" (I call them "Doorways" for lack of a better term): how to set up neighbor traffic (InVLAN communication), how to set up VLAN to VLAN traffic (InterVLAN), and how to block the Internet without a Gateway ACL. I only implemented one way here, but there are several other ways to limit/block Internet traffic, i.e. blocking access to the Gateway IP. In the next revision, I plan to emphasize more the pseudo one-way traffic (hint: I am already doing it with Admin to Home) and a couple of other niche use-cases for Doorway ACLs. The additional ACLs are ACL#4-ACL#6, which cover the Guest and Camera VLANs. I have a new video that covers this if you would like to see the demo and how I tested it.

 

Live:

  • VLAN 1-Admin (192.168.1.x)- this is the Native/Default VLAN 1. Granular Access to Home VLAN with VNC
  • VLAN 10-Home (192.168.10.x) - Access to Internet and Neighbors Only
  • VLAN 20-Guest (192.168.20.x)- Access to Internet only, no access to same-VLAN devices. Wireless ONLY
  • VLAN 30-Cameras (192.168.30.x)- Access to same-VLAN devices only, no Internet

 

Planned:

  • VLAN 40-Isolated (192.168.40.x)- Access to Internet only, no access to same-VLAN devices. Wired ONLY
  • VLAN 50-Secluded (192.168.50.x)- Access to Internet only, no access to same-VLAN devices. Admin VLAN can reach Secluded clients. WiFi ONLY
  • VLAN 90-IoT (192.168.90.x)- Access to same-VLAN devices with Internet, granular access to Home VLAN with DNS

 

  • For Guest WiFi and Secluded WiFi, make sure the Guest Network check box for WiFi is checked

 

Device List:

  • ER-7206 v1 / v1.2.3
  • OC-300 v5.7.6 / v1.14.7
  • SG-2210MP v1 / v1.0.7
  • EAP-235 v1 / v3.1.0

 

::WARNING::::WARNING::::WARNING::::

  • A slight mistake can result in full network lockdown!

::WARNING::::WARNING::::WARNING::::

 

Switch ACLs:

  1. Permit Admin LAN (Key)
    Policy: Permit
    Protocols: All
    Source > Network > Admin
    Destination > IP Group > (Subnet 192.168.0.1/16, 172.16.0.1/12, 10.0.0.1/8)
     
  2. Permit Admin VNC (Doorway)
    Policy: Permit
    Protocols: All
    Source > IP Port Group > (Subnet 192.168.10.1/24, Ports: 5800, 5900)
    Destination > Network > Admin
     
  3. Permit InVLAN Home (Doorway)
    Policy: Permit
    Protocols: All
    Source > Network > Home
    Destination > Network > Home
     
  4. Permit InVLAN Guest (Doorway)
    Policy: Permit
    Protocols: All
    Source > Network > Guest
    Destination > Network > Guest
     
  5. Deny Camera to Net (Doorway)
    Policy: Deny
    Protocols: All
    Source > Network > Camera
    Destination > IP-Port Group > (Port: 53)
     
  6. Permit InVLAN Camera (Doorway)
    Policy: Permit
    Protocols: All
    Source > Network > Camera
    Destination > Network > Camera
     
  7. Deny InterVLAN (Lock)
    Policy: Deny
    Protocols: All
    Source > IP Group > (Subnet 192.168.0.1/16, 172.16.0.1/12, 10.0.0.1/8)
    Destination > IP Group > (Subnet 192.168.0.1/16, 172.16.0.1/12, 10.0.0.1/8)

 

Re:Implementing Auto VLAN Blocking (Current and Future VLANs) with Switch ACL
2023-04-29 04:02:23 - last edited 2023-05-05 12:32:59

Hello all,

 

This is the 3rd follow up/continuation for the NeXTGen LAN (Auto-Switch Blocking; refer to the Use-Case on the 1st post above as well as the warning). In this follow up, I have shown how to do a pseudo-one-way configuration from one VLAN to another (not Stateful, but specific Port-Blocking) in Admin, Home and IoT. The additional ACLs are ACL#7-ACL#10, which cover IoT communication as well as VNC/SSH from Home to IoT (One-way) and IoT to Home (DNS). Note that I also updated ACL#2. For ACL#10, a DNS server with IP address 192.168.10.75/32 is present in the Home VLAN. I have a new video that covers this if you would like to see the demo and how I tested it.

 

Live:

  • VLAN 1-Admin (192.168.1.x)- this is the Native/Default VLAN 1. Granular Access to Home VLAN with VNC
  • VLAN 10-Home (192.168.10.x) - Access to Internet and Neighbors Only
  • VLAN 20-Guest (192.168.20.x)- Access to Internet only, no access to same-VLAN devices. Wireless ONLY
  • VLAN 30-Cameras (192.168.30.x)- Access to same-VLAN devices only, no Internet
  • VLAN 90-IoT (192.168.90.x)- Access to same-VLAN devices with Internet, granular access to Home VLAN with DNS

 

Planned:

  • VLAN 40-Isolated (192.168.40.x)- Access to Internet only, no access to same-VLAN devices. Wired ONLY
  • VLAN 50-Secluded (192.168.50.x)- Access to Internet only, no access to same-VLAN devices. Admin VLAN can reach Secluded clients. WiFi ONLY

 

  • For Guest WiFi and Secluded WiFi, make sure the Guest Network check box for WiFi is checked

 

Device List:

  • ER-7206 v1 / v1.2.3
  • OC-300 v5.7.6 / v1.14.7
  • SG-2210MP v1 / v1.0.7
  • EAP-235 v1 / v3.1.0

 

::WARNING::::WARNING::::WARNING::::

  • A slight mistake can result in full network lockdown!

::WARNING::::WARNING::::WARNING::::

 

Switch ACLs:

  1. Permit Admin LAN (Key)
    Policy: Permit
    Protocols: All
    Source > Network > Admin
    Destination > IP Group > (Subnet 192.168.0.1/16, 172.16.0.1/12, 10.0.0.1/8)
     
  2. Permit Admin VNC (Doorway)
    Policy: Permit
    Protocols: All
    Source > IP Port Group > (Subnet 192.168.10.1/24, Ports: 5800, 5900)
    Source > IP Port Group > (Subnet 192.168.90.1/24, Ports: 5800, 5900)
    Destination > Network > Admin
     
  3. Permit InVLAN Home (Doorway)
    Policy: Permit
    Protocols: All
    Source > Network > Home
    Destination > Network > Home
     
  4. Permit InVLAN Guest (Doorway)
    Policy: Permit
    Protocols: All
    Source > Network > Guest
    Destination > Network > Guest
     
  5. Deny Camera to Net (Doorway)
    Policy: Deny
    Protocols: All
    Source > Network > Camera
    Destination > IP-Port Group > (Port: 53)
     
  6. Permit InVLAN Camera (Doorway)
    Policy: Permit
    Protocols: All
    Source > Network > Camera
    Destination > Network > Camera
     
  7. Permit InVLAN IoT (Doorway)
    Policy: Permit
    Protocols: All
    Source > Network > IoT
    Destination > Network > IoT
     
  8. Permit Home to IoT (Doorway)
    Policy: Permit
    Protocols: All
    Source > Network > Home
    Destination > Network > IoT
     
  9. Permit IoT Ports to Home (Doorway)
    Policy: Permit
    Protocols: All
    Source > IP Port Group > (Subnet 192.168.90.1/24, Ports: 5800, 5900)
    Source > IP Port Group > (Subnet 192.168.90.1/24, Port: 22)
    Destination > Network > Home
     
  10. Permit IoT DNS to Home (Doorway)
    Policy: Permit
    Protocols: All
    Source > Network > IoT
    Destination > IP Port Group > (Subnet 192.168.10.75/32, Port: 53)
     
  11. Deny InterVLAN (Lock)
    Policy: Deny
    Protocols: All
    Source > IP Group > (Subnet 192.168.0.1/16, 172.16.0.1/12, 10.0.0.1/8)
    Destination > IP Group > (Subnet 192.168.0.1/16, 172.16.0.1/12, 10.0.0.1/8)
Re:Implementing Auto VLAN Blocking (Current and Future VLANs) with Switch ACL
2023-05-05 12:30:07 - last edited 2023-05-05 16:32:06

  @Death_Metal 

Hello all,

 

This is the 4th installment for the NeXTGen LAN (Auto-Switch Blocking; refer to the Use-Case on the 1st post above as well as the warning). In this follow up, I have shown how to implement a VLAN where devices can access the Internet but cannot "see/access" peer devices (Isolated VLAN). It is like a "Guest" network, except it is Wired. I have also shown a way to allow a VLAN to gain access to Wireless Guest devices (Secluded VLAN). The additional ACLs are ACL#11-ACL#13, which cover Isolated communication to the Internet and allowing WiFi Devices to connect to the Access Point. Note that I also updated ACL#2 and have added an EAP ACL#1. I have a new video that covers this if you would like to see the demo and how I tested it.

 

With this final configuration, I have made this function as closely as possible to the NewGen LAN Configuration. The total number of ACLs for NewGen is 11, and for this one it is 15 (18 if I separate ACLs that I grouped together, like ACL#2 and ACL#9).

 

Live:

  • VLAN 1-Admin (192.168.1.x)- this is the Native/Default VLAN 1. Granular Access to Home VLAN with VNC
  • VLAN 10-Home (192.168.10.x) - Access to Internet and Neighbors Only
  • VLAN 20-Guest (192.168.20.x)- Access to Internet only, no access to same-VLAN devices. Wireless ONLY
  • VLAN 30-Cameras (192.168.30.x)- Access to same-VLAN devices only, no Internet
  • VLAN 40-Isolated (192.168.40.x)- Access to Internet only, no access to same-VLAN devices. Wired ONLY
  • VLAN 50-Secluded (192.168.50.x)- Access to Internet only, no access to same-VLAN devices. Admin VLAN can reach Secluded clients. WiFi ONLY
  • VLAN 90-IoT (192.168.90.x)- Access to same-VLAN devices with Internet, granular access to Home VLAN with DNS

 

For Guest WiFi and Secluded WiFi, make sure the Guest Network check box for WiFi is checked

 

Device List:

  • ER-7206 v1 / v1.2.3
  • OC-300 v5.7.6 / v1.14.7
  • SG-2210MP v1 / v1.0.7
  • EAP-235 v1 / v3.1.0

 

::WARNING::::WARNING::::WARNING::::

  • A slight mistake can result in full network lockdown!

::WARNING::::WARNING::::WARNING::::

 

Switch ACLs:

  1. Permit Admin LAN (Key)
    Policy: Permit
    Protocols: All
    Source > Network > Admin
    Destination > IP Group > (Subnet 192.168.0.1/16, 172.16.0.1/12, 10.0.0.1/8)
     
  2. Permit Admin VNC (Doorway)
    Policy: Permit
    Protocols: All
    Source > IP Port Group > (Subnet 192.168.10.1/24, Ports: 5800, 5900)
    Source > IP Port Group > (Subnet 192.168.50.1/24, Ports: 5800, 5900)
    Source > IP Port Group > (Subnet 192.168.90.1/24, Ports: 5800, 5900)
    Destination > Network > Admin
     
  3. Permit InVLAN Home (Doorway)
    Policy: Permit
    Protocols: All
    Source > Network > Home
    Destination > Network > Home
     
  4. Permit InVLAN Guest (Doorway)
    Policy: Permit
    Protocols: All
    Source > Network > Guest
    Destination > Network > Guest
     
  5. Deny Camera to Net (Doorway)
    Policy: Deny
    Protocols: All
    Source > Network > Camera
    Destination > IP-Port Group > (Port: 53)
     
  6. Permit InVLAN Camera (Doorway)
    Policy: Permit
    Protocols: All
    Source > Network > Camera
    Destination > Network > Camera
     
  7. Permit InVLAN IoT (Doorway)
    Policy: Permit
    Protocols: All
    Source > Network > IoT
    Destination > Network > IoT
     
  8. Permit Home to IoT (Doorway)
    Policy: Permit
    Protocols: All
    Source > Network > Home
    Destination > Network > IoT
     
  9. Permit IoT Ports to Home (Doorway)
    Policy: Permit
    Protocols: All
    Source > IP Port Group > (Subnet 192.168.90.1/24, Ports: 5800, 5900)
    Source > IP Port Group > (Subnet 192.168.90.1/24, Port: 22)
    Destination > Network > Home
     
  10. Permit IoT DNS to Home (Doorway)
    Policy: Permit
    Protocols: All
    Source > Network > IoT
    Destination > IP Port Group > (Subnet 192.168.10.75/32, Port: 53)
     
  11. Permit Isolated to iNet (Doorway)
    Policy: Permit
    Protocols: All
    Source > Network > Isolated
    Destination > IP Group > (Subnet 192.168.40.1/32)
     
  12. Permit Isolated to iNet Rev(Doorway)
    Policy: Permit
    Protocols: All
    Source > IP Group > (Subnet 192.168.40.1/32)
    Destination > Network > Isolated
     
  13. Permit InVLAN Secluded (Doorway)
    Policy: Permit
    Protocols: All
    Source > Network > Secluded
    Destination > Network > Secluded
     
  14. Deny InterVLAN (Lock)
    Policy: Deny
    Protocols: All
    Source > IP Group > (Subnet 192.168.0.1/16, 172.16.0.1/12, 10.0.0.1/8)
    Destination > IP Group > (Subnet 192.168.0.1/16, 172.16.0.1/12, 10.0.0.1/8)

 

EAP ACL:

  1. Permit Secluded VNC to Admin (Doorway)
    Policy: Permit
    Protocols: All
    Source > IP Port Group > (Subnet 192.168.90.1/24, Ports: 5800, 5900)
    Destination > Network > Admin
Re:Implementing Auto VLAN Blocking (Current and Future VLANs) with Switch ACL
2023-05-14 19:07:38 - last edited 2023-05-14 19:12:22

  @Death_Metal 

Hello all,

 

This is the 5th installment for the NeXTGen LAN (Auto-Switch Blocking; refer to the Use-Case on the 1st post above as well as the warning). In this follow up, I have shown how to implement InterVLAN communication, where devices can access devices across VLANs. It is like restoring the default TP-Link InterVLAN communication.

 

In this revision, I have added 3 new VLANs to properly demonstrate the InterVLAN communication: VLAN 60, 70, and 80. I have also attached a new VLAN diagram to properly show these 3 VLAN additions.

 

Only one additional ACL is needed, ACL#14, which covers InterVLAN communication. I have a new video that covers this if you would like to see the demo and how I tested it.

 

Live:

  • VLAN 1-Admin (192.168.1.x)- this is the Native/Default VLAN 1. Granular Access to Home VLAN with VNC
  • VLAN 10-Home (192.168.10.x) - Access to Internet and Neighbors Only
  • VLAN 20-Guest (192.168.20.x)- Access to Internet only, no access to same-VLAN devices. Wireless ONLY
  • VLAN 30-Cameras (192.168.30.x)- Access to same-VLAN devices only, no Internet
  • VLAN 40-Isolated (192.168.40.x)- Access to Internet only, no access to same-VLAN devices. Wired ONLY
  • VLAN 50-Secluded (192.168.50.x)- Access to Internet only, no access to same-VLAN devices. Admin VLAN can reach Secluded clients. WiFi ONLY
  • VLAN 90-IoT (192.168.90.x)- Access to same-VLAN devices with Internet, granular access to Home VLAN with DNS

 

InterVLAN Group:

  • VLAN 60-Night (192.168.60.x) - Full Access to Internet, Peers, Neighbors, and VLAN 70 and VLAN 80
  • VLAN 70-Day (192.168.70.x) - Full Access to Internet, Peers, Neighbors, and VLAN 60 and VLAN 80
  • VLAN 80-Cycle (192.168.80.x) - Full Access to Internet, Peers, Neighbors, and VLAN 60 and VLAN 70

 

For Guest WiFi and Secluded WiFi, make sure the Guest Network check box for WiFi is checked

 

Device List:

  • ER-7206 v1 / v1.2.3
  • OC-300 v5.7.6 / v1.14.7
  • SG-2210MP v1 / v1.0.7
  • EAP-235 v1 / v3.1.0

 

::WARNING::::WARNING::::WARNING::::

  • A slight mistake can result in full network lockdown!

::WARNING::::WARNING::::WARNING::::

 

Switch ACLs:

  1. Permit Admin LAN (Key)
    Policy: Permit
    Protocols: All
    Source > Network > Admin
    Destination > IP Group > (Subnet 192.168.0.1/16, 172.16.0.1/12, 10.0.0.1/8)
     
  2. Permit Admin VNC (Doorway)
    Policy: Permit
    Protocols: All
    Source > IP Port Group > (Subnet 192.168.10.1/24, Ports: 5800, 5900)
    Source > IP Port Group > (Subnet 192.168.50.1/24, Ports: 5800, 5900)
    Source > IP Port Group > (Subnet 192.168.90.1/24, Ports: 5800, 5900)
    Destination > Network > Admin
     
  3. Permit InVLAN Home (Doorway)
    Policy: Permit
    Protocols: All
    Source > Network > Home
    Destination > Network > Home
     
  4. Permit InVLAN Guest (Doorway)
    Policy: Permit
    Protocols: All
    Source > Network > Guest
    Destination > Network > Guest
     
  5. Deny Camera to Net (Doorway)
    Policy: Deny
    Protocols: All
    Source > Network > Camera
    Destination > IP-Port Group > (Port: 53)
     
  6. Permit InVLAN Camera (Doorway)
    Policy: Permit
    Protocols: All
    Source > Network > Camera
    Destination > Network > Camera
     
  7. Permit InVLAN IoT (Doorway)
    Policy: Permit
    Protocols: All
    Source > Network > IoT
    Destination > Network > IoT
     
  8. Permit Home to IoT (Doorway)
    Policy: Permit
    Protocols: All
    Source > Network > Home
    Destination > Network > IoT
     
  9. Permit IoT Ports to Home (Doorway)
    Policy: Permit
    Protocols: All
    Source > IP Port Group > (Subnet 192.168.90.1/24, Ports: 5800, 5900)
    Source > IP Port Group > (Subnet 192.168.90.1/24, Port: 22)
    Destination > Network > Home
     
  10. Permit IoT DNS to Home (Doorway)
    Policy: Permit
    Protocols: All
    Source > Network > IoT
    Destination > IP Port Group > (Subnet 192.168.10.75/32, Port: 53)
     
  11. Permit Isolated to iNet (Doorway)
    Policy: Permit
    Protocols: All
    Source > Network > Isolated
    Destination > IP Group > (Subnet 192.168.40.1/32)
     
  12. Permit Isolated to iNet Rev(Doorway)
    Policy: Permit
    Protocols: All
    Source > IP Group > (Subnet 192.168.40.1/32)
    Destination > Network > Isolated
     
  13. Permit InVLAN Secluded (Doorway)
    Policy: Permit
    Protocols: All
    Source > Network > Secluded
    Destination > Network > Secluded
     
  14. Permit InterVLAN Night Day Cycle (Doorway)
    Policy: Permit
    Protocols: All
    Source > Network > Night
    Source > Network > Day
    Source > Network > Cycle
    Destination > Network > Night
    Destination > Network > Day
    Destination > Network > Cycle
     
  15. Deny InterVLAN (Lock)
    Policy: Deny
    Protocols: All
    Source > IP Group > (Subnet 192.168.0.1/16, 172.16.0.1/12, 10.0.0.1/8)
    Destination > IP Group > (Subnet 192.168.0.1/16, 172.16.0.1/12, 10.0.0.1/8)

 

EAP ACL:

  1. Permit Secluded VNC to Admin (Doorway)
    Policy: Permit
    Protocols: All
    Source > IP Port Group > (Subnet 192.168.90.1/24, Ports: 5800, 5900)
    Destination > Network > Admin
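As an added example (not code from the thread or from TP-Link), the following Python simulator walks a few constructed flows through a subset of the final switch ACL list above, using the stateless first-match semantics with implicit permit that the Lock/Key/Doorway scheme relies on. It shows why the warning's ordering matters (put the Lock rule first and Admin locks itself out), how the source-port IP-Port group in ACL#2 opens only the VNC return path described in the 3rd post, and that a VLAN pair with no Doorway (VLAN 60 to 70 before ACL#14 existed) is denied by the Lock without any new rule; the host addresses, source ports and flows are made up.

```python
"""First-match simulator for the thread's Key / Doorway / Lock switch-ACL order.
Added example, not from the original posts: Omada switch ACLs are modelled as
stateless first-match rules with an implicit permit when nothing matches (the
reason the Lock rule exists). Subnets/ports are the thread's; hosts are made up."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = ()  # empty tuple = match any IP (nets) or any port (ports)

@dataclass(frozen=True)
class Match:
    nets: tuple = ANY   # CIDR strings, as typed into an Omada IP / IP-Port group
    ports: tuple = ANY  # on a SOURCE group this is the source port: the one-way trick

    def hit(self, ip: str, port: int) -> bool:
        ip_ok = not self.nets or any(
            ip_address(ip) in ip_network(n, strict=False) for n in self.nets)
        return ip_ok and (not self.ports or port in self.ports)

@dataclass(frozen=True)
class Rule:
    name: str
    permit: bool
    src: Match
    dst: Match

RFC1918 = ("192.168.0.1/16", "172.16.0.1/12", "10.0.0.1/8")  # the thread's IP group
ADMIN, HOME, CAMERA, IOT = ("192.168.1.0/24", "192.168.10.0/24",
                            "192.168.30.0/24", "192.168.90.0/24")

# A subset of the final rule set, in the order the warning insists on.
ACLS = [
    Rule("Permit Admin LAN (Key)", True, Match((ADMIN,)), Match(RFC1918)),
    # VNC replies leave the Home/IoT server FROM port 5800/5900; only that path is opened.
    Rule("Permit Admin VNC (Doorway)", True, Match((HOME, IOT), (5800, 5900)), Match((ADMIN,))),
    Rule("Permit InVLAN Home (Doorway)", True, Match((HOME,)), Match((HOME,))),
    Rule("Deny Camera to Net (Doorway)", False, Match((CAMERA,)), Match(ANY, (53,))),
    Rule("Permit InVLAN Camera (Doorway)", True, Match((CAMERA,)), Match((CAMERA,))),
    Rule("Permit IoT DNS to Home (Doorway)", True, Match((IOT,)), Match(("192.168.10.75/32",), (53,))),
    Rule("Deny InterVLAN (Lock)", False, Match(RFC1918), Match(RFC1918)),
]

def evaluate(acls, src_ip, src_port, dst_ip, dst_port):
    """Return (permitted, rule_name) from the first matching rule, else implicit permit."""
    for r in acls:
        if r.src.hit(src_ip, src_port) and r.dst.hit(dst_ip, dst_port):
            return r.permit, r.name
    return True, "implicit permit"

def key_first_lock_last(acls) -> bool:
    """The thread's lockout guard: Key must be the first enabled ACL and Lock the last."""
    first, last = acls[0], acls[-1]
    return (first.permit and first.src.nets == (ADMIN,) and not last.permit
            and last.src.nets == RFC1918 and last.dst.nets == RFC1918)

FLOWS = [  # constructed (src_ip, src_port, dst_ip, dst_port)
    ("192.168.1.5", 40000, "192.168.10.20", 5900),  # Admin opens VNC to Home: Key
    ("192.168.10.20", 5900, "192.168.1.5", 40000),  # VNC reply to Admin: Doorway
    ("192.168.10.20", 40000, "192.168.1.5", 22),    # Home starts SSH to Admin: Lock
    ("192.168.30.8", 5353, "203.0.113.53", 53),     # camera DNS lookup: Deny Camera to Net
    ("192.168.30.8", 40000, "203.0.113.10", 443),   # camera to a raw public IP: implicit permit
    ("192.168.60.5", 40000, "192.168.70.5", 80),    # VLANs 60/70 before ACL#14: Lock, no new rule
]

if __name__ == "__main__":
    print("order ok:", key_first_lock_last(ACLS))  # swap Lock to the front and Admin is locked out
    for flow in FLOWS:
        print(flow, "->", evaluate(ACLS, *flow))
```

Because the switch ACL is stateless, the camera flow to a raw public IP is still implicitly permitted here; the posted config blocks cameras from the Internet only through DNS, which is why the 2nd post mentions blocking the Gateway IP as the alternative.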

 
