Business Community > Switches > ACL with Source IP and Port to Destination IP and Port between VLANs
< Switches

ACL with Source IP and Port to Destination IP and Port between VLANs

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

ACL with Source IP and Port to Destination IP and Port between VLANs

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
ACL with Source IP and Port to Destination IP and Port between VLANs
ACL with Source IP and Port to Destination IP and Port between VLANs
2023-09-19 13:18:27 - last edited 2023-10-31 09:20:27
Tags: #Switch ACL
Model: TL-SG3428MP  
Hardware Version: V4
Firmware Version: 4.0.8

Hi,

 

I am trying to limit the access to specific devices and ports from a specific vlan.

 

VLAN1 (all devices) ---- allow ----- > Port 80 on device A in VLAN2

 

So what I know from other Firewalls that I config the Policy by selecting:

  • Source IP / Subnet
  • Source Protocoll
  • Source Port
  • Destination IP / Subnet
  • Destination Protocoll
  • Destination Port

 

I tried to achive it in that way:

I created two IP-Port Groups

 

First IP-Port Group:

Ports 0-65535

Subnet 10.100.0.0/24

 

Second IP-Port Group:

Port 80

Subnet 10.200.0.1/32 (10.200.0.0/24 also tested)

 

and then an ACL by permitting TCP Protocoll from one IP-Port-Group to the other -> does not work.

A tcp network (vlan1) to network (vlan2) acl is working.

 

Do I misunterstood something?

 

Thank you

 

 

 

 

 

  0      
 
  0      
 
#1
Options
1 Accepted Solution
Re:ACL with Source IP and Port to Destination IP and Port between VLANs-Solution
2023-09-28 07:53:23 - last edited 2023-10-31 09:20:27

Hi @bsz 

Thanks for posting in our business forum.

Since I don't have this switch model, I used a TL-SG2210MP to replicate this issue.

This switch is not capable of creating that many entries, so I tried a different way to emulate what you reported.

 

 

 

Best Regards! If you are new to the forum, please read: Howto - A Guide to Use Forum Effectively. Read Before You Post. Look for a model? Search your model NOW Beta firmware got some NEW features! Subscribe for the latest update!Download Beta Here☚ ☛ ★ Configuration Guide ★ ☚ ☛ ★ Knowledge Base ★ ☚ ☛ ★ Troubleshooting Manual ★ ☚ (Disclaimer: Short links are used above solely for guidance to TP-Link subdomains and are safe and tracker-free. Exercise caution with short links from non-official members on forums. We are not liable for external content or damage from non-official members' link use.)
Recommended Solution
  0  
  0  
#9
Options
9 Reply
Re:ACL with Source IP and Port to Destination IP and Port between VLANs
2023-09-20 08:35:47

  @bsz 

 

Did you put the permit rule in the first rule and put the deny-all rule in the last?

How do you test "an ACL by permitting TCP Protocoll from one IP-Port-Group to the other -> does not work"?

Try rebooting the switch to force assign the settings to it.

Just striving to develop myself while helping others.
  0  
  0  
#2
Options
Re:ACL with Source IP and Port to Destination IP and Port between VLANs
2023-09-20 10:25:28

  @Virgo 

Yes, it is the first rule.

It seems that it has no hit. When I put the permit LAN-to-LAN rule behind it, it starts working.

 

How do I know it is not working?

I am loosing access to the website the device is hosting. With the LAN-to-LAN rule I have access.

 

If my logic behind the IP-Port-Group Rule is right, could it be a bug?

An LAN-to-IP-Port-Group rule is also not working.

  0  
  0  
#3
Options
Re:ACL with Source IP and Port to Destination IP and Port between VLANs
2023-09-21 03:53:09

  @bsz 

 

Did you also set a gateway acl or EAP acl?

What is your network layout like? What are the specific ACL settings on the controller? Can you share a screenshot?

Just striving to develop myself while helping others.
  0  
  0  
#4
Options
Re:ACL with Source IP and Port to Destination IP and Port between VLANs
2023-09-21 09:27:15

@Virgo 

 

Overview 

Overview

 

Switch ACL

Switch ACL

 

EAP ACL

EAP ACL

 

Switch and EAP ACL 1

Switch ACL1EAP ACL 1

 

IP-Port Group

IP-Port-Group Webserver

10.20.25.0/24 is also not working

 

IP-Port-Group-LAN

 

As soon as I enable ACL 2 (Network: LAN to WA-IoT) it starts working.

 

 

  0  
  0  
#5
Options
Re:ACL with Source IP and Port to Destination IP and Port between VLANs
2023-09-27 04:49:43

Can someone see a mistake done by me or could it be related to a bug?

  0  
  0  
#6
Options
Re:ACL with Source IP and Port to Destination IP and Port between VLANs
2023-09-28 02:27:31

  @bsz 

 

Have you tested only set the switch ACL? Do not set the EAP ACL.

Just striving to develop myself while helping others.
  0  
  0  
#7
Options
Re:ACL with Source IP and Port to Destination IP and Port between VLANs
2023-09-28 05:33:53
yes, same result
  0  
  0  
#8
Options
Re:ACL with Source IP and Port to Destination IP and Port between VLANs-Solution
2023-09-28 07:53:23 - last edited 2023-10-31 09:20:27

Hi @bsz 

Thanks for posting in our business forum.

Since I don't have this switch model, I used a TL-SG2210MP to replicate this issue.

This switch is not capable of creating that many entries, so I tried a different way to emulate what you reported.

 

 

 

Best Regards! If you are new to the forum, please read: Howto - A Guide to Use Forum Effectively. Read Before You Post. Look for a model? Search your model NOW Beta firmware got some NEW features! Subscribe for the latest update!Download Beta Here☚ ☛ ★ Configuration Guide ★ ☚ ☛ ★ Knowledge Base ★ ☚ ☛ ★ Troubleshooting Manual ★ ☚ (Disclaimer: Short links are used above solely for guidance to TP-Link subdomains and are safe and tracker-free. Exercise caution with short links from non-official members on forums. We are not liable for external content or damage from non-official members' link use.)
Recommended Solution
  0  
  0  
#9
Options
Re:ACL with Source IP and Port to Destination IP and Port between VLANs
2023-09-28 12:40:57

  @Clive_A 

Many thanks for your testing.

 

Network to IP-Port Group

and

IP Group to IP-Port Group 

 

seems to work for that example.

 

So it seems that IP-Port Group to IP-Port Group is not working which is not so tragic in that particular case but in general it should work.

 

 

 

  0  
  0  
#10
Options

Information

Helpful: 0

Views: 387

Replies: 9

Tags

Switch ACL
Related Articles
ACL between VLAN and Routed Port
1322 0
Firewall ACL Rules. How to choose a IP-Port Group along with IP group source and destination.
573 0
ACL on switch port to deny traffic to local subnet - except to router, and allow internet
2081 0
ACL between VLAN and Routed Port on TL-SG3428XMP 2.0
525 0
ER605 Reply from <IP>: Destination host unreachable
675 0
Reserve ip address and ip pool
58 0
About Us
Press
Copyright © TP-LINK CORPORATION PTE. LTD. All rights reserved.