ACL with Source IP and Port to Destination IP and Port between VLANs
Hi,
I am trying to limit access to specific devices and ports from a specific VLAN.
VLAN1 (all devices) ---- allow ----- > Port 80 on device A in VLAN2
So what I know from other firewalls is that I configure the policy by selecting:
- Source IP / Subnet
- Source Protocol
- Source Port
- Destination IP / Subnet
- Destination Protocol
- Destination Port
I tried to achieve it this way:
I created two IP-Port Groups:
First IP-Port Group:
Ports 0-65535
Subnet 10.100.0.0/24
Second IP-Port Group:
Port 80
Subnet 10.200.0.1/32 (10.200.0.0/24 also tested)
and then an ACL permitting the TCP protocol from one IP-Port Group to the other -> does not work.
A TCP Network (VLAN1) to Network (VLAN2) ACL is working.
Did I misunderstand something?
Thank you
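Below is a small first-match reference model of the policy described in the post, added here as an example; it is not code from TP-Link or the Omada controller. It shows what an IP-Port-Group-to-IP-Port-Group permit rule placed in front of a deny-all is expected to do for the groups from the post (the group names, the constructed sample flows, and the implicit-permit default when no rule matches are assumptions).

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class IPPortGroup:
    """Constructed model of an IP-Port Group: one subnet plus one port range."""
    subnet: str
    port_lo: int = 0
    port_hi: int = 65535

    def matches(self, ip: str, port: int) -> bool:
        net = ipaddress.ip_network(self.subnet, strict=False)
        return ipaddress.ip_address(ip) in net and self.port_lo <= port <= self.port_hi

@dataclass(frozen=True)
class Rule:
    action: str                        # "permit" or "deny"
    proto: str                         # "tcp", "udp" or "any"
    src: Optional[IPPortGroup] = None  # None = any source
    dst: Optional[IPPortGroup] = None  # None = any destination

def evaluate(rules, proto, src_ip, src_port, dst_ip, dst_port) -> str:
    """First-match evaluation: the first rule whose fields all match decides.
    Without an explicit trailing deny, unmatched traffic is assumed permitted."""
    for r in rules:
        if r.proto != "any" and r.proto != proto:
            continue
        if r.src is not None and not r.src.matches(src_ip, src_port):
            continue
        if r.dst is not None and not r.dst.matches(dst_ip, dst_port):
            continue
        return r.action
    return "permit"

# The two groups from the post: VLAN1 on any port, and only TCP/80 on device A.
VLAN1_ANY_PORT = IPPortGroup("10.100.0.0/24")
DEVICE_A_HTTP = IPPortGroup("10.200.0.1/32", 80, 80)
PERMIT_HTTP = Rule("permit", "tcp", VLAN1_ANY_PORT, DEVICE_A_HTTP)
DENY_ALL = Rule("deny", "any")
POLICY = [PERMIT_HTTP, DENY_ALL]   # permit first, deny-all last

if __name__ == "__main__":
    # Sample flows (constructed): a browser in VLAN1 reaching device A's web UI, and others.
    for flow in [("tcp", "10.100.0.5", 51000, "10.200.0.1", 80),
                 ("tcp", "10.100.0.5", 51001, "10.200.0.1", 443),
                 ("udp", "10.100.0.5", 5353, "10.200.0.1", 80)]:
        print(flow, "->", evaluate(POLICY, *flow))
```

Swapping the two rules so the deny-all comes first blocks the web UI as well, which is why rule order is the first thing to check when a permit rule appears to have no hits.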
Hi @bsz
Thanks for posting in our business forum.
Since I don't have this switch model, I used a TL-SG2210MP to replicate this issue.
This switch is not capable of creating that many entries, so I tried a different way to emulate what you reported.
Did you put the permit rule first and the deny-all rule last?
How do you test "an ACL permitting the TCP protocol from one IP-Port Group to the other -> does not work"?
Try rebooting the switch to force the settings to be assigned to it.
Yes, it is the first rule.
It seems that it has no hit. When I put the permit LAN-to-LAN rule behind it, it starts working.
How do I know it is not working?
I am losing access to the website the device is hosting. With the LAN-to-LAN rule I have access.
If my logic behind the IP-Port Group rule is right, could it be a bug?
A LAN-to-IP-Port-Group rule is also not working.
Did you also set a gateway ACL or EAP ACL?
What is your network layout like? What are the specific ACL settings on the controller? Can you share a screenshot?
Screenshots: Overview; Switch ACL; EAP ACL; Switch and EAP ACL 1; IP-Port Group
10.20.25.0/24 is also not working.
As soon as I enable ACL 2 (Network: LAN to WA-IoT), it starts working.
Can someone see a mistake done by me or could it be related to a bug?
Many thanks for your testing.
Network to IP-Port Group and IP Group to IP-Port Group seem to work for that example.
So it seems that IP-Port Group to IP-Port Group is not working, which is not so tragic in that particular case, but in general it should work.