Blocking Router Access for all VLANs
Hello,
Since it is not possible to change the management VLAN for the gateway (ER7206), I want to block access to the gateway via ACL.
I created an IP-Port Group where I added all gateway IPs (I have 7 VLANs, so I have to add 6 IPs, since one is the management VLAN) and the ports 80, 443 and 22.
Now I am trying to create an ACL where I select all VLANs (networks) on the left side and deny them from communicating with my IP-Port Group on the right side.
But I get an "ACL limit" error.
How could I achieve the blocking without reaching a configuration limitation?
It would be great if the router management VLAN could be selected and changed to a specific one.
BR
Sebastian
@SebastianH I'm not sure what other equipment you have. I am also using a 7206 (but I also have a TL-SG2428P) and I used a switch ACL to block other VLANs from accessing the management VLAN.
I have it disabled right now though, since I am still setting everything up (and migrating to a new controller). I am not sure whether enabling it will break my VPN access.
Either way though, you should be able to use the switch ACL if your topology supports it.
Hi @muzicman0
Thank you for your advice. I also have ACLs configured to block inter-VLAN traffic. This is working fine.
But it's still possible to access the router login page, due to the fact that it's not possible to limit management to one specific VLAN on the router.
It's still possible to access the page from every VLAN by using the internal gateway IP of the interface VLAN.
@SebastianH I see. I can hit the login page, but if I log in, access is denied (since I am using a Controller). This is adequate for my needs, but I understand why it may not be in other cases.
Hi @Virgo
I was just trying to implement your suggested solution.
But I don't have the option to choose a service type when I create a gateway ACL.