Blocking Router Access for all VLANs

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
2023-11-06 15:03:49 - last edited 2023-11-07 07:44:46
Model: OC200  
Hardware Version: V1
Firmware Version:

Hello,

Due to the fact that it is not possible to change the management VLAN for the gateway (ER7206), I want to block the access to the Gateway via ACL.

I created an IP-Port-Group where I added all Gateway IPs (I have 7 VLANs, so I have to add 6 IPs (one is management)) and the Ports 80, 443 and 22.

Now I try to create an ACL where I select all VLANs (networks) on the left side and deny them to communicate to my IP-Port-Group on the right side.

But I got an "ACL limit" error.

How could I achieve the blocking without reaching a config limitation?

It would be great if the router management VLAN could be selected and changed to a specific one.

BR
Sebastian

#1
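As an added illustration of the rule-count problem in the post (this is an example written for this thread, not Omada's or TP-Link's code; the VLAN ids, subnets, gateway IPs, the "any" source, and the way the entry limit is counted are all assumptions), the following Python model expands a group-based ACL into the per-entry tuples a device has to store, and evaluates a few packets against it under first-match ordering:

```python
"""Model of a gateway-management ACL like the one described in the post.

Added example, not TP-Link/Omada code. Topology, group contents and the
rule-expansion model are constructed assumptions for illustration.
"""
from ipaddress import ip_address, ip_network

# Constructed sample topology: 7 VLANs, VLAN 10 is the management VLAN.
VLANS = {
    10: "10.0.10.0/24",  # management
    20: "10.0.20.0/24",
    30: "10.0.30.0/24",
    40: "10.0.40.0/24",
    50: "10.0.50.0/24",
    60: "10.0.60.0/24",
    70: "10.0.70.0/24",
}
MGMT_VLAN = 10
# Assumption: the gateway owns the first host address of every VLAN subnet.
GATEWAY_IPS = {vid: str(ip_network(net)[1]) for vid, net in VLANS.items()}
MGMT_PORTS = (22, 80, 443)

# IP-port group as in the post: the 6 non-management gateway IPs x 3 ports.
GATEWAY_MGMT_GROUP = {
    "ips": [ip for vid, ip in GATEWAY_IPS.items() if vid != MGMT_VLAN],
    "ports": list(MGMT_PORTS),
}
ANY = ["0.0.0.0/0"]  # assumed "any source" network


def rule(action, sources, group):
    """One ACL rule: action applied to (source nets) -> (group ips, group ports)."""
    return {"action": action, "sources": list(sources),
            "ips": list(group["ips"]), "ports": list(group["ports"])}


def expanded_entries(r):
    """Number of (src net, dst ip, dst port) tuples the rule unfolds to.

    Assumption: a per-device ACL limit counts these expanded entries, which is
    why selecting every VLAN as source against a large group blows it up.
    """
    return len(r["sources"]) * len(r["ips"]) * len(r["ports"])


def total_entries(acl):
    return sum(expanded_entries(r) for r in acl)


def evaluate(acl, src_ip, dst_ip, dst_port, default="permit"):
    """First-match evaluation of an ordered ACL; returns 'permit' or 'deny'."""
    src = ip_address(src_ip)
    for r in acl:
        if (any(src in ip_network(n) for n in r["sources"])
                and dst_ip in r["ips"] and dst_port in r["ports"]):
            return r["action"]
    return default


# ACL 1: what the post describes - every VLAN as source, deny to the group.
# Note that this also denies the management VLAN itself.
ACL_ALL_VLANS = [rule("deny", VLANS.values(), GATEWAY_MGMT_GROUP)]

# ACL 2: permit the management VLAN first, then deny any other source.
ACL_PERMIT_FIRST = [
    rule("permit", [VLANS[MGMT_VLAN]], GATEWAY_MGMT_GROUP),
    rule("deny", ANY, GATEWAY_MGMT_GROUP),
]

if __name__ == "__main__":
    print("entries, all VLANs as source :", total_entries(ACL_ALL_VLANS))
    print("entries, permit-first + any  :", total_entries(ACL_PERMIT_FIRST))
    for acl_name, acl in (("all-vlans", ACL_ALL_VLANS), ("permit-first", ACL_PERMIT_FIRST)):
        for src, dst, port in (("10.0.10.5", "10.0.30.1", 443),
                               ("10.0.20.5", "10.0.30.1", 443),
                               ("10.0.20.5", "10.0.20.1", 53)):
            print(f"{acl_name:12} {src} -> {dst}:{port} = {evaluate(acl, src, dst, port)}")
```

With these constructed values the single "all VLANs" rule unfolds to 7 x 6 x 3 = 126 entries, while the permit-first pair needs 36, and the management VLAN keeps its access instead of being locked out with everything else. The model also makes a gap visible: because the group in the post holds only the six non-management gateway IPs, a client on another VLAN is still permitted to the management VLAN's gateway IP by this ACL alone, so that path has to be covered by the inter-VLAN ACLs.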
Re:Blocking Router Access for all VLANs
2023-11-06 18:23:34

@SebastianH I'm not sure what other equipment you have. I am also using a 7206 (but I also have a TL-SG2428P) and I used a switch ACL to block other VLANs from accessing the management VLAN.

I have it disabled right now though, since I am still setting everything up (and migrating to a new controller). I am not sure whether, if I enable it, it will break my VPN access.

Either way though, you should be able to use the switch ACL if your topology supports it.

#2
Re:Blocking Router Access for all VLANs
2023-11-06 18:39:51

Hi @muzicman0

Thank you for your advice. I also have ACLs configured to block inter-VLAN traffic. This is working fine.

But it's still possible to access the Router Login Page, due to the fact that it's not possible to limit the management to one specific VLAN on the Router.

It's still possible to access the page from every VLAN by using the internal gateway IP of the interface VLAN.

#3
Re:Blocking Router Access for all VLANs
2023-11-06 19:54:26

@SebastianH I see. I can hit the login page, but if I log in, access is denied (since I am using a Controller). This is adequate for my needs, but I understand why it may not be in other cases.

#4
Re:Blocking Router Access for all VLANs-Solution
2023-11-07 07:14:46 - last edited 2023-11-07 07:44:46

@SebastianH

Hey, it's not difficult, just choose the Me/Gateway Management page, check this out.

Just striving to develop myself while helping others.
Recommended Solution
#5
Re:Blocking Router Access for all VLANs
2023-11-07 07:45:13
Perfect. Thank you. This is what I was looking for.
#6
Re:Blocking Router Access for all VLANs
2023-11-07 07:50:29

@SebastianH

You're welcome~

Just striving to develop myself while helping others.
#7
Re:Blocking Router Access for all VLANs
2023-11-08 09:32:31

Hi @Virgo
I was just trying to implement your suggested solution.
But I don't have the possibility to choose a service type when I create a gateway ACL.

#8