Help with VLAN and ACL
Hi,
First time setting up VLANs.
I have a VLAN (id: 20) for IoT devices, and I don't want them to be able to access devices on other VLANs.
But they should be able to access one single server on the default network (VLAN id: 1) which hosts Home Assistant.
Is it possible to do this via ACL rules?
Thank you.
Thanks for posting in our business forum.
Do you have a switch in your network?
Do you use Omada Controller?
If you are using the Controller mode, you should use the Switch ACL as it supports IP Group ACL. If you are in standalone mode, use the ACL on the router and configure the IP Group in the Source and Destination.
If you don't have a switch but are using the controller mode, the feature has been placed in the roadmap. ETA V5.16.X.
@Clive_A Thank you for your answer. Yes, my switches are all Omada switches and I'm using the OC300 hardware controller.
So, if I understand correctly,
1. to prevent my IoT VLAN from accessing other VLANs, I should have a Switch ACL rule (source and destination "network") that denies access to other VLANs
2. ... and then I add another rule also as a Switch ACL rule like this:
Policy: permit
Source: type network, IoT VLAN
Destination: type IP group, and I set here my Home Assistant server IP with a /32 mask
Is it correct?
Also:
- How does precedence work here? What should be the first rule? 1. or 2. ?
- For these 2 rules, should the binding type be "Ports" or "VLAN"?
Thank you.
Thanks for posting in our business forum.
With the SW ACL, you would have a more versatile ACL config as you have the IP-Port. Currently, the GW ACL does not support LAN-LAN IP-Port. Scheduled to V5.15.X update.
If you want to have a single A to B, but the rest of A cannot reach B, you need to create the Deny and Allow rules.
Allow A to B,
Block A to B.
You can use the label and tag to filter the guides we have:
This one is a collection of fan-made SW ACL guides:
https://community.tp-link.com/en/business/forum/3?labelIds=8738,8744&tagId=7194
Hope they can help you with the setup.
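To make the ordering point concrete, here is a small first-match ACL simulation I added for illustration; it is not Omada's own implementation and assumes rules are evaluated top-down with the first match winning and an implicit permit at the end. The subnets and the Home Assistant address (VLAN 1 = 192.168.1.0/24, VLAN 20 = 192.168.20.0/24, Home Assistant = 192.168.1.10/32) are constructed sample values.

```python
"""First-match ACL ordering for the IoT -> Home Assistant case.

Constructed example (not Omada's code): rules are evaluated top-down and
the first match wins, so the "allow A to B" rule must sit above the
"block A to B" rule or the permit is never reached.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

# Constructed lab addressing: VLAN 1 is the default network, VLAN 20 is IoT.
VLANS = {1: IPv4Network("192.168.1.0/24"), 20: IPv4Network("192.168.20.0/24")}
HOME_ASSISTANT = IPv4Network("192.168.1.10/32")  # IP group with a /32 mask


@dataclass(frozen=True)
class Rule:
    policy: str        # "permit" or "deny"
    src: IPv4Network   # source "network" (VLAN subnet) or IP group
    dst: IPv4Network   # destination network or IP group

    def matches(self, src_ip: IPv4Address, dst_ip: IPv4Address) -> bool:
        return src_ip in self.src and dst_ip in self.dst


def evaluate(rules, src_ip, dst_ip, default="permit"):
    """Policy of the first matching rule; assumed implicit permit otherwise."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip):
            return rule.policy
    return default


# Rule 2 (permit IoT -> Home Assistant /32) placed above rule 1 (deny IoT -> VLAN 1).
CORRECT_ORDER = [
    Rule("permit", VLANS[20], HOME_ASSISTANT),
    Rule("deny", VLANS[20], VLANS[1]),
]
# Same two rules with the deny first: the permit is shadowed and never reached.
WRONG_ORDER = list(reversed(CORRECT_ORDER))


def check(rules):
    """Evaluate the three flows that matter for the thread's setup."""
    iot = IPv4Address("192.168.20.50")          # constructed IoT device
    other = IPv4Address("192.168.1.20")         # constructed non-HA host on VLAN 1
    return {
        "iot->home_assistant": evaluate(rules, iot, IPv4Address("192.168.1.10")),
        "iot->other_vlan1_host": evaluate(rules, iot, other),
        # The deny is one-directional: nothing here blocks VLAN 1 -> IoT.
        "vlan1->iot": evaluate(rules, other, iot),
    }
```

Running `check(CORRECT_ORDER)` permits only the Home Assistant flow from IoT, while `check(WRONG_ORDER)` denies it too, which is the shadowing to watch for when the deny rule is listed first.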