vmware private vlan in omada environment
i'd like some guidance regarding how best to implement this via omada.
we got er605, several sg2008p, and eap610s
our infra and app servers are running as VMs on VMware.
we were thinking of using private vlans to create isolated networks. not sure how promiscuous translates to omada though.
we have three specific isolation designs in mind:
1) clients on vlan A can only see the published app servers, no internet
2) clients on vlan B can only see the published app servers, with internet access
3) clients on vlan C cannot see each other but only have internet access - this looks like the guest functionality (guest ticked on the wifi network, we got this one running.)
finally, i was wondering if this will work when using PPSK using the built-in radius of the controller.
Hi @snoop-snoop
snoop-snoop wrote
i got these 4 ACLs configured on my switch acl:
1) permit source network wireless / destination ip group: server ip/24
2) permit source network wireless / destination group: wireless gateway
3) permit source wireless gateway / destination network wireless
4) deny source wireless / destination network "all other network"
is the ACL implementation bugged at the switch level?
If you configured all the VLAN interfaces on the router, you should configure the GW ACL.
The behavior you consulted is expected. If you are gonna set up the Wireless, use the Guest Network as it is the WIFI.
No need to configure the ACL. Even if it is ACL, go and configure the Network>Network ACL on GW.
Not really sure what you mean it is bugged at the switch level as they are not based on the switch and its ACL would have little effect on the GW.
You should spend more time on the ACL guides and discussion on the GW page where you'd find some previous discussions on VLAN design.
https://community.tp-link.com/en/business/forum/794?countryCodesStr=&searchFromDate=ALL_TIME&language=ENGLISH&sort=&status=&dir=desc&tagId=646&labelIds=8760&isMatchAll=true&keyword=
i got these 4 ACLs configured on my switch acl:
1) permit source network wireless / destination ip group: server ip/24
2) permit source network wireless / destination group: wireless gateway
3) permit source wireless gateway / destination network wireless
4) deny source wireless / destination network "all other network"
when i have ACL #1 enabled and ping from a wireless client, the client is able to ping other servers that are not part of the ip group. so it's allowing the entire subnet, not just the specific IP. is this the expected behavior? isn't this supposed to just publish one IP instead? when i disable ACL #1,
it just occurred to me, should i manage ACL at the gateway level instead of the switch level?
i mean why would allowing an ip-port of one server allow the entire subnet and not just the server listed? that is an odd behavior for the ACL entry.
nevermind. LAN>LAN ACL only works Network to Network, no IP group to port.
is the ACL implementation bugged at the switch level?
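A first-match ACL simulator for checking a ruleset like the four above against test flows before it goes on the controller. This is an added example for this thread, not Omada code: the subnets, the gateway address 10.10.20.1 and the app server 10.10.30.10 are constructed, the trailing deny-all stands in for design 1 (no internet), and it does not model the network-to-network-only limitation of LAN>LAN ACL, only what a /24 versus /32 destination object matches.

```python
"""First-match ACL simulator for sanity-checking a LAN>LAN ruleset before it
is pushed to the controller. Added example for this thread, not Omada code;
all addresses and object names below are constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

# Constructed addressing plan: client VLAN, server VLAN, one more LAN
WIRELESS = ip_network("10.10.20.0/24")
SERVERS = ip_network("10.10.30.0/24")
MGMT = ip_network("10.10.40.0/24")
WIRELESS_GW = ip_network("10.10.20.1/32")
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str          # "permit" or "deny"
    src: IPv4Network
    dst: IPv4Network


def evaluate(rules, src, dst, default="permit"):
    """Action of the first rule matching (src, dst); `default` models the
    behaviour for flows no rule matches, e.g. wireless -> internet."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if s in r.src and d in r.dst:
            return r.action
    return default


def build_rules(server_group, internet=True):
    """Rules #1-#4 from the thread. `server_group` is the destination object
    of rule #1; `internet=False` adds a trailing deny-all (design 1)."""
    rules = [
        Rule("permit", WIRELESS, server_group),   # 1: clients -> published servers
        Rule("permit", WIRELESS, WIRELESS_GW),    # 2: clients -> their gateway
        Rule("permit", WIRELESS_GW, WIRELESS),    # 3: gateway -> clients
        Rule("deny", WIRELESS, SERVERS),          # 4: "all other networks"
        Rule("deny", WIRELESS, MGMT),
    ]
    if not internet:
        rules.append(Rule("deny", WIRELESS, ANY))
    return rules


# A "server ip/24" object makes rule #1 match every host in the server subnet,
# so rule #4 is never reached for them; /32 permits only the app server.
BROAD = build_rules(ip_network("10.10.30.0/24"))
TIGHT = build_rules(ip_network("10.10.30.10/32"))
TIGHT_NO_INET = build_rules(ip_network("10.10.30.10/32"), internet=False)
```

With the /24 object, `evaluate(BROAD, "10.10.20.50", "10.10.30.99")` is "permit" even though that host is not the published server; with the /32 object the same flow falls through to rule #4 and is denied.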