Switch ACLs Not Working as Specified

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2023-06-15 03:09:05 - last edited 2023-06-30 14:10:24
Model: SG2008P  
Hardware Version: V3
Firmware Version: 3.0.4 Build 20221130 Rel.42340

The ACL models seem to be buggy, or is it me? I'm trying to do something very simple: block the Surveillance VLAN from accessing the LAN but allow the LAN to access the Surveillance VLAN. It blocks it both ways and only seems to work using the gateway ACL. I read this thread (https://community.tp-link.com/en/business/forum/topic/601350) that states the gateway ACL is the only one that works, but then I watched this video (https://youtube.com/clip/Ugkx29Vhg95uPxQvsgWeKEqOJk_huyKrOqMo) and he is using switch ACLs to make this work.

What am I missing here please? Any help would be greatly appreciated.

RP

#1
Re: Switch ACLs Not Working as Specified
2023-06-16 03:54:33

@rpaulpen

Hi, can you see this option?

If your controller doesn't have this option, upgrade the controller version or upgrade the switch version to the latest.

Just striving to develop myself while helping others.
#2

Re: Switch ACLs Not Working as Specified
2023-06-16 10:20:19

@Virgo, thank you for your reply. Yes, the option is available only when creating the ACL but not during edit. It is not selected.

RP

#3

Re: Switch ACLs Not Working as Specified
2023-06-17 01:48:20

@rpaulpen

What do you bind that ACL to? If you check the Binding Type VLAN, it is not going to work the way you want for sure.

Kris K
#4

Re: Switch ACLs Not Working as Specified
2023-06-17 03:09:25

@KJK Thanks for your reply.

Binding is "Ports" and Ports is "All Ports".

Regards,

RP

#5

Re: Switch ACLs Not Working as Specified - Solution
2023-06-30 14:10:15 - last edited 2023-06-30 14:10:24

@rpaulpen Here's the feedback I received from support...

Thank you for contacting TP-Link support.

Sorry for my mistake. Having double-confirmed with the engineer, only the router can achieve the one-way ACL but the switch cannot.

As the community stated, a network connection is a two-way communication. If you block one way, then the opposite. For now, only the router supports the stateful ACL. Stateful ACL means the router can verify this connection was "started" from this network, then allow the "reply traffic" even if there is a "blocked" rule. But currently, the switch ACL is a strict ACL, with no "excess permit" for the connection to start from a specified VLAN.

For the ping command, it needs to make sure the two-way communication is good so that it can ping successfully. If you have blocked one-way, it is normal that the ping will fail.

We usually test the one-way ACL by capturing packets. If you block one way, you can capture the packet on one side. If you block two-way, no packet will be captured. That is why there is a Bi-directional button. Some customers hope there is no packet that can be captured. Please make sure the Controller is the new version. We are still checking the issue without a Bi-directional choice.

Our R&D team still evaluates the function of the switch. You can use the router to set the one-way ACL settings.
 
Many thanks for your understanding. Have a nice day!

Recommended Solution

#6
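The distinction support draws above, a stateless ("strict") switch ACL that judges every packet on its own versus a stateful router ACL that remembers who opened the connection, simulated in Python as an added example. This is not code from the thread, from TP-Link or from the Omada controller; the VLAN subnets, host addresses and ports are constructed assumptions chosen only to illustrate the "deny Surveillance VLAN to LAN" rule the poster was trying to build. The ping case is included because it is the test the thread used.

```python
"""Added example: why a one-way deny on a stateless switch ACL breaks
traffic in both directions, while a stateful (router) ACL lets the
reply through. Subnets, hosts and ports are constructed, not taken
from the thread."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed VLAN subnets (assumption: not the poster's real addressing)
LAN_NET = ip_network("192.168.10.0/24")           # LAN VLAN
SURVEILLANCE_NET = ip_network("192.168.20.0/24")  # Surveillance VLAN


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"

    def key(self):
        return (self.src, self.dst, self.sport, self.dport, self.proto)

    def reverse_key(self):
        """The 5-tuple a reply to this packet would carry."""
        return (self.dst, self.src, self.dport, self.sport, self.proto)


def matches_deny_rule(pkt):
    """The single rule under discussion: deny Surveillance -> LAN.
    Anything the rule does not match is permitted."""
    return (ip_address(pkt.src) in SURVEILLANCE_NET
            and ip_address(pkt.dst) in LAN_NET)


def stateless_verdicts(flow):
    """Switch-style ('strict') ACL: each packet is judged on its own
    header, with no memory of who started the connection."""
    return ["deny" if matches_deny_rule(p) else "permit" for p in flow]


def stateful_verdicts(flow):
    """Router-style ACL: a permitted packet creates a connection entry,
    and a packet that is the reply to a tracked entry is permitted
    before the deny rule is even consulted."""
    conntrack = set()
    verdicts = []
    for p in flow:
        if p.reverse_key() in conntrack:
            verdicts.append("permit")      # reply to a known connection
        elif matches_deny_rule(p):
            verdicts.append("deny")        # blocked, so never tracked
        else:
            conntrack.add(p.key())
            verdicts.append("permit")
    return verdicts


def connection_works(flow, stateful):
    """True only if every packet of the exchange, request and reply, passes."""
    verdicts = stateful_verdicts(flow) if stateful else stateless_verdicts(flow)
    return all(v == "permit" for v in verdicts)


# Constructed sample exchanges (hosts and ports are illustrative).
# A LAN workstation opens an RTSP session to a camera; the camera replies.
LAN_TO_CAMERA = [
    Packet("192.168.10.5", "192.168.20.7", 40000, 554),
    Packet("192.168.20.7", "192.168.10.5", 554, 40000),
]
# A camera tries to reach a LAN host; this must fail under both models.
CAMERA_TO_LAN = [
    Packet("192.168.20.7", "192.168.10.5", 50000, 445),
    Packet("192.168.10.5", "192.168.20.7", 445, 50000),
]
# The ping case from the thread: echo request from LAN, echo reply from camera.
PING_LAN_TO_CAMERA = [
    Packet("192.168.10.5", "192.168.20.7", 0, 0, "icmp"),
    Packet("192.168.20.7", "192.168.10.5", 0, 0, "icmp"),
]


if __name__ == "__main__":
    for name, flow in [("LAN->camera", LAN_TO_CAMERA),
                       ("camera->LAN", CAMERA_TO_LAN),
                       ("ping LAN->camera", PING_LAN_TO_CAMERA)]:
        print(f"{name:18} stateless={stateless_verdicts(flow)} "
              f"stateful={stateful_verdicts(flow)}")
```

Running it shows the symptom from the first post: under the stateless model the LAN host's request is permitted but the camera's reply is denied, so the session (and the ping) fails even though the rule only names Surveillance-to-LAN traffic. A capture on the LAN side would show the outgoing request and no reply, which is the "one side only" capture support describes. Under the stateful model the reply is matched against the tracked connection and permitted, while a camera-initiated connection is still denied in both directions.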

Views: 852
Replies: 5