Switch ACL purpose

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2024-02-07 19:14:05

Hi,

Reading this article https://www.tp-link.com/en/support/faq/3091/, it says to use a "Switch ACL" to block routing between VLANs.

My stupid question is: why would I explicitly block switching between VLANs using ACLs? Shouldn't communication between ports in different VLANs already be prevented by the nature of VLANs themselves? What am I missing?

Thanks.

Re: Switch ACL purpose
2024-02-08 01:09:17 - last edited 2024-02-08 02:19:24

Is inter-VLAN routing allowed by default on the switch side? Also on the gateway side?

If I need a stateful ACL, do I need to use a gateway ACL? And if I use a gateway ACL, do I also need to block inter-VLAN traffic on the switch side as well?

Sorry, but I'm confused and didn't find clear documentation about ACLs in the Omada controller.

Re: Switch ACL purpose
2024-02-08 02:25:58

@Antony23

Antony23 wrote

Is inter-VLAN routing allowed by default on the switch side? Also on the gateway side?

If I need a stateful ACL, do I need to use a gateway ACL? And if I use a gateway ACL, do I also need to block inter-VLAN traffic on the switch side as well?

Sorry, but I'm confused and didn't find clear documentation about ACLs in the Omada controller.

Correct about your statements. If you have a GW ACL, you don't need a SW ACL, unless you need something else to make up for it when some types are not supported.

ScReW yOu gUyS. I aM GOinG hoMe. —————————————————————— For heaven's sake, can you write and describe your issue based on plain fact, common logic and a methodologic approach? Appreciate it.
Re: Switch ACL purpose
2024-02-08 11:56:04 - last edited 2024-02-08 11:58:28

@Tedd404

Thanks for the answer.

But what I would like to know is whether, when using a GW ACL, the traffic is routed at the gateway's physical port or at the switch ports.

That's because in a router-on-a-stick setup (switch with VLANs -> gateway), if it happens at the GW port, the data link between the switch and the gateway will be shared between WAN and inter-VLAN traffic. So, if I have heavy data traffic between VLANs, this will decrease WAN bandwidth.

Re: Switch ACL purpose
2024-02-10 21:08:48 - last edited 2024-02-10 21:31:22

Please, can someone explain this to me?

If, as it seems, the switch allows IP traffic to route between VLANs by default, and I block inter-VLAN routing on the gateway side with a gateway ACL (LAN-LAN direction), will routing between VLANs continue to work on the switch side? If not, why?

Re: Switch ACL purpose
2024-02-11 11:45:57

@Antony23

Antony23 wrote

Please, can someone explain this to me?

If, as it seems, the switch allows IP traffic to route between VLANs by default, and I block inter-VLAN routing on the gateway side with a gateway ACL (LAN-LAN direction), will routing between VLANs continue to work on the switch side? If not, why?

No. Because you block it at layer three, like Clive said in the old posts.

The VLAN interface originates at the gateway level, and you don't have access if you block it at layer three.

I don't see why you keep asking when you can test this out real quick.

My best suggestion for you is to learn about the OSI model and get to know the basics of networking. Don't expect or count on others.

Or just ring support instead of waiting here.

Re: Switch ACL purpose
2024-02-13 00:19:12

@Tedd404

Hi,

maybe my bad English was not sufficient to explain myself well. Stay calm, I know OSI and the basics of networking; I'm a software developer, but not completely networking savvy.

I cannot test it myself; I'm new to Omada, and before I go and buy equipment I would like to know whether it can suit my needs.

What I wrongly understood is that layer 2 switches in Omada were able to do inter-VLAN routing without the need for a layer 3 device, such as the gateway. That's because of FAQ 3091, which uses a switch ACL instead of a router/GW ACL firewall, and above all because of reading old Reddit threads that led me to misunderstand things.

Now I understand that the LAN-LAN ACL on Omada was introduced one year ago. And after testing on a friend's Omada equipment, I understood that an L2 switch can't do inter-VLAN routing without an L3 device, as is right.

Now that I understand how things are, I would anyway like to ask you:

1. Why, in the GW, can we not specify ACLs for different LAN GW ports? As I see in the emulator, we can only apply ACLs to LAN-LAN or LAN-WAN, but they are applied to all LAN ports of the gateway, I suppose.

2. Why, with a LAN-LAN ACL on the GW side, can we not use IP groups? I cannot understand, anyway, whether this is a limitation of controller mode or whether it also works this way in standalone mode.

Thanks a lot.
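A small model of the router-on-a-stick layout discussed in this thread (L2 switch, one trunk, gateway doing the inter-VLAN routing), added here as an illustration; it is not Omada code, and the VLAN IDs, frame sizes and the set-of-denied-pairs ACL representation are constructed assumptions. It shows why an L2 switch must send inter-VLAN traffic up the trunk, and that a gateway LAN-LAN ACL drops that traffic only after it has consumed trunk bandwidth, whereas a switch ACL drops it at the access port.

```python
"""Toy model of a router-on-a-stick layout: one L2 switch, one trunk, one gateway.
Constructed for illustration only; it is not Omada code. ACLs are modelled as
sets of denied (src_vlan, dst_vlan) pairs (a constructed simplification)."""
from dataclasses import dataclass, field


@dataclass
class Packet:
    src_vlan: int
    dst_vlan: int
    size: int  # bytes


@dataclass
class Network:
    switch_acl: set = field(default_factory=set)   # evaluated at the access port
    gateway_acl: set = field(default_factory=set)  # evaluated at the gateway (LAN-LAN)
    trunk_bytes: int = 0                           # load on the switch<->gateway trunk

    def forward(self, pkt: Packet) -> str:
        """Return where the packet ends up, accounting trunk usage on the way."""
        pair = (pkt.src_vlan, pkt.dst_vlan)
        if pair in self.switch_acl:
            return "dropped-by-switch-acl"        # never leaves the access port
        if pkt.src_vlan == pkt.dst_vlan:
            return "switched-at-layer-2"          # local, no gateway involved
        # Different VLANs: an L2 switch cannot route, so the frame goes up the trunk.
        self.trunk_bytes += pkt.size
        if pair in self.gateway_acl:
            return "dropped-by-gateway-acl"       # trunk bandwidth already spent
        self.trunk_bytes += pkt.size               # routed and hairpinned back down
        return "routed-by-gateway"


def compare_acl_placement(flows):
    """Run the same flows with a gateway-only ACL and with the same deny also on the switch."""
    deny = {(10, 20)}  # constructed: deny VLAN 10 -> VLAN 20
    gw_only = Network(gateway_acl=deny)
    sw_and_gw = Network(gateway_acl=deny, switch_acl=deny)
    outcomes = {}
    for name, net in (("gateway_acl_only", gw_only), ("switch_and_gateway_acl", sw_and_gw)):
        results = [net.forward(p) for p in flows]
        outcomes[name] = {"trunk_bytes": net.trunk_bytes, "results": sorted(set(results))}
    return outcomes


if __name__ == "__main__":
    # Constructed sample: 1000 denied inter-VLAN frames, one allowed, one intra-VLAN.
    sample = [Packet(10, 20, 1500)] * 1000 + [Packet(10, 30, 1500), Packet(10, 10, 1500)]
    print(compare_acl_placement(sample))
```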
