Switch ACLs Not Working as Specified
The ACL models seem to be buggy, or is it me? I'm trying to do something very simple: block the Surveillance VLAN from accessing the LAN but allow the LAN to access the Surveillance VLAN. It blocks it both ways and only seems to work using the gateway ACL. I read this thread (https://community.tp-link.com/en/business/forum/topic/601350) that states the gateway ACL is the only one that works, but then I watched this video (https://youtube.com/clip/Ugkx29Vhg95uPxQvsgWeKEqOJk_huyKrOqMo) and he is using switch ACLs to make this work.
What am I missing here please? Any help would be greatly appreciated.
RP
@rpaulpen Here's the feedback I received from support...
Sorry for my mistake. Having double-confirmed with the engineer, only the router can achieve the one-way ACL but the switch cannot.
As the community stated, a network connection is a two-way communication. If you block one way, then the opposite. For now, only the router supports the stateful ACL. Stateful ACL means the router can verify this connection was "started" from this network, then allow the "reply traffic" even if there is a "blocked" rule. But currently, the switch ACL is a strict ACL, with no "excess permit" for the connection to start from a specified VLAN.
For the ping command, it needs to make sure the two-way communication is good so that it can ping successfully. If you have blocked one-way, it is normal that the ping will fail.
We usually test the one-way ACL by capturing packets. If you block one way, you can capture the packet on one side. If you block two-way, no packet will be captured. That is why there is a Bi-directional button. Some customers hope there is no packet that can be captured. Please make sure the Controller is the new version. We are still checking the issue without a Bi-directional choice.
Our R&D team still evaluates the function of the switch. You can use the router to set the one-way ACL settings.
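To make the support explanation concrete, here is a small added model (not code from the thread or from TP-Link) of the two ACL behaviours: a switch-style stateless ACL that judges every frame on its own, and a router-style stateful ACL that remembers which side started the flow. The VLAN names are the thread's; the addresses, packet fields and flow-table key are constructed for the example.

```python
# Constructed model of a stateless (switch) ACL versus a stateful (router) ACL,
# applied to the goal in the thread: LAN may reach the Surveillance VLAN, but
# the Surveillance VLAN may not initiate anything toward the LAN.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_vlan: str
    dst_vlan: str
    src: str        # constructed sample addresses, not from the thread
    dst: str
    kind: str       # "icmp-echo-request" or "icmp-echo-reply"


def rule_denies(pkt: Packet) -> bool:
    """The single deny rule both devices are given: Surveillance -> LAN."""
    return pkt.src_vlan == "Surveillance" and pkt.dst_vlan == "LAN"


def stateless_acl(packets):
    """Switch-style ACL: each packet is judged alone, with no memory of flows,
    so the echo reply of a LAN-initiated ping is dropped like any other packet."""
    return [not rule_denies(p) for p in packets]


def stateful_acl(packets):
    """Router-style ACL: a permitted packet records its flow (src, dst); a later
    packet that matches the deny rule is still allowed if it is the reverse of a
    recorded flow, which is the 'reply traffic' the support reply describes."""
    flows = set()
    verdicts = []
    for p in packets:
        if rule_denies(p):
            verdicts.append((p.dst, p.src) in flows)   # only replies pass
        else:
            flows.add((p.src, p.dst))
            verdicts.append(True)
    return verdicts


def ping_succeeds(acl, initiator: str) -> bool:
    """A ping needs both the request and the reply to pass the ACL."""
    lan, cam = "10.0.1.10", "10.0.2.20"                # constructed addresses
    if initiator == "LAN":
        req = Packet("LAN", "Surveillance", lan, cam, "icmp-echo-request")
        rep = Packet("Surveillance", "LAN", cam, lan, "icmp-echo-reply")
    else:
        req = Packet("Surveillance", "LAN", cam, lan, "icmp-echo-request")
        rep = Packet("LAN", "Surveillance", lan, cam, "icmp-echo-reply")
    return all(acl([req, rep]))
```

With the stateless model a ping from the LAN fails because its reply is dropped, which is exactly the symptom reported in the question; with the stateful model the LAN-initiated ping succeeds while a Surveillance-initiated one still fails.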
@Virgo thank you for your reply. Yes, the option is available only when creating the ACL but not during edit. It is not selected.
RP
What do you bind that ACL to? If you check the Binding Type VLAN, it is not going to work the way you want for sure.