vlan isolation

9 hours ago - last edited 4 hours ago

I'm struggling with gateway, switch and EAP types of ACL rules.

I'm trying to find a way of isolating 2 VLANs from the rest.

Meaning only internet traffic is allowed for these 2 VLANs.

For that I have created 2 IP groups (see attached pictures).

One has the 2 subnets I'm trying to isolate (labeled as !-unsecure-subnets): 192.168.180.0/24 and 192.168.190.0/24.

And the other has all other subnets (labeled as !-secure-subnets): 192.168.2x0.0/24, where x equals 0-4, meaning the third octet is 200, 210, 220, 230 or 240.

unsecure ip-group

secure ip-group

See also attached picture: I then created a deny rule for the gateway ACL (i.e. LAN->LAN), switch ACL and EAP ACL.

All three with the same content as seen in the screenshot from the EAP ACL.

ACL-rule

As a result all traffic is blocked?!

What am I overlooking in this setup?

*** making it run like clockwork ***
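As an added check (written for this thread, not Omada's own logic or anything posted above): a small Python model evaluates the single deny rule from the post, built from the two IP groups it names, against three sample flows under each possible implicit default action, so you can see which rule set reproduces "all traffic is blocked" and which one only cuts the two subnets off from the others. The host addresses, the internet destination and the two default actions are constructed for illustration.

```python
# Added example: first-match ACL evaluation over the post's two IP groups.
# Only the subnets come from the thread; hosts, the internet address and
# the default actions are constructed and do not describe a specific product.
from ipaddress import ip_address, ip_network

# IP groups as described in the post.
UNSECURE_SUBNETS = [ip_network(n) for n in ("192.168.180.0/24", "192.168.190.0/24")]
SECURE_SUBNETS = [ip_network(f"192.168.{o}.0/24") for o in (200, 210, 220, 230, 240)]
ANY = [ip_network("0.0.0.0/0")]

def in_group(addr, group):
    """True if addr falls inside any network of the IP group."""
    return any(ip_address(addr) in net for net in group)

def evaluate(src, dst, rules, default):
    """Walk rules in order; the first match wins, otherwise the default applies."""
    for action, src_group, dst_group in rules:
        if in_group(src, src_group) and in_group(dst, dst_group):
            return action
    return default

# The one rule from the post: deny unsecure -> secure.
DENY_UNSECURE_TO_SECURE = [("deny", UNSECURE_SUBNETS, SECURE_SUBNETS)]
# An explicit catch-all permit to append after the deny.
PERMIT_ALL = ("permit", ANY, ANY)

# Constructed sample flows (203.0.113.5 is a documentation address standing in for the internet).
FLOWS = {
    "unsecure->secure": ("192.168.180.10", "192.168.200.10"),
    "unsecure->internet": ("192.168.180.10", "203.0.113.5"),
    "secure->secure": ("192.168.210.10", "192.168.220.10"),
}

def outcomes(rules, default):
    """Action taken for every sample flow under the given rule list and default."""
    return {name: evaluate(s, d, rules, default) for name, (s, d) in FLOWS.items()}

if __name__ == "__main__":
    for default in ("permit", "deny"):
        print(f"deny rule only, default={default}: {outcomes(DENY_UNSECURE_TO_SECURE, default)}")
    # With a trailing permit-all the implicit default no longer matters.
    print("deny + permit-all:", outcomes(DENY_UNSECURE_TO_SECURE + [PERMIT_ALL], "deny"))
```

If the engine applying the rule ends in an implicit deny, the lone deny rule blocks every flow, including the unsecure subnets' internet traffic, which is the symptom in the post; a trailing permit-all restores everything except the one unsecure-to-secure path.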
Re:vlan isolation
2 hours ago - last edited 2 hours ago

@ITV
If you are using the latest firmware, then it is very easy to isolate your two VLANs. In each VLAN configuration (found under site, Network Config, LAN), expand the Advanced Settings where you will find an Isolate Network option. Enabling this option will isolate the VLAN from all other VLANs and your IP Groups and ACLs are not needed. Alternatively, on the LAN page there is a tab for Isolation Settings where you can select the VLAN and add it to the isolated VLAN list.

1x ER7406 1x OC300 4x SG2008 1x EAP610 3x EAP650-Desktop 1x EAP772-Outdoor
Re:vlan isolation
an hour ago

@jra11500 - thank you for the detailed explanation.

Unfortunately that feature only works if the router is doing the VLAN routing.

Which is not the case for me - for performance reasons I'm doing L3 switching.

Meaning an SG2218 is doing all the VLAN routing and the Omada router is only doing internet routing.

As a result, I have no other option than trying to make it work with an ACL.

*** making it run like clockwork ***
Re:vlan isolation
52 minutes ago

@ITV
That changes things! A topology map would help in recommending a solution. It would appear that you probably don't need any gateway or EAP ACLs, only switch ACLs and perhaps some static routes.

1x ER7406 1x OC300 4x SG2008 1x EAP610 3x EAP650-Desktop 1x EAP772-Outdoor