@Tournas 

You can also try making an IP-Port-Group with just the port - if you dont add a subnet it applies to 0.0.0.0/0 (any IP) and use that as the source and destination IP_any in a switch ACL, i dont think EAP ACLs can actually block stuff on the broadcast subnet 255.255.255.255 - i have tried to do similar in the past to prevent clients on a particular SSID from getting DHCP on TCP/UDP 67-68, it just would not work at all, i had to use a hacky switch ACL to do it

  @GRL 

At the moment I am doing

source: the whole IoT network and

destination: the ip-port group with the udp ports only

for both the switch acl rule and the eap acl rule.

the switch rule seems to work, in the sense that I do not see this broadcast travelling in the rest of the network. The eap side does nothing, and I dont know how a switch rule could help further as the traffic remains in the AP side?

i will also try your suggestion

source: the ip ports group

destination; any

but this will presumably block udp 6667 on all my vlans?

  @GRL 
 

I tried it but still see the broadcasts

 

5 2.143322 192.168.20.6 255.255.255.255 UDP 218 49153 → 6667 Len=172

6 2.808258 192.168.20.5 255.255.255.255 UDP 218 49153 → 6667 Len=172

7 2.831090 192.168.20.10 255.255.255.255 UDP 218 49153 → 6667 Len=172

  @Vincent-TP 

There appears to be some problem uploading or pasting pictures currently.

I am using OC220 running 

Firmware Version

1.2.11 Build 20251128 Rel.52802

I have three EAP772s, two are connected on my core switch SG2210MP and one is connected on another switch SG2206MP which in turn is connected to the SG2210MP.

All the tuya ACs are connected to the IoT 2.4ghz dedicated wifi through the EAPs of course. I only capture packets using the built it network capture tool of the controller, selecting either EAP -> Wireless -> and the IoT ssid.

Regards

  @Vincent-TP 

Thanks, but its these packets that cause the 2.4ghz to be congested nonetheless, correct?

So no way to block those?