spopuri
May 08, 2020 (Aspirant)
ACL rules M4300
I would like to create extended ACLs to allow only DHCP and DNS from a subnet to a server.
Retired_Member
May 09, 2020
On the Web GUI, when you create a new rule for the IP ACL, you only need to input 4 fields as below; all other parameters keep the default config:
Sequence Number: any value is OK
Action: Permit
Protocol Type: UDP
Dst L4: 53/67/68
The ending deny-everything rule is the default behavior; no need to configure it manually. Then go to the 'IP Binding Configuration' page and select the correct port to which you want to apply this IP ACL rule.
Retired_Member
May 08, 2020
Hi spopuri,
Welcome to the Community!
I suggest you configure an IP ACL to meet your requirement.
As both DHCP and DNS are based on the UDP protocol, you can create one IP ACL with 3 rules (permit udp destination port 53/67/68). Then bind the IP ACL to the physical port or VLAN.
For detailed ACL configuration, please refer to the link (Software Administration Manual: Page 171).
Below is the example config:
ip access-list test 
permit udp any any eq domain 
permit udp any any eq 67 
permit udp any any eq 68 
exit 
interface 1/0/1 
ip access-group test in 1 
exit
Hope it helps!
Regards,
Eric
spopuri
May 08, 2020 (Aspirant)
Thanks, Eric. I would like to do this in the web interface. Is it possible to give me an example?
Should I mention the port number in the source and destination?
LaurentMa
May 08, 2020 (NETGEAR Expert)
Hi,
The examples for both CLI and Web GUI are in the Software Administration Manual starting at page 172 (ACL chapter). That's why Eric indicated the link to it.
 https://www.netgear.com/support/product/m4300.aspx#docs
 Specifically, http://www.downloads.netgear.com/files/GDC/M4300/M4300_SWA_EN.pdf
Unlike other manuals presenting all commands, the Software Administration Manual is a collection of real-world examples with explained config.
I hope it will help you; please let us know how it goes.
spopuri
May 08, 2020 (Aspirant)
Please see the attached screenshot. Let me know if that is right?
LaurentMa
May 08, 2020 (NETGEAR Expert)
I think the source IP should be any and the destination IP should be any too. The only differentiation is on the three UDP ports Eric provided above. The ACL would then end with Deny everything in your case. We bind the ACL to the ports in the ingress direction (traffic coming to the interface).
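To make the ordering and implicit-deny behaviour of this ACL concrete, here is an added simulation (not NETGEAR code and not from any poster) that models the three permit rules from the thread as a first-match list with the switch's default deny-all at the end, then evaluates constructed sample packets as they would arrive ingress on the client-facing port. It shows that only the L4 destination port needs to be specified, and that DNS over TCP is dropped by this ACL, which is worth knowing when large DNS answers or zone transfers traverse the port.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model of an M4300-style IP ACL: rules are evaluated in sequence
# order, the first match wins, and an implicit deny ends every ACL.

@dataclass(frozen=True)
class Rule:
    seq: int
    action: str                      # "permit" or "deny"
    proto: str                       # "udp", "tcp" or "any"
    dst_port: Optional[int] = None   # L4 destination port; None means any

# The three rules from the thread: domain (53), bootps (67), bootpc (68).
# Source IP, destination IP and source port are left as "any".
ACL_TEST = [
    Rule(1, "permit", "udp", 53),
    Rule(2, "permit", "udp", 67),
    Rule(3, "permit", "udp", 68),
]

def evaluate(acl, proto, src_port, dst_port):
    """Return the winning action for one packet; implicit deny if nothing matches."""
    for rule in sorted(acl, key=lambda r: r.seq):
        if rule.proto not in ("any", proto):
            continue
        if rule.dst_port is not None and rule.dst_port != dst_port:
            continue
        return rule.action
    return "deny"  # the switch's default deny-everything rule at the end

# Constructed sample traffic (protocol, source port, destination port) as seen
# ingress on the port where the ACL is bound.
SAMPLES = {
    "dns query (udp)": ("udp", 51234, 53),
    "dhcp discover (client 68 -> server 67)": ("udp", 68, 67),
    "dhcp offer (server 67 -> client 68)": ("udp", 67, 68),
    "dns over tcp": ("tcp", 51235, 53),
    "http": ("tcp", 51236, 80),
}

def check_samples(acl=ACL_TEST):
    """Map each sample packet name to the action the ACL would take."""
    return {name: evaluate(acl, *pkt) for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    for name, action in check_samples().items():
        print(f"{action:6}  {name}")
```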