KimN
Feb 05, 2020Aspirant
Function principle of VLAN ACLs M4100
Hello there, I'm Kim and quite new to networks. Currently I'm working on ACLs on an M4100-50G-POE+ switch for our company network.
The Setup so far is:
The Internet router is directly connected to the switch (in a separate VLAN). The switch interconnects several VLANs (for printers, staff, admin and guests). These are controlled via a set of ACLs (which VLAN can interconnect with which other VLAN, e.g. printers can't open a TCP connection but are allowed to answer, etc.).
I have configured these ACLs as a whitelist and bound them to the ports via "IP Binding Configuration", and the setup works so far. Every ACL takes care of the ports of exactly one VLAN (e.g. ACL 105 deals with VLAN 50; ACL 120 deals with VLAN 200 ...).
I then wanted to apply the ACLs to entire VLANs to ensure that I don't have to reconfigure the ACL binding whenever a port is moved into another VLAN (e.g. setting up a new printer in the printer VLAN). Thus I used the "VLAN Binding Table" for this job.
Now I'm facing the problem that, while the ACLs work as intended when bound to the ports, they do not work the same way when bound to entire VLANs: they block too much traffic unless I put "permit any any" at the end, which basically ruins the idea of a whitelist.
I'm sorry that I can't be more specific on this one, but is there any general advice or a particular point that I have to keep in mind when binding ACLs to VLANs instead of single ports?
If you need any more specific info, I'll try to create some sample VLANs and ACLs to "play with".
Thank you for your help in advance.
Cheers Kim
2 Replies
KimN, Aspirant
Hi John,
thanks for welcoming me.
Sorry, your answer wasn't helping much. But I think I can point to the source of my problem much more clearly now:
- Port-bound ACLs work as a filter for packets that "leave" the VLAN towards the switch (inbound rules from the switch's perspective).
- VLAN-bound ACLs additionally seem to work as a filter for packets coming from the switch and "entering" the VLAN (outbound from the switch's perspective).
Is this how it works? That would explain the behaviour I encountered (an ACL that works fine when bound to a port doesn't work as intended when bound to a VLAN), the reason being that said ACL only has rules for traffic "leaving" the VLAN but not for traffic "entering" the VLAN.
Oversimplified Example:
x.x.10.1 in VLAN10 wants to reach x.x.20.1 in VLAN20 and wants an answer.
Port bound ACL for VLAN 10:
Permit x.x.10.1 0.0.0.0 x.x.20.1 0.0.0.0
Traffic leaving VLAN10 is controlled (the rule on the switch works inbound), and traffic entering VLAN10, like the answer of the device in VLAN20, is permitted anyway (outbound from the switch).
In a VLAN-bound ACL I would have to add another line so that the answer of the device in VLAN20 is accepted and transferred to the recipient in VLAN10:
Permit x.x.10.1 0.0.0.0 x.x.20.1 0.0.0.0
Permit x.x.20.1 0.0.0.0 x.x.10.1 0.0.0.0
Both traffic from the VLAN to the switch and traffic from the switch to the VLAN need to be explicitly permitted by the ACL; otherwise the answer of 10.10.20.1 won't go through.
Is this how VLAN-bound ACLs work?
Best regards,
Kim
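The following is an added illustration, not code from the thread or from NETGEAR: a small Python model of the two binding modes as Kim describes them. It implements Kim's hypothesis (port binding filters only packets arriving from the VLAN's own ports; VLAN binding additionally filters packets the switch forwards into the VLAN) with first-match rules, wildcard masks in the 0.0.0.0 = exact host convention used above, and the implicit deny at the end of every ACL. The hosts 10.0.10.1, 10.0.20.1 and 10.0.30.1 and their VLAN assignments are constructed sample data, and the model says nothing about what M4100 firmware actually does; it only shows why, under that hypothesis, a one-directional whitelist drops the reply when VLAN-bound, and why appending "permit any any" restores the reply at the cost of letting every other flow through as well.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumption (Kim's hypothesis, not confirmed M4100 behaviour):
#   binding == "port": the ACL sees only packets arriving from hosts in the bound VLAN
#   binding == "vlan": the ACL also sees packets the switch forwards into the bound VLAN


@dataclass(frozen=True)
class Rule:
    action: str      # "permit" or "deny"
    src: str         # base address
    src_wild: str    # wildcard mask: 0.0.0.0 = exact host, 255.255.255.255 = any
    dst: str
    dst_wild: str


# "permit any any" in the wildcard-mask notation
PERMIT_ANY = Rule("permit", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255")


def _matches(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard-mask match: every bit set in the wildcard is a don't-care bit."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a | w) == (b | w)


def evaluate(acl: List[Rule], src: str, dst: str) -> str:
    """First matching rule wins; an ACL with no match ends in an implicit deny."""
    for rule in acl:
        if _matches(src, rule.src, rule.src_wild) and _matches(dst, rule.dst, rule.dst_wild):
            return rule.action
    return "deny"


def is_checked(binding: str, bound_vlan: int, vlan_of: Dict[str, int], src: str, dst: str) -> bool:
    """Does a packet src -> dst pass through this ACL at all?"""
    if vlan_of[src] == bound_vlan:        # ingress: arrives from a port in the bound VLAN
        return True
    if binding == "vlan" and vlan_of[dst] == bound_vlan:   # egress into the VLAN (hypothesis)
        return True
    return False


def flow_allowed(acl: List[Rule], binding: str, bound_vlan: int, vlan_of: Dict[str, int],
                 client: str, server: str) -> Tuple[bool, bool]:
    """Return (request permitted, reply permitted) for client -> server and its answer."""
    def verdict(src: str, dst: str) -> str:
        if not is_checked(binding, bound_vlan, vlan_of, src, dst):
            return "permit"   # this ACL never sees the packet
        return evaluate(acl, src, dst)
    return (verdict(client, server) == "permit", verdict(server, client) == "permit")


# Constructed sample topology: VLAN 10 (staff), VLAN 20 (printers), VLAN 30 (guests).
VLAN_OF = {"10.0.10.1": 10, "10.0.20.1": 20, "10.0.30.1": 30}

# The ACL from the post: only the request direction is permitted.
ACL_ONE_WAY = [Rule("permit", "10.0.10.1", "0.0.0.0", "10.0.20.1", "0.0.0.0")]
# Kim's proposed fix: add the return rule.
ACL_WITH_RETURN = ACL_ONE_WAY + [Rule("permit", "10.0.20.1", "0.0.0.0", "10.0.10.1", "0.0.0.0")]
# The workaround that "ruins the whitelist".
ACL_PERMIT_ANY = ACL_ONE_WAY + [PERMIT_ANY]


if __name__ == "__main__":
    for name, acl in (("one-way", ACL_ONE_WAY), ("with-return", ACL_WITH_RETURN),
                      ("permit-any", ACL_PERMIT_ANY)):
        for binding in ("port", "vlan"):
            printer = flow_allowed(acl, binding, 10, VLAN_OF, "10.0.10.1", "10.0.20.1")
            guest = flow_allowed(acl, binding, 10, VLAN_OF, "10.0.10.1", "10.0.30.1")[0]
            print(f"{name:12s} {binding:4s} printer (req, reply)={printer}  guest reachable={guest}")
```

Running the block shows the three outcomes side by side: the one-way ACL yields (True, True) when port-bound but (True, False) when VLAN-bound, adding the return rule restores (True, True) while the staff-to-guest request stays denied, and "permit any any" also gives (True, True) but makes the guest host reachable, which is exactly the loss of the whitelist the question describes.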