
Forum Discussion

jjmarcos
Aspirant
Dec 15, 2021
Solved

Setting up IP ACLs

Hello Netgear community,

It's my first post here, whoever is reading this post, thank you and it's nice to e-meet you!


I need some help setting up IP ACLs on my switch, an XS716T running the official software 7.0.0.24.

I'm kind of following this article but there are a few differences.

I realize this article wasn't written for my switch model, but I think it's close enough.


The main difference is that I only have two VLANs, the default VLAN (1) and another one (50). I intend to use the latter to have some services available to the outside world for testing purposes.

The goal is that equipment in VLAN 1 can reach VLAN 50, but not the other way around.

Also, since there will be published services, machines on VLAN 50 must be able to reach the Internet and be reachable through the Internet (ports will be redirected in the router).


Note: I'm not sure why the images are not showing up. Please find them here:

https://www.filehosting.org/file/details/973079/screenshots.zip


Below these lines you can find the current VLAN and routing configuration.


As it stands, equipment in both VLANs is able to reach each other as well as the Internet.


I've tried to apply ACLs, but I'm pretty sure the whole problem is that I don't really understand how ACLs work (sorry). So, I'm not able to find the right ones. I always ended up in a situation where both VLANs are isolated from each other.


Any assistance will be greatly appreciated. Also, if I have done something wrong on the routing side of things, please do let me know.


Thank you!

2 Replies

  • The images/screenshots are now appearing.

    Any insights about this will be greatly appreciated.

    Thanks!

      jjmarcos
      Aspirant

      It seems I'm replying just to myself. But it is what it is :smileyindifferent:


      Anyway, found this article:

      https://howdoesinternetwork.com/2012/allow-vlan-access-but-no-back


      My conclusion after doing some research is that my XS716T switch does not support what I intend to do. There is no way I can specify the type of the TCP flag. Hence, I cannot set that "established" one the article is mentioning.


      The closest approach I've got is that I was able to block ping / ICMP traffic from the VLAN 50 to the VLAN 1 and not the other way around. But the actual application traffic still flows. So, I can still open an SSH session from a machine on VLAN 50 to another one on VLAN 1, which was one of the things I wanted to avoid.


      Regards
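The follow-up above boils down to one question: how does a stateless ACL let VLAN 1 open sessions into VLAN 50 while refusing sessions opened from VLAN 50, and why does the "established" keyword from the linked article matter? The simulation below is an added example, not configuration from the XS716T or from the poster; the subnets (192.168.1.0/24 for VLAN 1, 192.168.50.0/24 for VLAN 50, 203.0.113.5 as an Internet host) are constructed. It models an ordered, first-match ACL applied to traffic sent by hosts on VLAN 50, where "established" means a TCP segment with ACK or RST set, i.e. not the opening SYN of a new connection.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addresses; the thread does not give the real subnets.
VLAN1 = ipaddress.ip_network("192.168.1.0/24")
VLAN50 = ipaddress.ip_network("192.168.50.0/24")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    dport: int = 0
    ack: bool = False   # TCP ACK flag
    rst: bool = False   # TCP RST flag


def established(pkt: Packet) -> bool:
    """'established' as in classic router ACLs: TCP with ACK or RST set.
    The opening SYN of a new connection has neither, so it does not match."""
    return pkt.proto == "tcp" and (pkt.ack or pkt.rst)


def from_to(pkt: Packet, src_net, dst_net) -> bool:
    return (ipaddress.ip_address(pkt.src) in src_net
            and ipaddress.ip_address(pkt.dst) in dst_net)


# Ordered ACL applied to traffic that hosts on VLAN 50 send (inbound on
# the VLAN 50 interface). First matching entry wins.
ACL_VLAN50_IN = [
    ("permit", "TCP replies to sessions opened from VLAN 1",
     lambda p: from_to(p, VLAN50, VLAN1) and established(p)),
    ("deny", "any other VLAN 50 -> VLAN 1 traffic",
     lambda p: from_to(p, VLAN50, VLAN1)),
    ("permit", "VLAN 50 -> Internet and everything else",
     lambda p: True),
]


def evaluate(acl, pkt: Packet):
    """Return (action, reason) for the first entry that matches, or implicit deny."""
    for action, reason, match in acl:
        if match(pkt):
            return action, reason
    return "deny", "implicit deny at end of ACL"


def demo() -> dict:
    """Run representative packets sent by a VLAN 50 host through the ACL."""
    cases = {
        # A VLAN 50 host trying to open SSH to VLAN 1: opening SYN, no ACK.
        "ssh_syn_50_to_1": Packet("192.168.50.10", "192.168.1.20", "tcp", 22),
        # The SYN-ACK a VLAN 50 server sends back to a client on VLAN 1.
        "synack_50_to_1": Packet("192.168.50.10", "192.168.1.20", "tcp", 40000, ack=True),
        # Published service answering an Internet client (ports forwarded on the router).
        "tcp_50_to_internet": Packet("192.168.50.10", "203.0.113.5", "tcp", 443, ack=True),
        # ICMP has no ACK bit, so echo replies to a VLAN 1 ping are dropped too.
        "icmp_50_to_1": Packet("192.168.50.10", "192.168.1.20", "icmp"),
        # Caveat: a stateless match cannot tell a genuine reply from any
        # segment that merely carries the ACK bit; only stateful inspection can.
        "ack_only_50_to_1": Packet("192.168.50.10", "192.168.1.20", "tcp", 22, ack=True),
    }
    return {name: evaluate(ACL_VLAN50_IN, pkt)[0] for name, pkt in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22s} {verdict}")
```

The run shows what the poster observed: without a way to match TCP flags, the only entries available are "deny VLAN 50 -> VLAN 1" (which also drops the SYN-ACKs VLAN 50 servers send back, so VLAN 1 can no longer reach VLAN 50) or per-protocol denies such as ICMP, which leave SSH flowing. With flag matching, the first entry lets replies through while new connections from VLAN 50 are refused; the price is that UDP and ICMP from VLAN 50 to VLAN 1 are blocked entirely, and that any ACK-bearing segment passes. Where that last point matters, a stateful firewall on the router is the proper place to enforce the one-way policy, not a switch ACL.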
