M4300 VLAN ACL

MasterPhil
Tutor

M4300 VLAN ACL

Hello,

I'm going to configure some VLANs on an M4300. Our network will be designed as Spine-Leaf. While the M4300 is routing the VLANs, the S3300 models are for connecting the clients to the network.

Now I configured the following VLANs on all switches; inter-VLAN routing is working.

VLAN 10: Management
Network: 172.16.10.0/24

VLAN 20: Server
Network: 172.16.20.0/24

VLAN 30: Clients 1
Network: 172.16.30.0/24

VLAN 40: Clients 2
Network: 172.16.40.0/24

VLAN 50: Guest
Network: 172.16.50.0/24

I want to separate the VLANs with ACLs, so I have to configure them on our Layer 3 switch. I created on the M4300 an IP ACL with some extended ACL rules. For testing I wanted to stop the guests from connecting to other VLANs, but I want to allow that the Management VLAN can connect to the guests. So I want to separate only one direction. When setting the following ACL, traffic is separated in both directions. How can I get it working in only one direction?

The ACL has the following settings:

IP ACL e.g. 110

IP Extended ACL:

Rule 1 Deny | Match Every False | Src 172.16.50.0 0.0.0.255 | Dst 172.16.10.0 0.0.0.255
Rule 2 Deny | Match Every False | Src 172.16.50.0 0.0.0.255 | Dst 172.16.20.0 0.0.0.255
Rule 3 Deny | Match Every False | Src 172.16.50.0 0.0.0.255 | Dst 172.16.30.0 0.0.0.255
Rule 4 Deny | Match Every False | Src 172.16.50.0 0.0.0.255 | Dst 172.16.40.0 0.0.0.255
Rule 5 Permit | Match Every True

I bound this ACL to VLAN 50:

VLAN ID 50 | Direction InBound | Sequence 1 | ACL Type IP ACL | ACL ID e.g. 110

I'm understanding the rules so that traffic from the defined source (VLAN 50) will be blocked to the destination (all other VLANs). But in my case, the traffic is blocked in both ways.
This is the only ACL I created (to separate guests in ONE WAY).

What's my failure? Can you give me some screenshots of how I have to set the rules correctly?

Model: GSM4328PA|M4300-28G-PoE+ - 24x1G PoE+ Stackable Managed Switch with 2x10GBASE-T and 2xSFP+ (550W PSU)
Message 1 of 3
DaneA
NETGEAR Employee Retired

Re: M4300 VLAN ACL

Hi @MasterPhil,

I raised your concern with the higher tier of NETGEAR Support and got feedback today. As per the higher tier of NETGEAR Support, you can use extended ACLs with TCP flags. As a reference guide, kindly read pages 172-186 of the M4300 user manual here on how to configure it.

Regards,

DaneA

NETGEAR Community Team

Message 2 of 3
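To make the behaviour in this thread concrete, here is an added example (my own illustration, not NETGEAR code and not from either poster) that models a stateless extended ACL the way the rules above are evaluated: first match wins, wildcard masks, implicit deny at the end. It shows why the ACL bound inbound on VLAN 50 also kills management-to-guest sessions (the guest's reply packets enter the switch from VLAN 50 and hit rule 1) and how the TCP-flag approach DaneA mentions changes that: a permit rule for TCP segments that already carry ACK lets replies through while a fresh SYN from the guest side is still denied. The host addresses 172.16.10.5 and 172.16.50.20, the `Packet`/`Rule` classes and the `ack_set` attribute are constructed for the illustration; the switch's real syntax for flag matching is in the manual pages cited above.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple, FrozenSet

# Constructed model of a stateless IP extended ACL (not NETGEAR firmware code):
# rules are evaluated in order, the first match decides, anything unmatched is denied.

Match = Optional[Tuple[str, str]]  # (network, wildcard mask) or None meaning "Match Every"


def wildcard_match(ip: str, network: str, wildcard: str) -> bool:
    """True when ip equals network on every bit that the wildcard mask sets to 0."""
    ip_i = int(ipaddress.IPv4Address(ip))
    net_i = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (ip_i & care) == (net_i & care)


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    src: Match = None            # None corresponds to "Match Every" on the source
    dst: Match = None
    proto: Optional[str] = None  # "tcp", "udp", "icmp" or None for any protocol
    ack_set: bool = False        # hypothetical flag: match only TCP segments with ACK set


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    flags: FrozenSet[str] = frozenset()


def evaluate(acl, pkt):
    """Return (action, rule_number) of the first matching rule, or ("deny", 0)."""
    for number, rule in enumerate(acl, start=1):
        if rule.src and not wildcard_match(pkt.src, *rule.src):
            continue
        if rule.dst and not wildcard_match(pkt.dst, *rule.dst):
            continue
        if rule.proto and rule.proto != pkt.proto:
            continue
        if rule.ack_set and not (pkt.proto == "tcp" and "ACK" in pkt.flags):
            continue
        return rule.action, number
    return "deny", 0  # implicit deny at the end of every ACL


GUEST = ("172.16.50.0", "0.0.0.255")
INTERNAL = [("172.16.10.0", "0.0.0.255"), ("172.16.20.0", "0.0.0.255"),
            ("172.16.30.0", "0.0.0.255"), ("172.16.40.0", "0.0.0.255")]

# Rules 1-5 exactly as posted. Bound inbound on VLAN 50, the ACL only ever sees
# packets entering the switch from the guest VLAN, including replies to sessions
# that a management host opened.
ACL_AS_POSTED = [Rule("deny", GUEST, dst) for dst in INTERNAL] + [Rule("permit")]

# Same ACL with one "established"-style rule in front: guest-to-management TCP
# segments that already carry ACK belong to a session somebody else started,
# so they are permitted before the deny rule is reached.
ACL_ESTABLISHED = [Rule("permit", GUEST, INTERNAL[0], proto="tcp", ack_set=True)] + ACL_AS_POSTED


def management_session_reply_allowed(acl) -> bool:
    """Does the SYN/ACK a guest host returns to a management host get through?"""
    syn_ack = Packet("172.16.50.20", "172.16.10.5", "tcp", frozenset({"SYN", "ACK"}))
    return evaluate(acl, syn_ack)[0] == "permit"


def guest_initiated_allowed(acl) -> bool:
    """Does a brand-new connection from a guest host to management get through?"""
    syn = Packet("172.16.50.20", "172.16.10.5", "tcp", frozenset({"SYN"}))
    return evaluate(acl, syn)[0] == "permit"


if __name__ == "__main__":
    for name, acl in (("as posted", ACL_AS_POSTED), ("with ACK rule", ACL_ESTABLISHED)):
        print(f"{name}: reply to management allowed={management_session_reply_allowed(acl)}, "
              f"guest-initiated allowed={guest_initiated_allowed(acl)}")
```

Two caveats a practitioner should keep in mind: the ACK-based permit only helps TCP, so ICMP (ping) and UDP from management into the guest VLAN still fail, because a stateless ACL has no way to tell a reply from a new flow; and it is an approximation of "established", not connection tracking, since any ACK-marked segment from the guest side matches it. A true one-directional policy for all protocols needs a stateful firewall between the VLANs.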
MasterPhil
Tutor

Re: M4300 VLAN ACL

Thank you, but it did not work for us. We have the same problem as the guy in this case:

https://community.netgear.com/t5/Managed-Switches/M5300-oneway-VLAN-Routing/td-p/1673558

We do not want to bind to ports but to VLANs. We have a dozen switches and VLANs routed via a stack of M4300. So there are only VLAN trunks to all edge switches.
Message 3 of 3