M4300 VLAN ACL
Hello,
I'm going to configure some VLANs on an M4300. Our network will be designed as spine-leaf. While the M4300 is routing the VLANs, the S3300 models are for connecting the clients to the network.
Now I have configured the following VLANs on all switches; inter-VLAN routing is working.
VLAN 10: Management
Network: 172.16.10.0/24
VLAN 20: Server
Network: 172.16.20.0/24
VLAN 30: Clients 1
Network: 172.16.30.0/24
VLAN 40: Clients 2
Network: 172.16.40.0/24
VLAN 50: Guest
Network: 172.16.50.0/24
I want to separate the VLANs with ACLs, so I have to configure them on our Layer 3 switch. I created an IP ACL with some extended ACL rules on the M4300. For testing I wanted to stop the guests from connecting to other VLANs, but allow the Management VLAN to connect to the guests. So I want to separate only one direction. When setting the following ACL, traffic is separated in both directions. How can I get it working in only one direction?
The ACL has the following settings:
IP ACL e. g. 110
IP Extended ACL:
Rule 1 Deny | Match Every False | Src 172.16.50.0 0.0.0.255 | Dst 172.16.10.0 0.0.0.255
Rule 2 Deny | Match Every False | Src 172.16.50.0 0.0.0.255 | Dst 172.16.20.0 0.0.0.255
Rule 3 Deny | Match Every False | Src 172.16.50.0 0.0.0.255 | Dst 172.16.30.0 0.0.0.255
Rule 4 Deny | Match Every False | Src 172.16.50.0 0.0.0.255 | Dst 172.16.40.0 0.0.0.255
Rule 5 Permit | Match Every True
I bound this ACL to VLAN 50:
VLAN ID 50 | Direction InBound | Sequence 1 | ACP Type IP ACL | ACL ID e. g. 110
I understand the rules to mean that traffic from the defined source (VLAN 50) will be blocked to the destination (all other VLANs). But in my case, the traffic is blocked both ways.
This is the only ACL I created (to separate the guests in ONE WAY).
What's my mistake? Can you give me some screenshots showing how I have to set the rules correctly?
Re: M4300 VLAN ACL
Hi @MasterPhil,
I escalated your concern to the higher tier of NETGEAR Support and got feedback today. As per the higher tier of NETGEAR Support, you can use extended ACLs with TCP flags. As a reference guide, kindly read pages 172-186 of the M4300 user manual here on how to configure it.
Regards,
DaneA
NETGEAR Community Team
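As an added illustration (not part of this thread or NETGEAR's own code), the following Python model of a stateless extended ACL shows why the poster's rules block both directions and how a TCP-flag rule of the kind DaneA points to permits only the guest side's replies. The `Rule`/`Packet` classes, the host addresses and the "permit TCP with ACK or RST first" rule order are constructed assumptions; the ACL is evaluated as bound inbound on VLAN 50, so it only ever sees guest-sourced packets.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional
# Constructed model of a stateless extended IP ACL: first matching rule wins,
# unmatched packets hit the implicit deny, and no state is kept between packets.
@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    flags: FrozenSet[str] = frozenset()      # TCP flags set on this segment

@dataclass(frozen=True)
class Rule:
    action: str                              # "permit" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None              # None matches any protocol
    flags_any: FrozenSet[str] = frozenset()  # if set, at least one flag must match

    def matches(self, p: Packet) -> bool:
        in_src = ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
        in_dst = ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
        proto_ok = self.proto is None or self.proto == p.proto
        flags_ok = not self.flags_any or bool(self.flags_any & p.flags)
        return in_src and in_dst and proto_ok and flags_ok

def evaluate(acl: List[Rule], p: Packet) -> str:
    for rule in acl:
        if rule.matches(p):
            return rule.action
    return "deny"                            # implicit deny at the end of every ACL

GUEST = "172.16.50.0/24"
OTHER_VLANS = ["172.16.10.0/24", "172.16.20.0/24", "172.16.30.0/24", "172.16.40.0/24"]
DENY_GUEST = [Rule("deny", GUEST, net) for net in OTHER_VLANS]
# The poster's ACL: four denies, then "permit match every".
ORIGINAL_ACL = DENY_GUEST + [Rule("permit")]
# One-way variant: first permit TCP segments carrying ACK or RST (replies to a
# session opened from the other side), then the denies, then the catch-all permit.
ESTABLISHED = Rule("permit", GUEST, proto="tcp", flags_any=frozenset({"ACK", "RST"}))
ONE_WAY_ACL = [ESTABLISHED] + DENY_GUEST + [Rule("permit")]
# Constructed sample traffic as seen inbound on VLAN 50 (always guest-sourced).
GUEST_SYN = Packet("172.16.50.20", "172.16.10.5", flags=frozenset({"SYN"}))
REPLY_TO_MGMT = Packet("172.16.50.20", "172.16.10.5", flags=frozenset({"SYN", "ACK"}))
GUEST_UDP_REPLY = Packet("172.16.50.20", "172.16.10.5", proto="udp")

def session_results(acl: List[Rule]) -> dict:
    return {"guest_initiates": evaluate(acl, GUEST_SYN),
            "guest_replies_tcp": evaluate(acl, REPLY_TO_MGMT),
            "guest_replies_udp": evaluate(acl, GUEST_UDP_REPLY)}
```

The flag-based rule only covers TCP: UDP and ICMP replies from the guests stay blocked, and because the switch keeps no session state, any guest packet carrying ACK or RST is permitted whether or not a real session exists, which is the known limitation of stateless "established" matching.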
Re: M4300 VLAN ACL
https://community.netgear.com/t5/Managed-Switches/M5300-oneway-VLAN-Routing/td-p/1673558
We do not want to bind to ports but to VLANs. We have a dozen switches and VLANs routed via a stack of M4300s. So there are only VLAN trunks to all edge switches.