
Re: M4300 VLAN ACL




I'm going to configure some VLANs on an M4300. Our network will be designed as spine-leaf. While the M4300 is routing the VLANs, the S3300 models are for connecting the clients to the network.


Now I configured the following VLANs on all Switches - Inter VLAN Routing is working.


VLAN 10: Management
VLAN 20: Server
VLAN 30: Clients 1
VLAN 40: Clients 2
VLAN 50: Guest



I want to separate the VLANs with an ACL, so I have to configure them on our Layer 3 switch. I created on the M4300 an IP ACL with some extended ACLs. For testing I wanted to stop the guests from connecting to other VLANs, but want to allow that the Management VLAN can connect to the guests. So I want to separate one direction. When setting the following ACL, traffic is separated in both directions. How can I get it working in only one direction?

ACL has following settings:


IP ACL e. g. 110


IP Extended ACL:

Rule 1 Deny | Match Every False | Src | Dst
Rule 2 Deny | Match Every False | Src | Dst
Rule 3 Deny | Match Every False | Src | Dst
Rule 4 Deny | Match Every False | Src | Dst
Rule 5 Permit | Match Every True


I bound this ACL to VLAN 50:

VLAN ID 50 | Direction InBound | Sequence 1 | ACP Type IP ACL | ACL ID e. g. 110


I understand the rules to mean that traffic from the defined source (VLAN 50) will be blocked to the destination (all other VLANs). But in my case, the traffic is blocked both ways.
This is the only ACL I created (to separate guests in ONE WAY).

What's my failure? Can you give me some screenshots of how I have to set the rules correctly?

Model: GSM4328PA|M4300-28G-PoE+ - 24x1G PoE+ Stackable Managed Switch with 2x10GBASE-T and 2xSFP+ (550W PSU)
Message 1 of 3
NETGEAR Employee Retired

Re: M4300 VLAN ACL

Hi @MasterPhil,


I raised your concern with the higher tier of NETGEAR Support and got feedback today. As per the higher tier of NETGEAR Support, you can use extended ACLs with a TCP flag match. As a reference guide, kindly read pages 172-186 of the M4300 user manual here on how to configure it.






NETGEAR Community Team

Message 2 of 3
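Why the original ACL blocks both directions, and what the TCP-flag suggestion changes, can be seen with a small stateless first-match ACL simulator. This is an added example, not code from the thread or from NETGEAR; the addresses are assumed, and it reduces the ACL to the guest/management pair (the real ACL has one deny per destination VLAN). The key point is that an ACL bound inbound on VLAN 50 only ever sees guest-sourced segments, so the guest's SYN/ACK reply to a management-initiated connection hits the same deny rule as a guest-initiated SYN.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing for the thread's VLANs (assumed, not from the post).
MGMT = ipaddress.ip_network("10.0.10.0/24")    # VLAN 10
GUEST = ipaddress.ip_network("10.0.50.0/24")   # VLAN 50
ANY = ipaddress.ip_network("0.0.0.0/0")

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flags: frozenset = frozenset()   # TCP flags on the segment, e.g. {"SYN"} or {"SYN", "ACK"}

@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    src: ipaddress.IPv4Network = ANY
    dst: ipaddress.IPv4Network = ANY
    established: bool = False        # match only segments carrying ACK or RST (replies in a session)

    def matches(self, pkt):
        in_src = ipaddress.ip_address(pkt.src) in self.src
        in_dst = ipaddress.ip_address(pkt.dst) in self.dst
        flags_ok = not self.established or bool(pkt.flags & {"ACK", "RST"})
        return in_src and in_dst and flags_ok

def evaluate(acl, pkt):
    """Stateless first-match evaluation; no match means deny, as on the switch."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return "deny"

# The poster's ACL as bound inbound on VLAN 50: deny guest -> mgmt, then permit the rest.
ORIGINAL_ACL = (Rule("deny", GUEST, MGMT), Rule("permit"))

# Revised ACL: permit guest -> mgmt only for segments with ACK/RST set, i.e. replies to
# sessions the management side opened; a fresh SYN from a guest still hits the deny.
REVISED_ACL = (Rule("permit", GUEST, MGMT, established=True),
               Rule("deny", GUEST, MGMT),
               Rule("permit"))

# Only guest-sourced segments enter on VLAN 50, so only these two kinds reach the ACL:
GUEST_OPENS = Packet("10.0.50.20", "10.0.10.5", frozenset({"SYN"}))           # guest connects to mgmt
GUEST_REPLIES = Packet("10.0.50.20", "10.0.10.5", frozenset({"SYN", "ACK"}))  # guest answers a mgmt SYN

def decisions(acl):
    return {"guest_initiated": evaluate(acl, GUEST_OPENS),
            "reply_to_mgmt": evaluate(acl, GUEST_REPLIES)}

if __name__ == "__main__":
    print("original:", decisions(ORIGINAL_ACL))  # reply denied -> mgmt cannot reach guests either
    print("revised: ", decisions(REVISED_ACL))   # reply permitted, guest-initiated still denied
```

The flag match is still stateless and TCP-only: UDP and ICMP replies from the guest VLAN need their own rules, and the permit is only as strong as the flag check, so treat it as segmentation rather than a stateful firewall.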

Re: M4300 VLAN ACL

Thank you, but it did not work for us. We have the same problem as the guy in this case:


We do not want to bind to ports but to VLANs. We have a dozen switches and VLANs routed via a stack of M4300. So there are only VLAN trunks to all edge switches.
Message 3 of 3