
ACL rules

hacesoft
Tutor

ACL rules

Good evening,

I have 4 VLANs for the switches. I played with ACL rules and I was not successful. I always blocked my entire switch perfectly with the first rule.

Information I draw from:

- https://drive.google.com/file/d/0B4PuVEYxkQ5ocDhobmZrS1JmNmc/view

- https://drive.google.com/file/d/157I76Cj18C2t3QgM5fRSPNTZuxVvec11/view

I only want to define Internet access on VLAN30. From VLAN11, disable access to the switch and to some specific addresses from VLAN20. VLAN20: unblocked access to any VLAN. Internet is on VLAN10.

The IP address of VLAN10 is: 192.168.10.1

The IP address of VLAN11 is: 192.168.11.1

The IP address of VLAN20 is: 192.168.20.1

The IP address of VLAN30 is: 192.168.30.1

Can you direct me on how to write ACL rules... somehow I get lost...

Thank you for any information...

Model: GS724Tv4|ProSafe 24 ports Gigabit Smart switch
Message 1 of 7


All Replies
kevin_hong
Apprentice

Re: ACL rules

Hi hacesoft,

Welcome to the community,

Let's clarify your request one by one.

1. Management switch: only a special IP address can log in to and manage the switch

--- you can set access control, then no other address is accessible

2. Disable access to a special address from VLAN 11 to VLAN 20, right?

--- I need more detailed information about it, such as: deny VLAN 11 IP address 192.168.11.10 access to VLAN 20 192.168.20.20.

Please provide more detailed requirements for the ACL.

Thank you

Model: GS724Tv4|ProSafe 24 ports Gigabit Smart switch
Message 2 of 7
hacesoft
Tutor

Re: ACL rules

Good evening,

In the attachment I send a picture describing how I want to configure my home network.

Perhaps it is more visual than a verbal description...

Message 3 of 7
kevin_hong
Apprentice

Re: ACL rules

Hi hacesoft,

Thank you for your feedback.

First, let's clarify your needs.

1. Only one PC can access and manage your switch (you don't need a configured VLAN 40)

--- you can set access-control on your switch

2. VLAN 11 permits access to the internet and the special addresses camera_1 / camera_2, right?

3. VLAN 20 permits access to all VLANs and does not permit access to the internet,

4. VLAN 30 only permits access to the internet

Are these correct? Did I miss anything?

Model: GS724Tv4|ProSafe 24 ports Gigabit Smart switch
Message 4 of 7
hacesoft
Tutor

Re: ACL rules

Good evening,

Almost everything is right, but the stimulus difference is that I want the VLAN20 too.

Otherwise you understand it well from the drawing.

Message 5 of 7
hacesoft
Tutor

Re: ACL rules

1. Only one PC can access and manage your switch (you don't need a configured VLAN 40)

--- you can set access-control on your switch

OK

2. VLAN 11 permits access to the internet and the special addresses camera_1 / camera_2, right?

YES

3. VLAN 20 permits access to all VLANs and does not permit access to the internet,

YES + permit access internet

4. VLAN 30 only permits access to the internet

YES

Message 6 of 7
kevin_hong
Apprentice

Re: ACL rules

Hi hacesoft,

Please follow the configuration below:

2. VLAN 11 permits access to the internet and the special addresses camera_1 / camera_2, right?

Configure IP ACL "VLAN11":

permit destination address 192.168.20.20 --- permit the special address to be accessed from VLAN 11

deny destination subnet 192.168.20.0 0.0.0.255 --- deny the 192.168.20.0/24 subnet

deny destination subnet 192.168.30.0 0.0.0.255 --- deny the 192.168.30.0/24 subnet

permit any any --- permit access to the internet and other IP addresses

Bind it to your VLAN 11 ports inbound.

3. VLAN 20 permits access to all VLANs and does not permit access to the internet,

You can just delete the 192.168.20.0 (VLAN 20) static route on your router.

4. VLAN 30 only permits access to the internet

deny destination subnet 192.168.20.0 0.0.0.255

deny destination subnet 192.168.30.0 0.0.0.255

permit any any

Bind it to your VLAN 30 ports inbound.

Notes:

Please see the attached examples about IP ACLs.

Model: GS724Tv4|ProSafe 24 ports Gigabit Smart switch
Message 7 of 7
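To see why rule order decided the outcome in hacesoft's first attempts, here is an added Python simulation of first-match ACL evaluation with the wildcard masks used in the VLAN 11 ACL above; it is not code from the post or from NETGEAR, and the implicit deny at the end of the ACL (the `default` parameter) is an assumption, not something the post states.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Wildcard-mask match as written in the post: a 1 bit in the mask means
    'don't care', so 0.0.0.255 compares only the first 24 bits and 0.0.0.0
    requires an exact host match."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)

@dataclass
class Rule:
    action: str                 # "permit" or "deny"
    dst: str                    # destination host/network, or "any"
    wildcard: str = "0.0.0.0"   # default: exact host

    def matches(self, dst_ip: str) -> bool:
        return self.dst == "any" or wildcard_match(dst_ip, self.dst, self.wildcard)

def evaluate(acl: List[Rule], dst_ip: str, default: str = "deny") -> Tuple[str, int]:
    """Return (action, 1-based index of the first matching rule). `default`
    models the implicit deny at the end of the ACL (assumed here, as on most
    ACL implementations); the post's final 'permit any any' overrides it."""
    for idx, rule in enumerate(acl, start=1):
        if rule.matches(dst_ip):
            return rule.action, idx
    return default, 0

# The VLAN 11 ACL exactly as given in the accepted solution.
VLAN11_ACL = [
    Rule("permit", "192.168.20.20"),              # camera reachable
    Rule("deny",   "192.168.20.0", "0.0.0.255"),  # rest of VLAN 20 blocked
    Rule("deny",   "192.168.30.0", "0.0.0.255"),  # VLAN 30 blocked
    Rule("permit", "any"),                        # internet and everything else
]

# Same four rules with the host permit moved below the /24 deny: the camera
# now hits the deny first and the permit is never reached.
MISORDERED_ACL = [VLAN11_ACL[1], VLAN11_ACL[0], VLAN11_ACL[2], VLAN11_ACL[3]]

if __name__ == "__main__":
    # Constructed sample destinations: camera, another VLAN 20 host,
    # a VLAN 30 host and an internet address.
    for ip in ("192.168.20.20", "192.168.20.50", "192.168.30.5", "8.8.8.8"):
        print(f"{ip:15} ordered: {evaluate(VLAN11_ACL, ip)[0]:6} "
              f"misordered: {evaluate(MISORDERED_ACL, ip)[0]}")
```

Dropping the final `permit any any` leaves only deny rules, so with the assumed implicit deny every destination, internet included, is blocked; that is the "first rule blocked my entire switch" effect in miniature.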
Discussion stats
  • 6 replies
  • 2778 views
  • 0 kudos
  • 2 in conversation