Aspirant

gs716t - Access control Rules - Deny all requests except...

Hi Guys,

 

I just got a gs716t and I only want to be able to access the switch via HTTP/SSL from 192.168.0.238/255.255.255.0 and deny all other requests.

 

[attachment: Capture.JPG]

The question is, how do I deny all other requests?

 

Thanks,

Nicolas

Message 1 of 5
NETGEAR Moderator

Re: gs716t - Access control Rules - Deny all requests except...

Hi @nikouy,

 

Welcome to the community! :)

 

Let me share the article below and use it as your guide: 

 

Setting up VLANs & VLAN Routing with ACLs

 

 

Regards,

 

DaneA
NETGEAR Community Team

Message 2 of 5
NETGEAR Moderator

Re: gs716t - Access control Rules - Deny all requests except...

@nikouy,

 

I just want to follow up on this. Let us know if you have further questions.

 

 

Regards,

 

DaneA
NETGEAR Community Team

Message 3 of 5
Aspirant

Re: gs716t - Access control Rules - Deny all requests except...

Hi DaneA,

 

I don't have a firewall but a Netgear 6400 router instead. Is there any other way to achieve this, or use VLANs?

 

Thanks

Message 4 of 5
Prodigy

Re: gs716t - Access control Rules - Deny all requests except...

Hi @nikouy

 

You can do this with ACLs. However, if you are doing this for "security reasons" then you need VLANs as well. The reason is that ACLs are IP-based. But if we are all in the same layer 2 network (VLAN) then I can just change the IP of my computer and bypass the ACL. This will not be possible if VLANs are implemented as well.

 

A couple of things about the ACL.
1. You need to use extended ACLs.
2. You don't need to specifically allow HTTP/SSL to the switch. Instead, just allow the one PC (192.168.0.238, from what I can read) access and block everyone else.
3. ACLs use reversed subnet masks, called wildcard masks. This is REALLY important to remember.
4. You need a permit-all rule at the end of the ACL table. Otherwise, the ACL will stop ALL other traffic, like broadcast, multicast, etc. That would severely break your network!
5. You need to bind the ACL table to ports. These ACLs will be inbound, so make sure you bind the table on the ports where the traffic you want to block flows into the switch.

 

- Create extended ACL:
Security > ACL > Advanced > IP ACL > type 100 in the "IP ACL ID" field and click Add. This will create an extended ACL table, with ID 100.

 

- Click on the new ACL and add these rules:
Rule 1: Permit 192.168.0.238 (mask 0.0.0.0) to 192.168.0.x (mask 0.0.0.0). Replace 192.168.0.x with the actual IP of the switch.
Rule 2: Deny 0.0.0.0 (mask 255.255.255.255) to 192.168.0.x (mask 0.0.0.0). Replace 192.168.0.x with the actual IP of the switch.
Rule 3: Permit every match=true.

 

- Bind the rule on the ports where the traffic you want to block is coming inbound:
Security > ACL > Advanced > IP Binding Configuration


Cheers!

Former NETGEAR Employee.
Views and opinions are my own.
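The three-rule table above is easy to get wrong because of the wildcard-mask semantics and the first-match order. The following Python script is an added example (not from the original post and not NETGEAR code): it models the ACL 100 rules with wildcard matching, evaluates sample packets against the table, and shows what happens when rule 3 (the permit-all) is left out. The switch management address 192.168.0.10 is a constructed placeholder for "the actual IP of the switch".

```python
import ipaddress

# Constructed values: the thread only says "the actual IP of the switch",
# so 192.168.0.10 is an assumed placeholder. 192.168.0.238 is the admin PC
# named in the original question.
SWITCH_IP = "192.168.0.10"
ADMIN_PC = "192.168.0.238"


def wildcard_from_subnet_mask(mask: str) -> str:
    """Invert a subnet mask into the wildcard mask the ACL UI expects.

    255.255.255.0 -> 0.0.0.255, and a single host (255.255.255.255) -> 0.0.0.0.
    """
    m = int(ipaddress.IPv4Address(mask))
    return str(ipaddress.IPv4Address(m ^ 0xFFFFFFFF))


def matches(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard semantics: a 0 bit in the wildcard must match the base address,
    a 1 bit is 'don't care'. So wildcard 255.255.255.255 matches every address."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF  # bits that must match
    return (a & care) == (b & care)


# Each rule: (action, src, src_wildcard, dst, dst_wildcard).
# A rule with src=None is the "match every" rule from the thread.
ACL_100 = [
    ("permit", ADMIN_PC, "0.0.0.0", SWITCH_IP, "0.0.0.0"),             # rule 1
    ("deny", "0.0.0.0", "255.255.255.255", SWITCH_IP, "0.0.0.0"),      # rule 2
    ("permit", None, None, None, None),                                # rule 3
]


def evaluate(acl, src: str, dst: str) -> str:
    """First matching rule wins; a packet matching no rule hits the implicit deny.

    Note: the match keys on the source IP only (the thread's point about ACLs being
    IP-based), which is why the answer recommends VLANs for real isolation.
    """
    for action, s, sw, d, dw in acl:
        if s is None or (matches(src, s, sw) and matches(dst, d, dw)):
            return action
    return "deny"  # implicit deny at the end of every ACL table


def trace(acl, packets):
    """Return {(src, dst): action} for a batch of constructed packets."""
    return {(src, dst): evaluate(acl, src, dst) for src, dst in packets}


if __name__ == "__main__":
    # Constructed sample traffic: admin PC, another LAN host, and a broadcast.
    packets = [
        (ADMIN_PC, SWITCH_IP),
        ("192.168.0.50", SWITCH_IP),
        ("192.168.0.50", "192.168.0.255"),
    ]
    print("with rule 3:   ", trace(ACL_100, packets))
    print("without rule 3:", trace(ACL_100[:2], packets))
    print("wildcard for /24:", wildcard_from_subnet_mask("255.255.255.0"))
```

Running the script shows the admin PC permitted, the other host denied when it targets the switch, and broadcast traffic permitted only when rule 3 is present; with the first two rules alone, the broadcast falls through to the implicit deny, which is exactly the breakage point 4 in the answer warns about.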
Message 5 of 5