Recommended ACL configuration on Omada Switch for common scenarios

TL-SG2008P , TL-SG3452X , SG3452XMPP , TL-SG2218P , TL-SG3452XP , TL-SG2016P , SG2210XMP-M2 , SG3428XPP-M2 , SG3428XMPP , ER7406 , TL-SG2210P , SG2210MP , TL-SX3008F , ER7206 , ER8411 , TL-SL2428P , TL-SX3016F , SG2218 , SG3428 , TL-SG3452P , TL-SG3428X , ER605 , SG3218XP-M2 , SL2428P , TL-SG3428X-M2 , SG3210X-M2 , TL-SG3428XF , ER707-M2 , ER7412-M2 , TL-SG2210MP , SG3428X-M2 , SG3210 , SG3452 , TL-SG3428XPP-M2 , SX3032F , SG3452X , SG3210XHP-M2 , TL-SG3210XHP-M2 , SG2008 , TL-SG2428P , ER7212PC , SG3428XF , TL-SG2452 , SG2005P-PD , SG2428LP , SX3008F , SG3428MP , SG3428X , SG3452P , SX3016F , TL-SG3428X-UPS , SG2218P , SG2428P , SG2008P , SG3452XP , SG2452LP , TL-SG3428 , TL-SG2218 , SG2210P , SG2016P , TL-ER7206 , TL-SG3428MP , TL-SG2008 , ER706W-4G , TL-SG3210 , TL-SG3452 , ER605W , TL-SX3206HPP , SG3428XMP , TL-SG3428XMP , SX3206HPP , ER706W
Recent updates may have expanded access to feature(s) discussed in this FAQ. Visit your product's support page, select the correct hardware version for your device, and check either the Datasheet or the firmware section for the latest improvements added to your product. Please note that product availability varies by region, and certain models may not be available in your region.
Contents
Allow the access to specific resources only
Allow the access to the internal network only
Allow the access to the internet only
This article introduces how to manage the network by configuring ACLs in controller mode. It applies to:
- Omada Hardware/Software/Cloud-Based Controller V5.0 or above
VLAN (Virtual Local Area Network) technology divides a physical LAN into multiple logical LANs, i.e., VLANs. Hosts in the same VLAN can communicate directly with each other, while hosts in different VLANs cannot, which enhances the security of the LAN. When a LAN is divided into multiple VLANs, broadcast messages are confined to the VLAN they originate in: each VLAN forms its own broadcast domain, which effectively limits the scope of broadcasts. By using VLANs, different hosts can be assigned to different workgroups, and hosts in the same workgroup can be located in different physical locations, making network construction and maintenance more convenient and flexible.
Topology example: Hosts A and B belong to Network A (VLAN 10); Host D and the Server belong to Network B (VLAN 20). In this scenario, corresponding VLAN interfaces and address pools are typically created, so that clients connected to different networks obtain IP addresses from different subnets. Let's assume the Server's IP address is 192.168.20.10.
The interface/port configurations in the example are as follows:
Switch | Switch A | Switch A | Switch A | Switch B | Switch B | Switch C | Switch C
Port | 1 | 2 | 3 | 1 | Others | 1 | Others
Egress Rule | Tagged | Tagged | Tagged | Tagged | Untagged | Tagged | Untagged
Native Network | 1 | 1 | 1 | 1 | 10 | 1 | 20
VLAN | 1,10,20 | 1,10 | 1,20 | 1,10 | 10 | 1,20 | 20
(Port 1 of Switch B and Switch C is the uplink to Switch A; "Others" are the access ports for Network A and Network B respectively.)
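As an added illustration of the port table above (this is example code, not TP-Link or Omada controller code), the following Python model transcribes the port profiles and follows a frame from Host A through Switch B and Switch A. It shows the security property the VLAN section describes: a frame in VLAN 10 is only forwarded out of ports that are members of VLAN 10, so it never reaches Switch C (Network B) at layer 2. Two assumptions are made: Switch A port 1 (profile "All") is treated as the gateway uplink, and a frame in the native network leaves according to the Egress Rule while every other member VLAN always leaves tagged.

```python
# Added example (not TP-Link/Omada code): a minimal model of 802.1Q port
# membership for the three switches in the topology. The port profiles are
# transcribed from the port table; treating the Egress Rule as applying to the
# native network only (other member VLANs always leave tagged) is an assumption.
from dataclasses import dataclass


@dataclass(frozen=True)
class PortProfile:
    egress: str        # Egress Rule for the native network: "Tagged" or "Untagged"
    native: int        # Native Network: VLAN assigned to untagged ingress frames
    vlans: frozenset   # VLANs the port is a member of


# Port table from the article. "Others" stands for the access ports of Switch B / C;
# Switch A port 1 is bound to the "All" profile (assumed here to be the gateway uplink).
SWITCHES = {
    "Switch A": {1: PortProfile("Tagged", 1, frozenset({1, 10, 20})),
                 2: PortProfile("Tagged", 1, frozenset({1, 10})),
                 3: PortProfile("Tagged", 1, frozenset({1, 20}))},
    "Switch B": {1: PortProfile("Tagged", 1, frozenset({1, 10})),
                 "Others": PortProfile("Untagged", 10, frozenset({10}))},
    "Switch C": {1: PortProfile("Tagged", 1, frozenset({1, 20})),
                 "Others": PortProfile("Untagged", 20, frozenset({20}))},
}


def classify_ingress(profile, tag):
    """VLAN a received frame is placed in, or None if the port discards it.

    An untagged frame takes the port's native network; a tagged frame is only
    accepted if its VLAN is one the port is a member of."""
    if tag is None:
        return profile.native
    return tag if tag in profile.vlans else None


def forward(switch, ingress_port, tag):
    """Simulate one switch: classify the frame, then return every other port that
    forwards it, mapped to the tag it carries on egress (None = sent untagged)."""
    vlan = classify_ingress(SWITCHES[switch][ingress_port], tag)
    if vlan is None:
        return {}
    out = {}
    for port, prof in SWITCHES[switch].items():
        if port == ingress_port or vlan not in prof.vlans:
            continue  # non-member ports never carry this VLAN: the broadcast domain ends here
        out[port] = None if (vlan == prof.native and prof.egress == "Untagged") else vlan
    return out


def trace_host_a():
    """Host A sends an untagged frame into a Switch B access port. Follow it hop by
    hop and report whether it can reach Switch C (Network B) at layer 2."""
    hop_b = forward("Switch B", "Others", None)   # leaves Switch B port 1 tagged 10
    hop_a = forward("Switch A", 2, hop_b[1])      # Switch A port 2 accepts tag 10
    reaches_switch_c = 3 in hop_a                 # port 3 is a member of 1,20 only
    return hop_b, hop_a, reaches_switch_c


if __name__ == "__main__":
    print(trace_host_a())              # ({1: 10}, {1: 10}, False)
    # A frame tagged 20 injected into Switch B's uplink is discarded: 20 is not a member VLAN there.
    print(forward("Switch B", 1, 20))  # {}
```

The trace ends at Switch A port 1, the gateway uplink: the only way for Network A to reach Network B is through the VLAN interfaces on the gateway, which is why inter-VLAN traffic is governed by the ACLs configured in the scenarios below rather than by port membership alone.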
Allow the access to specific resources only
Network A and Network B are not allowed to communicate with each other, but Network A is allowed to access specific servers in Network B.
Step 1. Configure network ports and interfaces.
Go to Settings > Site Setting > Wired Networks > LAN and click Create New LAN to start creating the interfaces of VLAN 10 and VLAN 20.
Step 2. Create both interfaces by specifying their relevant parameters. After entering the subnet IP, click Update IP Range to update the IP address pool range of this subnet. Leave the other options as default, and click Apply to complete.
Step 3. Create a port profile for each switch and bind it to the corresponding port.
On the LAN configuration page in the previous step, click Profile > Create New Port Profile to create a port profile. When creating a VLAN interface, the controller will automatically create a profile for the corresponding network (Network A, Network B). You can then directly apply it to the access port of the corresponding switch.
Create a profile for the uplink port of Switch B and Switch C with the parameters from the port table above (Egress Rule Tagged, Native Network 1; VLANs 1,10 for Switch B and 1,20 for Switch C).
Then bind each profile to the corresponding port: click Devices in the navigation bar, and then go to Switch A > Ports > ACTION to edit the port profiles of Switch A. Bind Port 1 to the profile "All", and bind Port 2 (connected to Switch B) and Port 3 (connected to Switch C) to the uplink profiles of Switch B and Switch C respectively.
Perform the same operation on Switch B and Switch C: bind the uplink profile created above to Port 1 of each switch, and bind the access ports of Switch B to the Network A profile and those of Switch C to the Network B profile.
Step 4. Create an ACL to deny mutual access between Network A and Network B.
Go to Site Settings > Network Security > ACL > Switch ACL and click Create New Rule.
Configure the rule to deny traffic between Network A and Network B, enable Bi-Directional in Advanced Settings so that the rule matches both directions, and apply this ACL to all ports on Switch B and Switch C.
Step 5. Create an ACL to allow Network A to access a specific server in Network B.
Go to Site Settings > Profile > Groups > Create New Group, select IP Group for Type, and enter the server address (192.168.20.10 in this example) for IP Subnet. To add multiple IPs to the Group, click Add Subnet.
Step 6. Create an ACL to allow VLAN 10 to access the Server IP Group, and apply this ACL to all ports of Switch B and C.
Note: When finished, review the complete ACL list. Because the ACLs take effect based on a top-down priority, the two A_to_B_Server_permit ACLs must be moved to the top of the list, above the deny rule created in Step 4; otherwise the deny rule matches first and the Server remains unreachable from Network A. (The original screenshots show the list before and after reordering.)
Allow the access to the internal network only
You can restrict a specific VLAN (network)’s access to the internet, and only allow it to access the internal network.
After completing the network configuration based on the previous topology, assume the following requirement: devices connected to Network A cannot access the internet but can access the other internal networks. Because the TP-Link switch ACL works as a blacklist by default (traffic that matches no entry is permitted), you need to first create a Permit ACL from Network A to all other subnets, and then create an ACL that denies any other access for Network A.
Step 1. Go to Site Settings > Network Security > ACL > Switch ACL > Create New Rule, and configure the parameters as follows to allow Network A to access all subnets:
Step 2. Apply this ACL to all ports on Switch B.
Create an ACL that denies all access for Network A, which can be realized through IPGroup_Any, and apply this ACL to all ports on Switch B as well.
When complete, all ACL entries are as follows:
Allow the access to the internet only
You can allow a specific VLAN to access the internet, and restrict its access to the internal network (guest network requirement).
Complete the interface and port configurations based on the previous topology.
Step 1. Create an ACL to deny Network A's access to all other subnets. Refer to Scenario 2 and apply this ACL to all ports of Switch B.
Step 2. Create an ACL to allow access for Network A, which can also be realized through IPGroup_Any, and apply it to all ports of Switch B.
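The following Python model is an added example (not TP-Link or Omada controller code) that reproduces the three ACL lists built in the scenarios above under the semantics the article states: entries are evaluated top-down, the first match decides, and traffic that matches no entry is permitted. It demonstrates why the two A_to_B_Server_permit entries must sit above the deny rule in Scenario 1, and the permit-then-deny and deny-then-permit orderings of Scenarios 2 and 3. Assumed values: Network A is 192.168.10.0/24, the VLAN 1 subnet is 192.168.0.0/24, 203.0.113.5 is a constructed internet address, and a Bi-Directional entry is modelled as two one-way entries; Network B as 192.168.20.0/24 is implied by the server address 192.168.20.10.

```python
# Added example (not TP-Link/Omada code): first-match, top-down evaluation of the
# switch ACL lists from the three scenarios, with default permit ("blacklist").
import ipaddress

NETWORK_A = [ipaddress.ip_network("192.168.10.0/24")]      # assumed subnet for VLAN 10
NETWORK_B = [ipaddress.ip_network("192.168.20.0/24")]      # implied by the server address
SERVER_GROUP = [ipaddress.ip_network("192.168.20.10/32")]  # the IP Group created in Scenario 1
INTERNAL = NETWORK_A + NETWORK_B + [ipaddress.ip_network("192.168.0.0/24")]  # "all other subnets" (VLAN 1 assumed)
IPGROUP_ANY = [ipaddress.ip_network("0.0.0.0/0")]
INTERNET_HOST = "203.0.113.5"                              # constructed external address


def in_group(group, addr):
    return any(ipaddress.ip_address(addr) in net for net in group)


def rule(name, policy, src, dst, bidirectional=False):
    """One ACL entry. Bi-Directional is modelled as two one-way entries, which is
    how the article's list ends up with two A_to_B_Server_permit entries (an assumption)."""
    entries = [(name, policy, src, dst)]
    if bidirectional:
        entries.append((name, policy, dst, src))
    return entries


def evaluate(acl, src_ip, dst_ip):
    """Top-down, first match wins; anything unmatched is permitted by default."""
    for name, policy, src, dst in acl:
        if in_group(src, src_ip) and in_group(dst, dst_ip):
            return policy, name
    return "permit", "default"


# Scenario 1: A and B may not talk, except A <-> the Server. The permits must be above the deny.
PERMIT_SERVER = rule("A_to_B_Server_permit", "permit", NETWORK_A, SERVER_GROUP, bidirectional=True)
DENY_A_B = rule("A_B_deny", "deny", NETWORK_A, NETWORK_B, bidirectional=True)
SCENARIO1_BEFORE = DENY_A_B + PERMIT_SERVER   # deny listed first: the permits never match
SCENARIO1_AFTER = PERMIT_SERVER + DENY_A_B    # after moving the permits to the top

# Scenario 2: Network A may reach the internal subnets only (permit internal, then deny any).
SCENARIO2 = (rule("A_internal_permit", "permit", NETWORK_A, INTERNAL)
             + rule("A_any_deny", "deny", NETWORK_A, IPGROUP_ANY))

# Scenario 3 (guest network): Network A may reach the internet only (deny internal, then permit any).
SCENARIO3 = (rule("A_internal_deny", "deny", NETWORK_A, INTERNAL)
             + rule("A_any_permit", "permit", NETWORK_A, IPGROUP_ANY))


def check_all():
    """Verdict for one representative flow per requirement in each scenario."""
    host_a, host_d, server = "192.168.10.5", "192.168.20.7", "192.168.20.10"
    return {
        "s1_before_A_to_server": evaluate(SCENARIO1_BEFORE, host_a, server)[0],
        "s1_after_A_to_server": evaluate(SCENARIO1_AFTER, host_a, server)[0],
        "s1_after_server_to_A": evaluate(SCENARIO1_AFTER, server, host_a)[0],
        "s1_after_A_to_hostD": evaluate(SCENARIO1_AFTER, host_a, host_d)[0],
        "s1_after_hostD_to_A": evaluate(SCENARIO1_AFTER, host_d, host_a)[0],
        "s2_A_to_hostD": evaluate(SCENARIO2, host_a, host_d)[0],
        "s2_A_to_internet": evaluate(SCENARIO2, host_a, INTERNET_HOST)[0],
        "s3_A_to_hostD": evaluate(SCENARIO3, host_a, host_d)[0],
        "s3_A_to_internet": evaluate(SCENARIO3, host_a, INTERNET_HOST)[0],
    }


if __name__ == "__main__":
    for flow, verdict in check_all().items():
        print(f"{flow:24s} {verdict}")
```

Running it shows the Scenario 1 "before" list denying Host A's access to the Server and the "after" list permitting it while still denying Host A to Host D in both directions; it also shows that with a default-permit ACL, a list that only contains deny entries for the internal subnets (Scenario 3) would already allow internet access, so the ordering of permit and deny entries, not just their presence, decides the outcome.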
Follow the instructions above to perform the ACL configuration for these common scenarios.
For more details on each function and configuration, go to the Download Center and download the manual of your product.