TL-SG3428 V2 - ACLs are not working

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2022-07-27 05:18:05 - last edited 2022-09-01 02:54:11
Model: TL-SG3428  
Hardware Version: V2
Firmware Version: 2.0.1 Build 20210131 Rev 44230

I have created two VLANS (in addition to the default VLAN 1):

 

VLAN2000: 192.168.20.0/24

VLAN4000: 192.168.2.0/24

 

I created an IP ACL with the following rules:

 

  • Deny, Source: 192.168.2.0, 255.255.255.0 for ANY protocol (no time range set)
  • Deny, Destination: 192.168.2.0, 255.255.255.0 for ANY protocol (no time range set)

 

I bind the IP ACL to VLAN4000.

 

I then try to ping from 192.168.2.100 to a machine at 192.168.20.100. I would expect the ping to FAIL; however, it is successful, and it would appear the ACL is not working.

 

Can anyone please suggest what I am possibly missing here?

#1
Re:TL-SG3428 V2 - ACLs are not working
2022-07-27 08:31:20

@Matthius Hi

 

How do you connect your test machines?

 

Note that the switch ACL can only take effect if the packets are sent to this switch.

 

For example, if you have two devices connected to the same EAP (access point), then their communication packets will only go through this EAP and are not sent to the switch/gateway. In that case the switch ACL cannot block the packets.

 

But if your two devices are connected to different EAPs, the packets need to go to EAP1, then to the switch, and finally to EAP2; these packets will be seen by the switch and the switch ACL.

 

Another concern is that if the packets are sent to the router (gateway), the router will also do the routing and the switch cannot block it.

#2
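The following is an added example, not code from the thread or from TP-Link. It models the original post's ACL (two deny rules on 192.168.2.0/24, bound only to VLAN 4000) and the point made in the reply above: a switch ACL is only evaluated on packets that actually enter the switch on a VLAN the ACL is bound to. The evaluator assumes first-match rule order and an implicit permit for unmatched traffic; both are assumptions about typical switch ACL behaviour, not a description of the TL-SG3428 firmware, and the hosts, VLAN ids and flows are the ones from the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed model of an IP ACL as entered in a switch UI:
# each field is "network mask" (a subnet mask, not a Cisco-style wildcard).
@dataclass
class Rule:
    action: str                  # "deny" or "permit"
    src: Optional[str] = None    # e.g. "192.168.2.0 255.255.255.0"; None = any
    dst: Optional[str] = None
    protocol: str = "any"        # "any", "icmp", "tcp", "udp"


def _matches(field: Optional[str], addr: str) -> bool:
    """A blank field matches everything; otherwise test addr against network/mask."""
    if field is None:
        return True
    net, mask = field.split()
    return ipaddress.ip_address(addr) in ipaddress.ip_network(f"{net}/{mask}", strict=False)


def evaluate(rules, bindings, ingress_vlan, src, dst, protocol="icmp"):
    """Return the action the switch should apply to one packet.

    rules        -- list of Rule, evaluated first-match (assumption)
    bindings     -- set of VLAN ids the ACL is bound to
    ingress_vlan -- VLAN the packet enters the switch on, or None when the packet
                    never reaches the switch (e.g. both hosts on the same access point)
    Returns "deny", "permit" or "not-seen-by-switch".
    """
    if ingress_vlan is None:
        return "not-seen-by-switch"      # the reply's same-EAP case: nothing to evaluate
    if ingress_vlan not in bindings:
        return "permit"                  # ACL is not applied on this VLAN
    for r in rules:
        if r.protocol not in ("any", protocol):
            continue
        if _matches(r.src, src) and _matches(r.dst, dst):
            return r.action
    return "permit"                      # implicit permit when nothing matches (assumption)


# The ACL from the original post, bound to VLAN 4000 only.
THREAD_ACL = [
    Rule("deny", src="192.168.2.0 255.255.255.0"),
    Rule("deny", dst="192.168.2.0 255.255.255.0"),
]
THREAD_BINDINGS = {4000}


def thread_scenario():
    """The cases discussed in the thread, as the ACL should behave once it works."""
    return {
        # the poster's test: VLAN4000 host pings a VLAN2000 host through the switch
        "ping_from_vlan4000": evaluate(THREAD_ACL, THREAD_BINDINGS, 4000,
                                       "192.168.2.100", "192.168.20.100"),
        # reverse direction enters on VLAN2000, where the ACL is not bound
        "ping_from_vlan2000": evaluate(THREAD_ACL, THREAD_BINDINGS, 2000,
                                       "192.168.20.100", "192.168.2.100"),
        # two hosts behind the same access point: the switch never sees the packet
        "same_eap": evaluate(THREAD_ACL, THREAD_BINDINGS, None,
                             "192.168.2.100", "192.168.2.101"),
        # constructed flow on VLAN4000 that touches neither 192.168.2.0/24 address
        "unmatched": evaluate(THREAD_ACL, THREAD_BINDINGS, 4000,
                              "10.0.0.5", "10.0.0.6", "tcp"),
    }


if __name__ == "__main__":
    for name, verdict in thread_scenario().items():
        print(f"{name:20s} -> {verdict}")
```

The first case is the one the poster tested: with the ACL bound to VLAN 4000, the ICMP request from 192.168.2.100 matches the first deny rule on ingress, so a working ACL drops it before any reply exists. The second case shows why binding to a single VLAN is worth double-checking in general: traffic entering on VLAN 2000 is never evaluated against this ACL, so only the deny on the VLAN 4000 side stops the exchange. The third case is the reply's point that an ACL on the switch cannot act on packets that never transit it.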
Re:TL-SG3428 V2 - ACLs are not working
2022-08-02 04:14:30 - last edited 2022-09-01 02:34:53

Dear @Matthius,

 

Matthius wrote

I then try to ping from 192.168.2.100 to a machine at 192.168.20.100. I would expect the ping to FAIL; however, it is successful, and it would appear the ACL is not working.

 

Please follow this post to get the Beta firmware to fix the issue.

>> Omada EAP Firmware Trial Available Here << *Try filtering posts on each forum by Label of [Early Access]*
#3
Re:TL-SG3428 V2 - ACLs are not working-Solution
2022-09-01 02:34:44 - last edited 2022-09-01 02:34:49

Hi there,

 

The new firmware TL-SG3428(UN)_V2_2.0.7 Build 20220606 released recently has fixed the ACL-related issue.

 

If you find that Combined ACL failed to block traffic between Layer 3 networks, please check for a firmware update first.

 

Thank you for your attention!

>> Omada EAP Firmware Trial Available Here << *Try filtering posts on each forum by Label of [Early Access]*
Recommended Solution
#4