TL-SG3428X ACL No Effect

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
2022-08-26 02:04:37
Tags: #ACL
Model: TL-SG3428X  
Hardware Version: V1
Firmware Version: 1.0.3 Build 20210409 Rel.52950

I configure the following ACL to allow only ARP and IPv4 traffic:

> Jetstream#show access-list 
> MAC access list 100 name: "Allow IP"
>     rule 10 permit logging enable type 0800
>     rule 20 permit logging enable type 0806
> 
> Jetstream#show access-list bind
> ACL ID    ACL NAME                          Interface/VID    Direction Type      
> ------    --------                          -------------    --------  ----      
> 100       Allow IP                          Gi1/0/23         Ingress   Port

Yet IPv6 traffic flows freely through the specified port.

What must be configured so that the ACL works as intended?

#1
Re:TL-SG3428X ACL No Effect
2022-08-29 13:05:09

  @Marytech 

I think you also need to add an IPv6 ACL rule?

For TP-Link switches, it seems like IPv4 ACLs and IPv6 ACLs are individual.

#2
Re:TL-SG3428X ACL No Effect
2022-09-01 00:41:07

@Somnus

I have also tried that:

> Jetstream#show access-list                                                     
> MAC access list 100 name: "Allow IP"
>     rule 10 permit logging enable type 0800
>     rule 20 permit logging enable type 0806
>     rule 30 deny logging enable type 86dd

If no rule matches, it should be default deny anyway.

#3
Re:TL-SG3428X ACL No Effect
2022-09-01 02:29:57

Dear @Marytech,

There is a new firmware released for TL-SG3428X recently, which has fixed an ACL-related issue. I'd suggest you update the switch firmware first and try again; the new firmware can be downloaded from the official website below.

https://www.tp-link.com/en/support/download/tl-sg3428x/#Firmware

Here is a related configuration guide for your reference: Configuring ACL

>> Omada EAP Firmware Trial Available Here << *Try filtering posts on each forum by Label of [Early Access]*

#4
Re:TL-SG3428X ACL No Effect
2022-09-01 09:21:44

  @Fae Could the firmware be made available on the Canadian site? The most recent version there is TL-SG3428X(UN)_V1_20210409

https://www.tp-link.com/ca/support/download/tl-sg3428x/#Firmware

#5
Re:TL-SG3428X ACL No Effect
2022-09-01 09:36:29

Dear @Marytech,

Marytech wrote:

> @Fae Could the firmware be made available on the Canadian site? The most recent version there is TL-SG3428X(UN)_V1_20210409

Thank you for your valued feedback. The Canadian site will upload the firmware soon.

In fact, wired devices such as switches use universal firmware, with no difference between countries/regions.

So you can follow my previous reply or go to the TP-Link EN website to download the firmware for upgrading.

#6
Re:TL-SG3428X ACL No Effect
2022-09-04 04:17:10

@Fae Thank you, I have applied the firmware update.

Jetstream#show system-info 
(…) 
 Hardware Version     - TL-SG3428X 1.0
 Software Version     - 1.0.7 Build 20220606 Rel.58990

SDM enterpriseMix template is enabled:

Jetstream#show sdm prefer used
The current template is "enterpriseMix" template.
The "enterpriseMix" template will take effect after reboot the switch.
"enterpriseMix" template:
number of IP  ACL Rules             : 0
number of MAC ACL Rules             : 0
number of Combined ACL Rules        : 80
number of IPV6 ACL Rules            : 80
number of IPV4 Source Guard Entries : 52
number of IPV6 Source Guard Entries : 51
number of Packet Content ACL Rules  : 0

An ACL is configured to allow only IPv4 and ARP:

Jetstream#show access-list 
Combined access list 1100 name: "Allow IPv4"
    rule 100 permit logging enable type 0800
    rule 200 permit logging enable type 0806

Jetstream#show access-list bind
ACL ID    ACL NAME                          Interface/VID    Direction Type      
------    --------                          -------------    --------  ----      
1100      Allow IPv4                        Gi1/0/23         Ingress   Port      

Jetstream#show access-list 1100 counter                                        
Combined ACL 1100, Name Allow IPv4
ACL Rule ID    Total Matched Counter 
-----------    --------------------- 
100            2636                  
200            0

Note that the counter for the ARP rule does not increase. IPv6 traffic is still seen entering the configured port.

According to the documentation:

"If no ACL rule is configured, the packets will be forwarded without being processed by the ACL. If there is configured ACL rules and no matching rule is found, the packets will be dropped."

This ACL should only permit IPv4 and ARP. Nevertheless, an explicit deny rule is tried:

Jetstream#show access-list                                                     
Combined access list 1100 name: "Allow IPv4"
    rule 100 permit logging enable type 0800
    rule 200 permit logging enable type 0806
    rule 300 deny logging enable

Now the IPv6 traffic is blocked:

Jetstream#show access-list 1100 counter
Combined ACL 1100, Name Allow IPv4
ACL Rule ID    Total Matched Counter 
-----------    --------------------- 
100            29617                 
200            0                     
300            2665

So the implicit default deny rule is ineffective, and the ARP traffic counter does not report the correct number.

Another ACL is configured:

Jetstream#show access-list 
Combined access list 1100 name: "Allow IPv4"
    rule 100 permit logging enable type 0800
    rule 200 permit logging enable type 0806
Combined access list 1200 name: "Block IPv6"
    rule 100 deny logging enable type 86dd
Combined access list 1490 name: "Block All"
    rule 9999 deny logging enable

Jetstream#show access-list bind 
ACL ID    ACL NAME                          Interface/VID    Direction Type      
------    --------                          -------------    --------  ----      
1200      Block IPv6                        Gi1/0/23         Ingress   Port      
1100      Allow IPv4                        Gi1/0/23         Ingress   Port      
1490      Block All                         Gi1/0/23         Ingress   Port

Jetstream#show access-list 1200 counter 
Combined ACL 1200, Name Block IPv6
ACL Rule ID    Total Matched Counter 
-----------    --------------------- 
100            0

Jetstream#show access-list 1100 counter                                        
Combined ACL 1100, Name Allow IPv4
ACL Rule ID    Total Matched Counter 
-----------    --------------------- 
100            11940                 
200            0

Jetstream#show access-list 1490 counter                                        
Combined ACL 1490, Name Block All
ACL Rule ID    Total Matched Counter 
-----------    --------------------- 
9999           1372

Now the IPv6 traffic is not counted by the IPv6 rule (1200) but it is counted by the block-all rule (1490).

How can we have confidence that any ACL will work as specified?

#7
Re:TL-SG3428X ACL No Effect
2022-09-04 23:37:53

@Fae Here is another ACL that doesn't seem to work:

Jetstream(config)#show access-list 
Combined access list 1100 name: "test"
    rule 9999 deny logging enable

Jetstream(config)#show access-list bind
ACL ID    ACL NAME                          Interface/VID    Direction Type      
------    --------                          -------------    --------  ----      
1100      test                              128              Ingress   Vlan

I would expect this rule to block all traffic from entering the VLAN.

Jetstream(config)#show access-list 1100 counter
Combined ACL 1100, Name test
ACL Rule ID    Total Matched Counter 
-----------    --------------------- 
9999           424

IPv4 appears to be blocked, but ARP is still observed to pass through the VLAN.

Adding rules to block ARP and any broadcast or multicast traffic:

Jetstream(config)#show access-list 
Combined access list 1100 name: "test"
    rule 500 deny logging enable type 0806
    rule 550 deny logging enable dmac 01:00:00:00:00:00 dmask 01:00:00:00:00:00
    rule 9999 deny logging enable

The ARP request should be blocked by rules 500 and 550; the reply should be blocked by rules 500 and 9999.

Jetstream(config)#show access-list 1100 counter                                
Combined ACL 1100, Name test
ACL Rule ID    Total Matched Counter 
-----------    --------------------- 
500            0                     
550            59                    
9999           11

Yet ARP still gets through.

#8
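Added example for posts #7 and #8 above, not code from the thread or from TP-Link: a small Python model of first-match ACL evaluation over the rule syntax the `show access-list` output uses (`type XXXX`, `dmac ... dmask ...`, and a bare deny). It computes which rule each frame should hit, so the `show access-list <id> counter` figures can be compared against what a first-match ACL ought to report instead of being read in isolation. Everything in it is assumed for illustration: bound ACLs are walked in the order `show access-list bind` lists them, rules in ascending rule-ID order, a `dmask` bit set to 1 means that bit is compared, and the sample frames and rule text are constructed, not captured from a device.

```python
# Added example, not from the thread or from TP-Link: a first-match model of the ACL rule
# syntax shown in the posts, so "show access-list <id> counter" can be checked against what a
# first-match ACL should report. Assumptions: bound ACLs are evaluated in the order
# "show access-list bind" lists them, rules in ascending ID order, dmask 1-bits are compared.
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def mac_to_int(mac: str) -> int:
    return int(mac.replace(":", ""), 16)


@dataclass
class Rule:
    rule_id: int
    action: str                      # "permit" or "deny"
    ethertype: Optional[int] = None  # from "type XXXX"; None = any EtherType
    dmac: Optional[int] = None       # from "dmac"; None = any destination MAC
    dmask: Optional[int] = None      # from "dmask" (assumed: 1 = compare this bit)

    def matches(self, frame: dict) -> bool:
        if self.ethertype is not None and frame["ethertype"] != self.ethertype:
            return False
        if self.dmac is not None and (frame["dmac"] & self.dmask) != (self.dmac & self.dmask):
            return False
        return True


ACL_HEADER = re.compile(r'^\s*\w+ access list (\d+) name: "(.*)"')
RULE_LINE = re.compile(r"^\s*rule (\d+) (permit|deny)\b(.*)$")


def parse_access_list(text: str) -> Dict[int, dict]:
    """'show access-list' output -> {acl_id: {"name": str, "rules": [Rule, ...]}}."""
    acls: Dict[int, dict] = {}
    current = None
    for line in text.splitlines():
        header = ACL_HEADER.match(line)
        if header:
            current = int(header.group(1))
            acls[current] = {"name": header.group(2), "rules": []}
            continue
        m = RULE_LINE.match(line)
        if m and current is not None:
            rule, rest = Rule(int(m.group(1)), m.group(2)), m.group(3)
            t = re.search(r"\btype ([0-9a-fA-F]{4})\b", rest)
            if t:
                rule.ethertype = int(t.group(1), 16)
            d = re.search(r"\bdmac ([0-9a-fA-F:]{17}) dmask ([0-9a-fA-F:]{17})", rest)
            if d:
                rule.dmac, rule.dmask = mac_to_int(d.group(1)), mac_to_int(d.group(2))
            acls[current]["rules"].append(rule)
    return acls


def parse_bind_order(text: str) -> List[int]:
    """ACL IDs from 'show access-list bind', in listed order (assumed = evaluation order)."""
    return [int(m.group(1)) for m in (re.match(r"^(\d+)\s", ln) for ln in text.splitlines()) if m]


def evaluate(acls: Dict[int, dict], order: List[int], frame: dict,
             implicit_deny: bool = True) -> Tuple[Optional[int], Optional[int], str]:
    """First matching rule wins. (None, None, action) means nothing matched: the documented
    default (deny) applies, or permit when modelling the fall-through the thread observed."""
    for acl_id in order:
        for rule in sorted(acls[acl_id]["rules"], key=lambda r: r.rule_id):
            if rule.matches(frame):
                return acl_id, rule.rule_id, rule.action
    return None, None, ("deny" if implicit_deny else "permit")


def expected_counters(acls: Dict[int, dict], order: List[int], frames: list) -> Dict[Tuple[int, int], int]:
    """Hits per (acl_id, rule_id) that a first-match ACL should report for these frames."""
    counts: Dict[Tuple[int, int], int] = {}
    for frame in frames:
        acl_id, rule_id, _ = evaluate(acls, order, frame)
        if rule_id is not None:
            counts[(acl_id, rule_id)] = counts.get((acl_id, rule_id), 0) + 1
    return counts


# Constructed sample frames (not captured traffic): only EtherType and destination MAC matter here.
FRAMES = [
    {"name": "ipv4-unicast", "ethertype": 0x0800, "dmac": mac_to_int("00:11:22:33:44:55")},
    {"name": "arp-request", "ethertype": 0x0806, "dmac": mac_to_int("ff:ff:ff:ff:ff:ff")},
    {"name": "arp-reply", "ethertype": 0x0806, "dmac": mac_to_int("00:11:22:33:44:55")},
    {"name": "ipv6-ndp", "ethertype": 0x86DD, "dmac": mac_to_int("33:33:00:00:00:01")},
]
# Rule text typed in the thread's "show access-list" format (constructed, not device output).
ACL_ALLOW_IPV4 = ('Combined access list 1100 name: "Allow IPv4"\n'
                  "    rule 100 permit logging enable type 0800\n"
                  "    rule 200 permit logging enable type 0806\n")
ACL_EXPLICIT_DENY = ACL_ALLOW_IPV4 + "    rule 300 deny logging enable\n"
ACL_VLAN_TEST = ('Combined access list 1100 name: "test"\n'
                 "    rule 500 deny logging enable type 0806\n"
                 "    rule 550 deny logging enable dmac 01:00:00:00:00:00 dmask 01:00:00:00:00:00\n"
                 "    rule 9999 deny logging enable\n")
BIND_1100 = "ACL ID    ACL NAME    Interface/VID    Direction Type\n1100      Allow IPv4  Gi1/0/23  Ingress   Port\n"


def decide(acl_text: str, bind_text: str, frame: dict, implicit_deny: bool = True):
    return evaluate(parse_access_list(acl_text), parse_bind_order(bind_text), frame, implicit_deny)


if __name__ == "__main__":
    for f in FRAMES:
        print(f'{f["name"]:13} documented default: {decide(ACL_ALLOW_IPV4, BIND_1100, f)}'
              f'  explicit deny: {decide(ACL_EXPLICIT_DENY, BIND_1100, f)}')
    print("expected VLAN-test counters:", expected_counters(parse_access_list(ACL_VLAN_TEST), [1100], FRAMES))
```

Run it and the model says what the documentation says: with only the two permit rules, the IPv6 frame matches nothing and should be dropped by the default, while `implicit_deny=False` reproduces what the thread actually observed. With rule 300 present the IPv6 frame is attributed to rule 300, which is what the `300  2665` counter in post #7 shows. For the VLAN test ACL, a first-match walk attributes both ARP frames to rule 500 (the EtherType rule precedes the `dmac`/`dmask` rule), so a counter of 0 on rule 500 next to 59 on rule 550 is itself a discrepancy worth putting in the support ticket, independent of whether ARP is seen to pass. The expected-counter dictionary is the baseline to diff against the switch's own counters when re-testing after a firmware change.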
Re:TL-SG3428X ACL No Effect
2022-09-05 07:02:58

Dear @Marytech,

To better assist you, I've created a support ticket via your registered email address, and escalated it to our support engineer to look into the issue. The ticket ID is TKID220904849, please check your email box and ensure the support email is well received. Thanks!

#9
Re:TL-SG3428X ACL No Effect
2022-09-06 20:47:05 - last edited 2022-09-08 16:23:39

@Fae

Dear Fae, good day!
Has the new version of the firmware (1.0.7 Build 20220606 Rel.58990) been removed from download? It is no longer available for download as of today.

https://www.tp-link.com/en/support/download/tl-sg3428x/#Firmware

Thanks!

#10
Re:TL-SG3428X ACL No Effect
2022-09-09 01:15:42

Dear @zexoni70,

I'm afraid that the new firmware 1.0.7 has been temporarily removed from the official website due to recent firmware upgrade issues reported by some customers. TP-Link is looking into the issue with high priority; the new firmware will be released once the issue is resolved. Sorry for any trouble caused!

#11