vmware private vlan in omada environment

2024-11-11 06:19:40 - last edited 2024-11-15 06:10:52
Model: SG2008P  

I'd like some guidance regarding how best to implement this via Omada.

We have an ER605, several SG2008Ps, and EAP610s.

Our infra and app servers are running as VMs on VMware.

We were thinking of using private VLANs to create isolated networks. Not sure how "promiscuous" translates to Omada, though.

We have three specific isolation designs in mind:

1) Clients on VLAN A can only see the published app servers, no internet.

2) Clients on VLAN B can only see the published app servers, with internet access.

3) Clients on VLAN C cannot see each other and only have internet access. This looks like the guest functionality (guest ticked on the Wi-Fi network; we got this one running).

Finally, I was wondering if this will work when using PPSK with the built-in RADIUS of the controller.

#1

Accepted Solution
Re: vmware private vlan in omada environment - Solution
2024-11-12 01:27:59 - last edited 2024-11-15 06:10:52

Hi @snoop-snoop 

snoop-snoop wrote:

I got these 4 ACLs configured on my switch ACL:

1) permit source network wireless / destination IP group: server IP/24

2) permit source network wireless / destination group: wireless gateway

3) permit source wireless gateway / destination network wireless

4) deny source wireless / destination network "all other network"

Is the ACL implementation bugged at the switch level?

If you configured all the VLAN interfaces on the router, you should configure the GW ACL.

The behavior you asked about is expected. If you are going to set up the wireless, use the Guest Network, as it is the Wi-Fi.

No need to configure the ACL. Even if it is an ACL, go and configure the Network > Network ACL on the GW.

Not really sure what you mean by it being bugged at the switch level, as they are not based on the switch, and its ACL would have little effect on the GW.

You should spend more time on the ACL guides and discussions on the GW page, where you'd find some previous discussions on VLAN design.

https://community.tp-link.com/en/business/forum/794?countryCodesStr=&searchFromDate=ALL_TIME&language=ENGLISH&sort=&status=&dir=desc&tagId=646&labelIds=8760&isMatchAll=true&keyword=

#3

Replies
Re: vmware private vlan in omada environment
2024-11-11 10:56:31 - last edited 2024-11-11 12:19:50

I got these 4 ACLs configured on my switch ACL:

1) permit source network wireless / destination IP group: server IP/24

2) permit source network wireless / destination group: wireless gateway

3) permit source wireless gateway / destination network wireless

4) deny source wireless / destination network "all other network"

When I have ACL #1 enabled and ping from a wireless client, the wireless client is able to ping other servers that are not part of the IP group. So it's allowing the entire subnet, not just the specific IP. Is this the expected behavior? Isn't this supposed to just publish one IP instead? When I disable ACL #1,

It just occurred to me: should I manage ACLs at the gateway level instead of the switch level?

I mean, why would allowing an IP/port of one server allow the entire subnet and not just the server listed? That is odd behavior for the ACL entry.

Never mind. LAN>LAN ACL only works network to network, not IP group to port.

Is the ACL implementation bugged at the switch level?

#2
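Added example (not from the thread or from TP-Link): a small first-match ACL evaluator that models the four rules posted above with plain CIDR matching and constructed addresses, to show why a destination group defined as "server IP/24" permits every host in that subnet while a /32 host entry permits only the published server. It does not model Omada's own network-to-network matching; the addresses and the implicit default are assumptions.

```python
# Added example, not from the thread: model the four posted rules as an
# ordered first-match list and check what a wireless client can reach.
# All addresses are constructed samples.
import ipaddress

WIRELESS = ipaddress.ip_network("10.20.0.0/24")         # assumed wireless VLAN
WIRELESS_GW = ipaddress.ip_network("10.20.0.1/32")      # assumed wireless gateway
SERVERS = ipaddress.ip_network("10.10.0.0/24")          # "server IP/24" as posted
PUBLISHED_APP = ipaddress.ip_network("10.10.0.50/32")   # the one published server
ANY = ipaddress.ip_network("0.0.0.0/0")                 # "all other network"


def acl(published):
    """Rules in the order posted; first match wins."""
    return [
        ("permit", WIRELESS, published),     # 1) wireless -> server group
        ("permit", WIRELESS, WIRELESS_GW),   # 2) wireless -> wireless gateway
        ("permit", WIRELESS_GW, WIRELESS),   # 3) wireless gateway -> wireless
        ("deny", WIRELESS, ANY),             # 4) wireless -> everything else
    ]


def evaluate(rules, src, dst):
    """Return the action of the first rule matching src -> dst."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, s_net, d_net in rules:
        if src in s_net and dst in d_net:
            return action
    return "permit"  # assumed implicit permit when no rule matches


def reachable(rules, src, targets):
    """Sorted list of targets the source is permitted to reach."""
    return sorted(t for t in targets if evaluate(rules, src, t) == "permit")


CLIENT = "10.20.0.77"   # constructed wireless client
TARGETS = ["10.10.0.50", "10.10.0.51", "10.10.0.99", "10.20.0.1", "10.30.0.5"]

if __name__ == "__main__":
    # With the /24 group every server in the subnet is permitted, as observed.
    print("with /24 group:", reachable(acl(SERVERS), CLIENT, TARGETS))
    # With a /32 host entry only the published server (and the gateway) remain.
    print("with /32 host: ", reachable(acl(PUBLISHED_APP), CLIENT, TARGETS))
```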