PORT isolation stopped work - Omada SW controller

Re:PORT isolation stopped work - Omada SW controller
Friday

@LAMAGuru

You are using a non-TP-Link router? Does it support VLANs?

That router might also be the cause of your performance drops, since in your case the router is doing the routing between VLANs, and they vary from being excellent at it to being slow at it, depending on the model and its capabilities.

If the router doesn't support VLANs, you have some more complex things to set up (switch-only VLANs with static routes to and from your router).

Main: ER8411 x1, SG3428X x1, SG3452 x1, SG2428LP x1, SG3210 x1, SG2218P x1, SG2008P x1, ES205G x2, EAP650 x6 Remotes: ER605 v2 x3, SG2008P x2, EAP650 x2 VPN Server: ER7206 v2 Controller: OC300
#12
Re:PORT isolation stopped work - Omada SW controller
Monday - last edited Yesterday

@LAMAGuru

Why are you not supernetting IP ranges into IP groups to cover more with fewer rules?

E.g.: I want to block 2 VLANs to a range of servers

192.168.10.0/24
192.168.11.0/24

block to

192.168.100.254
192.168.100.253
192.168.100.252
192.168.100.251
192.168.100.250

You can do this with one rule, one line a side:

192.168.10.0/23 > deny > 192.168.100.254/29

Also, MAC addresses are still valid over LACP; it's still coming from one MAC interface, not multiple per port link in the LAG.

And I really have no idea what you are on about when you say you need a final deny rule after permit rules in the ACLs?

Please don't take offense, but you seem to be throwing everything at what is a relatively simple problem without really understanding what is going on or how anything works.

Take a step back and do some reading first.

Main: ER8411 x1, SG3428X x1, SG3452 x1, SG2428LP x1, SG3210 x1, SG2218P x1, SG2008P x1, ES205G x2, EAP650 x6 Remotes: ER605 v2 x3, SG2008P x2, EAP650 x2 VPN Server: ER7206 v2 Controller: OC300
#13
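An added illustration (not part of the post above) of the supernetting GRL describes: the two /24s aggregate exactly into a /23, but the five servers .250-.254 only fit a /29 as 192.168.100.248/29, which also matches .248, .249 and .255. The helper below computes the covering block, lists the hosts it adds, and gives the exact (non-aggregated) prefix set, using only Python's standard ipaddress module and the sample values from the post.

```python
import ipaddress

# Sample values taken from the post above.
VLANS = ["192.168.10.0/24", "192.168.11.0/24"]
SERVERS = ["192.168.100.254", "192.168.100.253", "192.168.100.252",
           "192.168.100.251", "192.168.100.250"]


def covering_supernet(addresses):
    """Smallest single CIDR block that contains every given host/network
    (the /23 and /29 from the post, computed rather than eyeballed)."""
    nets = [ipaddress.ip_network(a, strict=False) for a in addresses]
    cover = nets[0]
    while not all(n.subnet_of(cover) for n in nets):
        cover = cover.supernet()  # widen by one prefix bit at a time
    return cover


def overreach(addresses):
    """Addresses the covering supernet matches that were not asked for.
    In a deny rule these extra hosts get blocked too; in a permit rule
    they get opened too, so check them before collapsing rows."""
    wanted = set()
    for a in addresses:
        wanted.update(ipaddress.ip_network(a, strict=False))
    return sorted(set(covering_supernet(addresses)) - wanted)


def exact_rows(addresses):
    """Minimal list of CIDR rows matching exactly the given addresses.
    Non-contiguous hosts need more rows, which is where the group-size
    limits discussed in this thread start to bite."""
    nets = [ipaddress.ip_network(a, strict=False) for a in addresses]
    return list(ipaddress.collapse_addresses(nets))


if __name__ == "__main__":
    for name, group in (("VLANs", VLANS), ("servers", SERVERS)):
        print(f"{name}: cover={covering_supernet(group)} "
              f"extra={[str(a) for a in overreach(group)]} "
              f"exact={[str(n) for n in exact_rows(group)]}")
```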
Re:PORT isolation stopped work - Omada SW controller
Yesterday - last edited Yesterday

@GRL

Because I want to use only 1 subnet (because of TECHNICAL problems and AUTOMATION paths that are already in use in the factory) and also, I want to isolate stations. How to isolate stations if they are in the same subnet (L3)?

One is ACL between groups and another is ACL to isolate stations in one group.

So, I want to isolate all stations that don't share any resources and next create groups of servers/stations that share any resources, to add granular access to them from isolated stations.

Ideally, I could do MAC ACLs (L2) and also IP-port (L3). BUT, if I want to set up L3 IP-PORT, I can't do that, for example, for KODAK or ESKO RIPs, because they use too many port groups, more than 8, which I can't set up in an Omada IP-Port group. So I must divide IP-PORT into 3, BUT I can't, because ACL for IP-port also has a row limit of 8/16...

#14
Re:PORT isolation stopped work - Omada SW controller
Yesterday - last edited Yesterday

@GRL

"Routing" on the same subnet is on switches. That is why I want to use ACL as the second solution and not VLANs (that was the first solution I wanted to use).

I use many (10 or more) 10Gb SFP+ servers, so the router can't handle that. Also, I see a drop on the same switch when I use VLANs configured on the Omada software controller on that same switch.

#15
Re:PORT isolation stopped work - Omada SW controller
Yesterday

@LAMAGuru

Can you give us an overview of IP ranges, what you want blocked from what, and a topology of the network hardware, so we can at least get some idea of what you are trying to do here?

Also, I will reiterate: VLANs do not affect switch performance at all. They are designed for it. Any drop is due to loops, circular routing tables, or just poor network design.

Main: ER8411 x1, SG3428X x1, SG3452 x1, SG2428LP x1, SG3210 x1, SG2218P x1, SG2008P x1, ES205G x2, EAP650 x6 Remotes: ER605 v2 x3, SG2008P x2, EAP650 x2 VPN Server: ER7206 v2 Controller: OC300
#16
Re:PORT isolation stopped work - Omada SW controller
Yesterday - last edited Yesterday

@GRL

"Also, I will reiterate - VLANs do not affect switch performance at all. They are designed for it" - so I tested on 3 PCs, base network setup and TP-Link's exact step-by-step documentation. AND I measured a drop in traffic between switches and also a small drop between ports on the same switch. Maybe the Omada controller implementation of VLANs causes the drop. I didn't test on unmanaged switches.

My network, for example: only one subnet 192.168.0.0/24, 60 clients, 20 servers, some IoTs, CAMs, DVRs.

Groups of client PCs based on deny rules to servers: 10-20

Each group can have 1 to 60 rows of IP or IP-port or MAC.

So, example L2 (MAC based):

clientgroup1 - all clients without any shared services
group2 - some servers with only SMB share
group2 - some servers with SQL services
group3 - some servers with other services1
group4 - some servers with other services2
group5 - some servers with other services3
clientgroup2 - all denied clients without any access to group2
clientgroup3 - all denied clients without any access to group3
clientgroup4 - all denied clients without any access to group4
clientgroup5 - all denied clients without any access to group5

ACL MAC based to deny:

clientgroup1 deny access to clientgroup1 - can't set up, too many ACLs
clientgroup2 deny access to group2 - can't set up, too many ACLs
clientgroup3 deny access to group3 - can't set up, too many ACLs
clientgroup4 deny access to group4 - can't set up, too many ACLs
clientgroup5 deny access to group5 - can't set up, too many ACLs

Example L2+L3:

Same as L2 but IP-PORT or IP based, with first L2 clientgroup1 deny access to clientgroup1.

IP-port groups:

IPport1 - some SMB servers (IP x.x.x.x/32, port 445, 139) - can't do that for more than 8/8 rows if I have 10 servers (must create 2 groups, but I'm limited with ACL rows to max 8 per type of group (8x group IP subnets, 8x IP-port, 8x MAC))...
IPport2 - some SQL servers (IP x.x.x.x/32, port yyyy) - can't do that for more than 8/8 rows if I have 10 servers (must create 2 groups, but I'm limited with ACL rows to max 8 per type of group (8x group IP subnets, 8x IP-port, 8x MAC))...
IPport3 - some RDP servers (IP x.x.x.x/32, port 3389) - can't do that for more than 8/8 rows if I have 10 servers (must create 2 groups, but I'm limited with ACL rows to max 8 per type of group (8x group IP subnets, 8x IP-port, 8x MAC))...
IPport4 - some other services1 (IP x.x.x.x/32, port aaa.bbb-ccc,ddd,eee-fff,ggg,hhh-hhh,iii-iii,lll,mmm,nnn-ooo,......) - can't do that for more than 8/8 rows if I have 10 servers and 16 port groups on those servers (can't create a group with more than 8 port groups)
IPport5 - some other services1 (IP x.x.x.x/32, port aaa.bbb-ccc,ddd,eee-fff,ggg,hhh-hhh,iii-iii,lll,mmm,nnn-ooo,......) - can't do that for more than 8/8 rows if I have 10 servers and 16 port groups on those servers (can't create a group with more than 8 port groups)
IPport6 - some other services1 (IP x.x.x.x/32, port aaa.bbb-ccc,ddd,eee-fff,ggg)
clientIPgroup1 - some clients that can't access IPport1 - so more than 16 IP clients, can't create
clientIPgroup2 - some clients that can't access IPport2 - so more than 16 IP clients, can't create
clientIPgroup3 - some clients that can't access IPport3 - so more than 16 IP clients, can't create
clientIPgroup4 - some clients that can't access IPport4 - so more than 16 IP clients, can't create
clientIPgroup5 - some clients that can't access IPport5 - so more than 16 IP clients, can't create
clientIPgroup6 - some clients that can't access IPport6 - so more than 16 IP clients, can't create

Next ACL:

clientgroup1 deny access to clientgroup1
clientIPgroup1 deny access to IPport1
clientIPgroup2 deny access to IPport2
clientIPgroup3 deny access to IPport3
clientIPgroup4 deny access to IPport4
clientIPgroup5 deny access to IPport5
clientIPgroup6 deny access to IPport6

And I must use x.x.x.x/32 in IP/IP-port groups (based on the devices in the network). I only have the IP range segmented into IPs with and without internet. Other rules are on the firewall, based on IP addresses, because some servers/clients/printers/IoT/work devices need internet and some do not.

M.

#17
Re:PORT isolation stopped work - Omada SW controller
Yesterday

@LAMAGuru

Yes, I understand what you mean; 16 IP groups or 16 IP-port groups are a problem. Sometimes you have to use an IP group on just one IP; it is not always possible to fill all the groups with IPs or ports. It is far too small if you are going to build a larger network, so this is a big limitation if you are going to build a secure network; there are simply not enough groups. 16 groups are, in the worst case, only 16 IP addresses. It is also not possible to use an IP range, which is also a big problem.

#18
Re:PORT isolation stopped work - Omada SW controller
Yesterday - last edited Yesterday

@MR.S

Yes, that is a limitation. And it is a limitation if you have, for example, 1 x 24-port switch, so also for SMALL, VERY SMALL networks. So THIS IS THE problem, 8/8 or 16. And also the VLAN drop is a limitation. Maybe on unmanaged switches this drop doesn't exist.

#19
Re:PORT isolation stopped work - Omada SW controller
Yesterday - last edited Yesterday

@LAMAGuru

I have been struggling with this ever since Omada was launched. I have a number of remote networks that I am trying to create ACLs for but had to give up; there are not enough IP groups. So why only 16 is strange. Even with a small home network there can be problems if you want to make it secure. Using CIDR is almost impossible; none of my remote networks have IPs in a row.

You can create a request on Requests & Suggestions and I will vote on it.

#20
Re:PORT isolation stopped work - Omada SW controller
Yesterday - last edited Yesterday

@MR.S

I started communication with support over email. But this does not solve my problem. I think that it will end with "maybe in some next release...". So I will see. For now, Omada is useless for more than 8 ports and 16 devices if you want something normal. Omada has big potential, but for now this is the problem.

#21