TL-SG3428X ACL No Effect
TL-SG3428X ACL No Effect
I configure the following ACL to allow only ARP and IPv4 traffic:
> Jetstream#show access-list > MAC access list 100 name: "Allow IP" > rule 10 permit logging enable type 0800 > rule 20 permit logging enable type 0806 > > Jetstream#show access-list bind > ACL ID ACL NAME Interface/VID Direction Type > ------ -------- ------------- -------- ---- > 100 Allow IP Gi1/0/23 Ingress Port
Yet IPv6 traffic flows freely through the specified port.
What must be configured so that the ACL works as intended?
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
I think you also need to add an IPv6 ACL rule?
For tp-link switch, it seems like IPv4 ACL and IPv6 ACL are individual.
- Copy Link
- Report Inappropriate Content
I have also tried that:
> Jetstream#show access-list > MAC access list 100 name: "Allow IP" > rule 10 permit logging enable type 0800 > rule 20 permit logging enable type 0806 > rule 30 deny logging enable type 86dd
If no rule matches, it should be default deny anyway.
- Copy Link
- Report Inappropriate Content
Dear @Marytech,
There is a new firmware released for TL-SG3428X recently, which has fixed an ACL-related issue. I'd suggest you update the switch firmware first and try again, the new firmware can be downloaded from the official website below.
https://www.tp-link.com/en/support/download/tl-sg3428x/#Firmware
Here is a related configuration guide for your reference: Configuring ACL
- Copy Link
- Report Inappropriate Content
@Fae Could the firmware be made available on the Canadian site? The most recent version there is TL-SG3428X(UN)_V1_20210409
https://www.tp-link.com/ca/support/download/tl-sg3428x/#Firmware
- Copy Link
- Report Inappropriate Content
Dear @Marytech,
Marytech wrote
@Fae Could the firmware be made available on the Canadian site? The most recent version there is TL-SG3428X(UN)_V1_20210409
Thank you for your valued feedback. The Canadian site will upload the firmware soon.
In fact, wired devices such as switches use universal firmware, with no difference between countries/regions.
So you can follow my previous reply or go to the TP-Link EN website to download the firmware for upgrading.
- Copy Link
- Report Inappropriate Content
@Fae Thank you I have applied the firmware update.
Jetstream#show system-info
(…)
Hardware Version - TL-SG3428X 1.0
Software Version - 1.0.7 Build 20220606 Rel.58990
SDM enterpriseMix template is enabled:
Jetstream#show sdm prefer used The current template is "enterpriseMix" template. The "enterpriseMix" template will take effect after reboot the switch. "enterpriseMix" template: number of IP ACL Rules : 0 number of MAC ACL Rules : 0 number of Combined ACL Rules : 80 number of IPV6 ACL Rules : 80 number of IPV4 Source Guard Entries : 52 number of IPV6 Source Guard Entries : 51 number of Packet Content ACL Rules : 0
An ACL is configured to allow only IPv4 and ARP:
Jetstream#show access-list Combined access list 1100 name: "Allow IPv4" rule 100 permit logging enable type 0800 rule 200 permit logging enable type 0806 Jetstream#show access-list bind ACL ID ACL NAME Interface/VID Direction Type ------ -------- ------------- -------- ---- 1100 Allow IPv4 Gi1/0/23 Ingress Port Jetstream#show access-list 1100 counter Combined ACL 1100, Name Allow IPv4 ACL Rule ID Total Matched Counter ----------- --------------------- 100 2636 200 0
Note that the counter for the ARP rule does not increase. IPv6 traffic is still seen entering the configured port.
According to the documentation:
"If no ACL rule is configured, the packets will be forwarded without being processed by the ACL. If there is configured ACL rules and no matching rule is found, the packets will be dropped.
This ACL should only permit IPv4 and ARP. Nevertheless, an explicit deny rule is tried:
Jetstream#show access-list Combined access list 1100 name: "Allow IPv4" rule 100 permit logging enable type 0800 rule 200 permit logging enable type 0806 rule 300 deny logging enable
Now the IPv6 traffic is blocked:
Jetstream#show access-list 1100 counter Combined ACL 1100, Name Allow IPv4 ACL Rule ID Total Matched Counter ----------- --------------------- 100 29617 200 0 300 2665
So the implicit default deny rule is ineffective, and the ARP traffic counter does not report the correct number.
Another ACL is configured:
Jetstream#show access-list Combined access list 1100 name: "Allow IPv4" rule 100 permit logging enable type 0800 rule 200 permit logging enable type 0806 Combined access list 1200 name: "Block IPv6" rule 100 deny logging enable type 86dd Combined access list 1490 name: "Block All" rule 9999 deny logging enable Jetstream#show access-list bind ACL ID ACL NAME Interface/VID Direction Type ------ -------- ------------- -------- ---- 1200 Block IPv6 Gi1/0/23 Ingress Port 1100 Allow IPv4 Gi1/0/23 Ingress Port 1490 Block All Gi1/0/23 Ingress Port Jetstream#show access-list 1200 counter Combined ACL 1200, Name Block IPv6 ACL Rule ID Total Matched Counter ----------- --------------------- 100 0 Jetstream#show access-list 1100 counter Combined ACL 1100, Name Allow IPv4 ACL Rule ID Total Matched Counter ----------- --------------------- 100 11940 200 0 Jetstream#show access-list 1490 counter Combined ACL 1490, Name Block All ACL Rule ID Total Matched Counter ----------- --------------------- 9999 1372
Now the IPv6 traffic is not counted by the IPv6 rule (1200) but it is counted by the block all rule (1490).
How can we have confidence that any ACL will work as specified?
- Copy Link
- Report Inappropriate Content
@Fae Here is another ACL that doesn't seem to work:
Jetstream(config)#show access-list Combined access list 1100 name: "test" rule 9999 deny logging enable Jetstream(config)#show access-list bind ACL ID ACL NAME Interface/VID Direction Type ------ -------- ------------- -------- ---- 1100 test 128 Ingress Vlan
I would expect this rule to block all traffic from entering the VLAN.
Jetstream(config)#show access-list 1100 counter Combined ACL 1100, Name test ACL Rule ID Total Matched Counter ----------- --------------------- 9999 424
IPv4 appears to be blocked, but ARP is still observed to pass through the VLAN.
Adding rules to block ARP and any broadcast or multicast traffic:
Jetstream(config)#show access-list Combined access list 1100 name: "test" rule 500 deny logging enable type 0806 rule 550 deny logging enable dmac 01:00:00:00:00:00 dmask 01:00:00:00:00:00 rule 9999 deny logging enable
ARP request should be blocked by rule 500 and 550, the reply should be blocked by rule 500 and 9999.
Jetstream(config)#show access-list 1100 counter Combined ACL 1100, Name test ACL Rule ID Total Matched Counter ----------- --------------------- 500 0 550 59 9999 11
Yet ARP still gets through.
- Copy Link
- Report Inappropriate Content
Dear @Marytech,
To better assist you, I've created a support ticket via your registered email address, and escalated it to our support engineer to look into the issue. The ticket ID is TKID220904849, please check your email box and ensure the support email is well received. Thanks!
- Copy Link
- Report Inappropriate Content
Dear Fae good day!
Is it a new version of the firmware (1.0.7 Build 20220606 Rel.58990) that has been removed for download, because it is no longer available for download as of today?
https://www.tp-link.com/en/support/download/tl-sg3428x/#Firmware
Thanks!
- Copy Link
- Report Inappropriate Content
Dear @zexoni70,
I'm afraid that the new firmware 1.0.7 has been temporarily removed from the official website due to recent firmware upgrade issues reported by some customers. TP-Link is looking into the issue with high priority, the new firmware will be released once the issue is resolved. Sorry for any trouble caused!
- Copy Link
- Report Inappropriate Content
Information
Helpful: 0
Views: 2048
Replies: 13
Voters 0
No one has voted for it yet.