Problems getting switch ACL rules to trigger

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
2022-11-30 09:29:48 - last edited 2022-12-19 05:28:18
Model: SG2210P  
Hardware Version: V3
Firmware Version: Build 20221019 Rel.46702

Hardware: ER605 v2.0
Firmware: 2.0.1 Build 20220223 Rel.68551

Hardware: TL-SG2210P v3.20
Firmware: 3.20.6 Build 20221019 Rel.46702

Hardware: OC200 2.0
Controller Version: 5.6.4
Firmware: 2.6.1 Build 20220921 Rel.35903

Single LAN: 192.168.30.0/24

What I want:

1. Allow IP addresses 192.168.30.1 to 192.168.30.15 to have internet access always.
2. Allow all other IP addresses to have internet access only during a certain time of day.

Seems fairly straightforward:

a. Defined time schedule:
    SCHEDULE1 Every Day 05:00 am - 10:00 pm

b. Defined IP group:
    GROUP1: IP Subnet: 192.168.30.0/28
    (This should match IP addresses 192.168.30.1 to 192.168.30.15)

c. Created switch ACL, in the order listed:

    1. Enabled, RULE1, Permit, All Protocols, Source: IP Group: GROUP1, Destination: IP Group: IPGroup_Any
    2. Enabled, RULE2, Permit, All Protocols, Source: IP Group: IPGroup_Any, Destination: IP Group: IPGroup_Any, Time Range: Enable, SCHEDULE1
    3. Enabled, RULE3, Deny, All Protocols, Source: IP Group: IPGroup_Any, Destination: IP Group: IPGroup_Any

My idea was that RULE1 would match IP addresses 192.168.30.1 to 192.168.30.15 and therefore always permit them.

RULE2 is only active during SCHEDULE1 and will then permit any other traffic.

Outside of SCHEDULE1, RULE2 does nothing and RULE3 will block all other traffic.

But I am clearly not thinking about this the right way.

With the ACLs in place, during the time window defined by SCHEDULE1, everything seems to work.

But outside of SCHEDULE1, all traffic is blocked. This leads me to the conclusion:

1. RULE1 does nothing.
2. During SCHEDULE1, RULE2 allows all traffic.
3. Outside of SCHEDULE1, RULE3 blocks all traffic.

Question: where am I going wrong, and why does RULE1 not match the intended IP addresses?

(I've also tried listing all 15 addresses in IPGROUP1 (192.168.30.1/32 .... 192.168.30.15/32) but with the same result.)

I have no VLANs other than the standard VLAN1.

Any suggestions will be very much appreciated.

 

Re:Problems getting switch ACL rules to trigger
2022-12-01 11:43:14

  @JTerk 

 

As far as I know, the current firmware version of this switch is not yet compatible with the new Time-Based ACL feature on the controller, and this feature should not work properly.

You should be able to use this function on the switch in standalone mode.

Just striving to develop myself while helping others.
Re:Problems getting switch ACL rules to trigger
2022-12-02 00:39:33

  @Virgo I have the latest software installed on the switch and the controller. The latest release includes the time-based ACL functionality. As such, RULE2 and RULE3 work correctly: permit during the SCHEDULE1 hours, deny outside of the SCHEDULE1 hours.

 

My main question is why RULE1 does not trigger, as I think it should. RULE1 has no SCHEDULE.

 

Thanks

 

JTerk

Re:Problems getting switch ACL rules to trigger-Solution
2022-12-19 03:17:41 - last edited 2022-12-19 05:28:18

  @JTerk With great support from TP-Link, this issue is solved. All I needed was another rule after RULE1 that allows traffic from any address to GROUP1, i.e. RULE1 should be bidirectional.

Recommended Solution
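Why RULE1 alone is not enough, as an added illustration that is not part of the thread: a switch ACL of this kind is evaluated per packet, first match wins, with no notion of an established connection. The original post's three rules are reproduced below in a small Python model, together with the accepted fix (a reverse "any to GROUP1" permit placed after RULE1). The model is example code, not TP-Link's implementation; the host 8.8.8.8 is a stand-in for any Internet destination, the rule name RULE1B is chosen here, and the "unmatched traffic is permitted" default is an assumption consistent with the original post needing an explicit RULE3 deny.

```python
import ipaddress
from dataclasses import dataclass
from datetime import time
from typing import List, Optional, Tuple

# Constructed values taken from the thread: GROUP1 = 192.168.30.0/28,
# SCHEDULE1 = every day 05:00-22:00. 8.8.8.8 is just a stand-in Internet host.
GROUP1 = ipaddress.ip_network("192.168.30.0/28")
ANY = ipaddress.ip_network("0.0.0.0/0")
SCHEDULE1 = (time(5, 0), time(22, 0))


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                                     # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    time_range: Optional[Tuple[time, time]] = None  # None = always active

    def active_at(self, t: time) -> bool:
        if self.time_range is None:
            return True
        start, end = self.time_range
        if start <= end:                            # same-day window, e.g. 05:00-22:00
            return start <= t < end
        return t >= start or t < end                # window that crosses midnight

    def matches(self, src_ip: str, dst_ip: str, t: time) -> bool:
        return (self.active_at(t)
                and ipaddress.ip_address(src_ip) in self.src
                and ipaddress.ip_address(dst_ip) in self.dst)


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, t: time) -> Tuple[Optional[str], str]:
    """First matching rule wins. Assumption (not stated by the vendor here): traffic
    that matches no rule is permitted, which is why the original post ends with RULE3."""
    for r in rules:
        if r.matches(src_ip, dst_ip, t):
            return r.name, r.action
    return None, "permit"


def flow_allowed(rules: List[Rule], client_ip: str, server_ip: str, t: time):
    """A stateless ACL sees the request and the reply as two unrelated packets,
    so a flow only works when BOTH directions are permitted."""
    outbound = evaluate(rules, client_ip, server_ip, t)
    inbound = evaluate(rules, server_ip, client_ip, t)
    return outbound[1] == "permit" and inbound[1] == "permit", outbound, inbound


# The three rules exactly as listed in the original post.
ORIGINAL_RULES = [
    Rule("RULE1", "permit", GROUP1, ANY),
    Rule("RULE2", "permit", ANY, ANY, SCHEDULE1),
    Rule("RULE3", "deny", ANY, ANY),
]

# The accepted fix: a reverse rule after RULE1 so replies to GROUP1 are also permitted.
# "RULE1B" is a name chosen for this example, not one from the thread.
FIXED_RULES = [
    Rule("RULE1", "permit", GROUP1, ANY),
    Rule("RULE1B", "permit", ANY, GROUP1),
    Rule("RULE2", "permit", ANY, ANY, SCHEDULE1),
    Rule("RULE3", "deny", ANY, ANY),
]

if __name__ == "__main__":
    late = time(23, 0)  # outside SCHEDULE1
    for label, rules in (("original", ORIGINAL_RULES), ("fixed", FIXED_RULES)):
        ok, out, back = flow_allowed(rules, "192.168.30.5", "8.8.8.8", late)
        print(f"{label}: GROUP1 host at 23:00 -> request {out}, reply {back}, flow ok={ok}")
```

With the original rules, a request from 192.168.30.5 at 23:00 hits RULE1 and is permitted, but the reply from 8.8.8.8 to 192.168.30.5 has a source outside GROUP1, RULE2 is inactive, so RULE3 drops it and the connection never completes. That is exactly the symptom in the thread (RULE1 "does nothing"). The reverse rule fixes it, but note what it costs: the ACL cannot tell a reply from an unsolicited packet, so "any to GROUP1" also permits any host on the LAN to reach the GROUP1 addresses at all hours. If that matters, restrict the reverse rule's source (for example to the gateway's address) rather than leaving it as any.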