Business Community > Controllers > Unable to Select More than 10 Networks in ACL
< Controllers

Unable to Select More than 10 Networks in ACL

Unable to Select More than 10 Networks in ACL

Unable to Select More than 10 Networks in ACL
Unable to Select More than 10 Networks in ACL
2024-07-01 07:36:54
Tags: #ACL #VLAN & Multi-Networks

When create a Switch ACL in the controller, I'm unable to select more than 10 networks.

 

I have 16 VLANs in total, and I'd like to create a set of rules to deny, for example VLAN1 access to 2-16, then above that, set an allow rule for specific VLANs/IP groups.

 

In the Gateway ACLs, I'm able to add more than 10 networks to a rule, but the LAN->LAN rules on the gateway will only allow networks and not IP groups. It also would appear that if such a rule is defined in the Gateway ACL, then an allow rule in the Switch ACL will not override. Presumably Gateway ACLs take priority over Switch ACLs.

 

 

Simply put, I'd like to create a rule at the bottom of the ACLs to deny any access between VLANs and define what can access as a higher priority rule.

  0      
 
  0      
 
#1
Options
3 Reply
Re:Unable to Select More than 10 Networks in ACL
2024-07-02 08:52:01

Hi  @mg4455 

 

It seems like a limitation of the controller. I will contact software engineers and ask if there is any better solution.

 

For current usage, I think you can put the networks(VLAN interfaces) into continuous subnets. And on Switch ACL, use an IP group to cover multu networks. 

 

For example:

VLAN1 10.0.0.1/24;

VLAN2 192.168.2.1/24;

VLAN3 192.168.3.1/24

 

Then on ACL rule, choose Deny, source choose VLAN 1, destination choose IP Group(192.168.0.1/18)

The trick is, 192.168.0.1/18 contains 192.168.2.1/24 and 192.168.3.1/24 and all that IPs in the 192.168.0.1/18.

 

However it's very hard to use this method, since you will need to calculate the IPs and subnet carefully. 

>> Omada EAP Firmware Trial Available Here << *Try filtering posts on each forum by Label of [Early Access]*
  0  
  0  
#2
Options
Re:Unable to Select More than 10 Networks in ACL
2024-07-02 15:41:45
Thanks for the reply. Yes, that's a workable solution, but as you point out - careful planning is required. I'd be a lot more satisfied too if it where possible to use more than Networks in LAN->LAN in the gateway rules too. As, because that's stateful, where the switches are not, it would allow a lot more flexibility.
  0  
  0  
#3
Options
Re:Unable to Select More than 10 Networks in ACL
2024-07-03 06:26:21

Hi  @mg4455 

 

Our engineers are aware of this limitation, but currently they also don't have a solution. 

 

They said you can also add an additional rule to fit the requirement.

For example rule 1 block VLAN 1 to VLAN 2-8; and rule 2 block VLAN1 to VLAN 9-16 etc..

>> Omada EAP Firmware Trial Available Here << *Try filtering posts on each forum by Label of [Early Access]*
  0  
  0  
#4
Options

Information

Helpful: 0

Views: 298

Replies: 3

Tags

ACL VLAN & Multi-Networks
Related Articles
Unable to select VLAN network in ACL rules - Not listed
442 0
EAP ACL vs. Switch ACL
2605 0
Omada ACL configuration
1180 0
How to create many separate networks Omada
414 0
 [HELP] Multiple Network & VLAN with ACL - Unidirectional
345 0
Omada Captive Portal not showing if ACL are enabled
123 0
About Us
Press
Copyright © TP-Link Systems Inc. All rights reserved.