How to use ACL to isolate the clients in the same VLAN but connect to different switches?
Zyxel_Melen
Posts: 1,673 Zyxel Employee
Scenario:
A site may have several switches, and the administrator wants to isolate the clients of one specific VLAN from each other even though they connect to different switches. Port isolation cannot fulfill this requirement across switches, so an ACL is used to restrict the traffic instead.
This FAQ guides you through setting up that ACL.
Topology:
Configuration:
Please navigate to Site-wide > Configure > Switches > ACL to set up the rules.
- Set up a rule that allows your DHCP server to hand out IP addresses. Rule 1 below is an example: change the source IP address to your DHCP server's IP address and keep the other columns the same.
- Set up the rules that allow the clients to reach the Internet. Rules 2 and 3 below are examples: change the subnet if yours is not 192.168.1.x, and you must change the MAC address to your firewall's MAC address with mask FF:FF:FF:FF:FF:00.
- Set up a deny rule for all other traffic. Rule 4 below is an example: change the subnet if yours is not 192.168.1.x.
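Because the rule screenshots are not reproduced on this page, the following is an added illustration (not Zyxel code) of how the four rules interact: a small first-match ACL evaluator fed with sample frames. The field layout of each rule is reconstructed from the prose above and is an assumption, as are the default action when no rule matches and every IP and MAC address, which are constructed placeholders for "your DHCP server's IP" and "your firewall's MAC". The mask value is the one the FAQ specifies.

```python
"""Toy first-match ACL evaluator modelling the four rules described in the FAQ.
Added example, not Zyxel code. Rule fields are assumed from the prose; all
addresses below are constructed placeholders."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample values; substitute your own.
SUBNET = "192.168.1.0/24"                 # the FAQ's 192.168.1.x subnet
DHCP_SERVER_IP = "192.168.1.2"            # placeholder for the DHCP server's IP
DHCP_SERVER_MAC = "AA:BB:CC:00:00:02"     # constructed
FIREWALL_MAC = "00:11:22:33:44:55"        # placeholder for the firewall's MAC
FIREWALL_MAC_MASK = "FF:FF:FF:FF:FF:00"   # the mask the FAQ specifies
FULL_MAC_MASK = "FF:FF:FF:FF:FF:FF"
CLIENT_A = ("192.168.1.10", "AA:BB:CC:00:00:10")   # constructed client
CLIENT_B = ("192.168.1.20", "AA:BB:CC:00:00:20")   # constructed client


def mac_to_int(mac: str) -> int:
    return int(mac.replace(":", "").replace("-", ""), 16)


def mac_matches(mac: str, pattern: str, mask: str) -> bool:
    """A MAC matches when every bit set in the mask agrees with the pattern.
    FF:FF:FF:FF:FF:00 therefore matches the 256 addresses that share the
    pattern's first five octets, not only the firewall itself."""
    m = mac_to_int(mask)
    return (mac_to_int(mac) & m) == (mac_to_int(pattern) & m)


def ip_in(addr: str, cidr: Optional[str]) -> bool:
    """None means 'any'; otherwise the address must fall inside the CIDR."""
    return cidr is None or ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)


def mac_in(addr: str, pattern: Optional[str], mask: str) -> bool:
    return pattern is None or mac_matches(addr, pattern, mask)


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    src_mac: str
    dst_mac: str


@dataclass
class Rule:
    name: str
    action: str                    # "permit" or "deny"
    src_ip: Optional[str] = None   # CIDR; None means "any"
    dst_ip: Optional[str] = None
    src_mac: Optional[str] = None
    dst_mac: Optional[str] = None
    mac_mask: str = FULL_MAC_MASK

    def matches(self, pkt: Packet) -> bool:
        return (ip_in(pkt.src_ip, self.src_ip) and ip_in(pkt.dst_ip, self.dst_ip)
                and mac_in(pkt.src_mac, self.src_mac, self.mac_mask)
                and mac_in(pkt.dst_mac, self.dst_mac, self.mac_mask))


# Assumed reconstruction of rules 1-4 from the FAQ text; order matters.
RULES: List[Rule] = [
    Rule("rule1-dhcp", "permit", src_ip=f"{DHCP_SERVER_IP}/32"),
    Rule("rule2-to-firewall", "permit", src_ip=SUBNET,
         dst_mac=FIREWALL_MAC, mac_mask=FIREWALL_MAC_MASK),
    Rule("rule3-from-firewall", "permit", dst_ip=SUBNET,
         src_mac=FIREWALL_MAC, mac_mask=FIREWALL_MAC_MASK),
    Rule("rule4-deny-intra-subnet", "deny", src_ip=SUBNET, dst_ip=SUBNET),
]


def evaluate(rules: List[Rule], pkt: Packet, default: str = "permit") -> Tuple[str, Optional[str]]:
    """First matching rule wins. The default when nothing matches is an
    assumption of this toy; check what your switch does."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    return default, None


def demo() -> Dict[str, Tuple[str, Optional[str]]]:
    """Run the sample flows from the FAQ's 'Verify' step through the rule set."""
    flows = {
        "dhcp_offer": Packet(DHCP_SERVER_IP, CLIENT_A[0], DHCP_SERVER_MAC, CLIENT_A[1]),
        "client_to_internet": Packet(CLIENT_A[0], "203.0.113.9", CLIENT_A[1], FIREWALL_MAC),
        "client_to_firewall": Packet(CLIENT_A[0], "192.168.1.1", CLIENT_A[1], FIREWALL_MAC),
        "internet_to_client": Packet("203.0.113.9", CLIENT_A[0], FIREWALL_MAC, CLIENT_A[1]),
        "client_to_client": Packet(CLIENT_A[0], CLIENT_B[0], CLIENT_A[1], CLIENT_B[1]),
        # Broadcast DHCP discover matches no rule; outcome depends on the default.
        "dhcp_discover": Packet("0.0.0.0", "255.255.255.255", CLIENT_A[1], FULL_MAC_MASK),
    }
    return {name: evaluate(RULES, pkt) for name, pkt in flows.items()}


if __name__ == "__main__":
    for name, (action, rule) in demo().items():
        print(f"{name:20s} -> {action:6s} ({rule or 'default'})")
```

Run it as a script to see which rule decides each flow. Two things the evaluator makes visible that the GUI table does not: moving rule 1 below rule 4 makes the DHCP server's unicast offer fall into the subnet-to-subnet deny, and the FF:FF:FF:FF:FF:00 mask accepts any MAC that shares the firewall's first five octets. Before deploying, it is worth adding your own flows (for example a client's unicast renewal to the DHCP server) to check that every flow you depend on is permitted by a rule above the deny.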
Verify:
The results are below. I can ping the Internet and the firewall, but cannot ping other devices.