How to use an ACL to isolate clients in the same VLAN that connect to different switches?
Zyxel_Melen
Posts: 2,409 Zyxel Employee
Scenario:
A site may have several switches, and the user wants to isolate the clients of a specific VLAN from each other even when those clients are attached to different switches. Port isolation only separates ports of one switch, so it cannot fulfill this requirement; an ACL applied to the switches can.
This FAQ guides you through setting up that ACL.
Topology:
Configuration:
Please navigate to Site-wide > Configure > Switches > ACL to set up the rules. Rules are evaluated in order, so keep the allow rules above the deny rule.
- Set up a rule that allows your DHCP server to hand out addresses. Rule 1 below is the example. Change the source IP address to your DHCP server's IP address and leave the other columns as shown.
- Set up the rules that allow the clients to reach the Internet through the firewall. Rules 2 and 3 below are the examples (one for traffic to the firewall, one for traffic from it). Change the subnet if your subnet is not 192.168.1.0/24. You must change the MAC address to your firewall's MAC address and use mask FF:FF:FF:FF:FF:00; the 00 in the last octet of the mask means that octet of the MAC is not compared, so all addresses that differ only in the last octet match.
- Set up the deny rule that blocks all other traffic between clients in the subnet. Rule 4 below is the example. Change the subnet if your subnet is not 192.168.1.0/24.
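To see why the four rules produce "Internet and firewall reachable, other clients not", the following added example (not part of this FAQ and not Nebula code) models the ACL as a first-match table and runs constructed frames through it. All values are assumptions for illustration: the DHCP server is 192.168.1.2, the client subnet is 192.168.1.0/24, the firewall's MAC is 00:11:22:33:44:00 with mask FF:FF:FF:FF:FF:00, and, as the FAQ's explicit deny rule implies, a frame that matches no rule is forwarded normally.

```python
"""First-match model of the four-rule ACL from this FAQ (added example, not Nebula code).

Assumed values: DHCP server 192.168.1.2, client subnet 192.168.1.0/24, firewall MAC
00:11:22:33:44:00 whose last octet is wildcarded by the mask FF:FF:FF:FF:FF:00.
"""
import ipaddress
from dataclasses import dataclass

ANY = "any"
EXACT = "FF:FF:FF:FF:FF:FF"


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                 # "permit" or "deny"
    src_ip: str = ANY           # CIDR or "any"
    dst_ip: str = ANY
    src_mac: str = ANY
    src_mac_mask: str = EXACT
    dst_mac: str = ANY
    dst_mac_mask: str = EXACT


def mac_int(mac: str) -> int:
    return int(mac.replace(":", "").replace("-", ""), 16)


def ip_match(spec: str, ip: str) -> bool:
    return spec == ANY or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def mac_match(spec: str, mask: str, mac: str) -> bool:
    # A 00 octet in the mask means that octet is not compared.
    if spec == ANY:
        return True
    m = mac_int(mask)
    return (mac_int(spec) & m) == (mac_int(mac) & m)


def rule_match(rule: Rule, f: Frame) -> bool:
    return (ip_match(rule.src_ip, f.src_ip) and ip_match(rule.dst_ip, f.dst_ip)
            and mac_match(rule.src_mac, rule.src_mac_mask, f.src_mac)
            and mac_match(rule.dst_mac, rule.dst_mac_mask, f.dst_mac))


def evaluate(acl, f: Frame, default="permit"):
    """Return (action, rule name) of the first matching rule; no match = forwarded normally."""
    for rule in acl:
        if rule_match(rule, f):
            return rule.action, rule.name
    return default, "no-match"


FW_MAC, FW_MASK = "00:11:22:33:44:00", "FF:FF:FF:FF:FF:00"   # assumed firewall MAC + mask
SUBNET = "192.168.1.0/24"

ACL = [
    Rule("1-dhcp-server", "permit", src_ip="192.168.1.2/32"),
    Rule("2-to-firewall", "permit", src_ip=SUBNET, dst_mac=FW_MAC, dst_mac_mask=FW_MASK),
    Rule("3-from-firewall", "permit", dst_ip=SUBNET, src_mac=FW_MAC, src_mac_mask=FW_MASK),
    Rule("4-deny-intra-vlan", "deny", src_ip=SUBNET, dst_ip=SUBNET),
]
ACL_DENY_FIRST = [ACL[3]] + ACL[:3]   # wrong order, kept to show why order matters

# Constructed sample frames (client .10, DHCP server .2, gateway .1 on the firewall)
BCAST = "FF:FF:FF:FF:FF:FF"
DHCP_DISCOVER = Frame("AA:BB:CC:00:00:10", BCAST, "0.0.0.0", "255.255.255.255")
DHCP_OFFER = Frame("AA:BB:CC:00:00:02", BCAST, "192.168.1.2", "255.255.255.255")
DHCP_RENEW = Frame("AA:BB:CC:00:00:10", "AA:BB:CC:00:00:02", "192.168.1.10", "192.168.1.2")
TO_INTERNET = Frame("AA:BB:CC:00:00:10", "00:11:22:33:44:05", "192.168.1.10", "8.8.8.8")
TO_GATEWAY = Frame("AA:BB:CC:00:00:10", "00:11:22:33:44:01", "192.168.1.10", "192.168.1.1")
FROM_GATEWAY = Frame("00:11:22:33:44:01", "AA:BB:CC:00:00:10", "8.8.8.8", "192.168.1.10")
CLIENT_CLIENT = Frame("AA:BB:CC:00:00:10", "AA:BB:CC:00:00:20", "192.168.1.10", "192.168.1.20")

SAMPLES = [("dhcp discover", DHCP_DISCOVER), ("dhcp offer", DHCP_OFFER),
           ("dhcp renew", DHCP_RENEW), ("to internet", TO_INTERNET),
           ("to gateway", TO_GATEWAY), ("from gateway", FROM_GATEWAY),
           ("client-client", CLIENT_CLIENT)]

if __name__ == "__main__":
    for label, frame in SAMPLES:
        print(f"{label:14} {evaluate(ACL, frame)}   deny-first: {evaluate(ACL_DENY_FIRST, frame)}")
```

Two things the model makes visible. With the deny rule moved to the top, a ping to the gateway (both addresses inside 192.168.1.0/24) is dropped before rule 2 is reached, which is why the allow rules have to sit above it. And a unicast DHCP renewal from a client to a server inside the same subnet falls through to rule 4 in this model, because rule 1 only matches frames sent by the server; the client's broadcast discover and rebind are not affected, since their destination 255.255.255.255 is outside the subnet, and if the firewall is the DHCP server rule 2 already covers the request.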
Verify:
The results are below. I can ping the Internet and the firewall, but cannot ping other devices.