How to use ACL to isolate the clients in the same VLAN but connect to different switches?

Zyxel_Melen Posts: 2,409  Zyxel Employee

Scenario:

A site may have several switches, and a user may want to isolate the clients of a specific VLAN even when those clients connect to different switches. Since port isolation cannot fulfil this requirement across switches, an ACL can be used to restrict the traffic instead.

This FAQ guides you through setting up the ACL.

Topology:

Configuration:

Please navigate to Site-wide > Configure > Switches > ACL to set up the rules.

  1. Set up a rule that allows your DHCP server to hand out IP addresses. Rule 1 below is an example: change the source IP address to your DHCP server's IP address and keep the other columns as shown.
  2. Set up the rules that allow the clients to reach the Internet. Rules 2 and 3 below are examples: change the subnet if yours is not 192.168.1.x, and you must change the MAC address to your firewall's MAC address with the mask FF:FF:FF:FF:FF:00.
  3. Set up a deny rule that blocks all other traffic. Rule 4 below is an example: change the subnet if yours is not 192.168.1.x.
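As an added illustration that is not part of the original post, the Python mock below evaluates the four rules in the order listed above against a few constructed frames, to show why the allow rules must sit above the deny rule. The DHCP server address, firewall MAC, client MACs and the "forward anything unmatched" default are assumptions for the example, not values from the post.

```python
import ipaddress

# Constructed sample values (assumptions, not from the post): replace with your own.
DHCP_SERVER = "192.168.1.2"
FIREWALL_MAC = "AA:BB:CC:DD:EE:01"
LAN = ipaddress.ip_network("192.168.1.0/24")
FW_MASK = "FF:FF:FF:FF:FF:00"  # the mask the post specifies for the firewall MAC rules

def mac_match(mac, pattern, mask):
    """True if every octet of mac equals pattern wherever the mask octet is FF."""
    m, p, k = (bytes.fromhex(x.replace(":", "")) for x in (mac, pattern, mask))
    return all((a & c) == (b & c) for a, b, c in zip(m, p, k))

def in_lan(ip):
    return ipaddress.ip_address(ip) in LAN

# One entry per rule in the post, checked top to bottom; the first match decides.
RULES = [
    ("rule1 allow DHCP server", "allow", lambda f: f["src_ip"] == DHCP_SERVER),
    ("rule2 allow LAN->firewall", "allow",
     lambda f: in_lan(f["src_ip"]) and mac_match(f["dst_mac"], FIREWALL_MAC, FW_MASK)),
    ("rule3 allow firewall->LAN", "allow",
     lambda f: in_lan(f["dst_ip"]) and mac_match(f["src_mac"], FIREWALL_MAC, FW_MASK)),
    ("rule4 deny LAN->LAN", "deny",
     lambda f: in_lan(f["src_ip"]) and in_lan(f["dst_ip"])),
]

def frame(src_mac, dst_mac, src_ip, dst_ip):
    return {"src_mac": src_mac, "dst_mac": dst_mac, "src_ip": src_ip, "dst_ip": dst_ip}

def evaluate(f, rules=RULES):
    """Return (action, rule name); unmatched traffic is forwarded (assumed default)."""
    for name, action, pred in rules:
        if pred(f):
            return action, name
    return "allow", "no rule matched"

# Constructed traffic: a DHCP ACK to a client, a client reaching the Internet via
# the firewall, the firewall's reply, and a client talking to a neighbour in the VLAN.
DHCP_ACK = frame("AA:BB:CC:DD:EE:02", "00:11:22:33:44:50", DHCP_SERVER, "192.168.1.50")
TO_INTERNET = frame("00:11:22:33:44:50", FIREWALL_MAC, "192.168.1.50", "203.0.113.10")
FROM_INTERNET = frame(FIREWALL_MAC, "00:11:22:33:44:50", "203.0.113.10", "192.168.1.50")
PEER_TO_PEER = frame("00:11:22:33:44:50", "00:11:22:33:44:51", "192.168.1.50", "192.168.1.51")

# The same rules with the deny rule moved to the top: it now swallows the DHCP ACK,
# which is why the allow rules must be placed before the deny rule.
DENY_FIRST = RULES[3:] + RULES[:3]

if __name__ == "__main__":
    print([evaluate(f) for f in (DHCP_ACK, TO_INTERNET, FROM_INTERNET, PEER_TO_PEER)])
```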

Verify:

The results are below. I can ping the Internet and the firewall, but cannot ping other devices.