issues with understanding/get working L2 Isolation betwen fixed networks

cfts_ea
cfts_ea Posts: 19  Freshman Member
First Anniversary 10 Comments
edited December 2023 in Security

We have just got an ATP800, and thrilled with it, but I'm still having issues with L2 isolation between physical ports.

Our current config port wise is:
Core | Peplink | VPN_Link |Workshop| CCTV| Wi-Fi | Pr_Failover | ZUKU|ge9|ge10|ge11|ge12|ge13|ge14

I want to isolate Wi-Fi, ZUJU, Workshop and CCTV, From Core. e.g. traffic from these networks should not cross into Core other than for the allow list.

As I understand things, putting 'Wi-Fi, Workshop, CCTV' into the member's list should be sufficient, possible for confirmation and correction if required, I have attached some picks which should explain.

I have read various Zyxel documentation on this, but it seems I'm missing something.

Thank you in advance. :)

Accepted Solution

  • zyman2008
    zyman2008 Posts: 199  Master Member
    First Anniversary 10 Comments Friend Collector First Answer
    Answer ✓

    Hi @cfts_ea ,

    The "port" you configure is layer 3 IP interface.

    So that you need to set interface Core to a ZONE(Object > ZONE), ex: Core ZONE.

    And interfaces Workshop/CCTV/Wi-Fi/ZUKU into another ZONE, ex: ZONE1.

    And then go to Security Policy > Policy Control to add rules,

    rule1: From ZONE1 to Core, src: any, dst: address group of allow list, service: any, action: allow

    rule2: From ZONE1 to Core, src: any, dst: any, service: any, action: deny.

All Replies

  • zyman2008
    zyman2008 Posts: 199  Master Member
    First Anniversary 10 Comments Friend Collector First Answer
    Answer ✓

    Hi @cfts_ea ,

    The "port" you configure is layer 3 IP interface.

    So that you need to set interface Core to a ZONE(Object > ZONE), ex: Core ZONE.

    And interfaces Workshop/CCTV/Wi-Fi/ZUKU into another ZONE, ex: ZONE1.

    And then go to Security Policy > Policy Control to add rules,

    rule1: From ZONE1 to Core, src: any, dst: address group of allow list, service: any, action: allow

    rule2: From ZONE1 to Core, src: any, dst: any, service: any, action: deny.

  • cfts_ea
    cfts_ea Posts: 19  Freshman Member
    First Anniversary 10 Comments
    edited February 5

    Sorry, and thank you, I only just got back to this I'd setup a Raspberry Pi, to do this, and will now look at seeing if this function can be implemented in the ATP, with the above info :)

Security Highlight