Switch XMG1915 isolate port
All Replies
-
Yes, the router needs to do VLAN and then it needs to not route to other LANs.
The only other way is if the switch did ACL by an Ethernet Type IP and Destination IP Address/Prefix 192.168.0.0/16, then a policy rule to Discard the packet, so that the device can't get to any other device and is allowed to the internet. Keep in mind, if your router does DNS you need to Weight that rule high and allow it, or have the device use like 8.8.8.8.
The switch does port isolation, but its use is: if you set it for ports 3 and 4 with port 2 not set for isolation, then a device on port 3 can't get to a device on port 4 or the other way round, but can go out port 2 as the uplink to the router.
0 -
Is there a switch that supports ACLs with comparable port speeds?
I attempted to untag port 2, but the device can still access the LAN.
0 -
Is there a switch that supports ACLs with comparable port speeds?
XS1930-10
Unless you can get your router to do tags and isolation.
1 -
Hi @switcher ,
Based on the screenshot you provided, we confirm that the XMG1915's port configuration with VLAN51 is correct. If devices connected to XMG1915's port 3 can still access devices on other ports (other VLAN), please contact the router vendor's support team to check the routing configuration.
1 -
So the switch ACL is ingress blocking. I recommend you go to Security > classifier > classifier global and set match order to manual. Also note the Zyxel ACL system is allow unless you block.
So here is how a classifier would look for your device on port 1 that you want to block from connecting to another device by its MAC.
Then you need to add a Policy rule for this classifier to Discard the packet. Note you can hold down the Control key to add many classifiers.
The order of the Policy rule does not matter; it's the Weight set by the classifier: the higher the Weight, the higher the priority.
If your goal is to block this device from accessing 192.168.0.0/16, you make a classifier with port 1, Ethernet type IP and destination IP address 192.168.0.0/16 with Weight 32760 to Discard the packet. Then you need a classifier for DNS to your router, like 192.168.0.1, so port 1, Ethernet type IP and destination IP address 192.168.0.1/32, destination port 53 with Weight 32767, and make a Policy rule with no change. So the order will allow the device on port 1 to 192.168.0.1 and block every IP going to 192.168.0.0/16.
Or another way: you can allow the device MAC to the gateway MAC only, which is a bit more to set up as you need to allow FF:FF:FF:FF:FF:FF for DHCP and ARP destination MAC.
0
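A way to sanity-check the weight ordering in the reply above before entering it on the switch. This is an added example, not part of the thread and not Zyxel code. It models only what the post describes: ingress matching, allow unless a classifier blocks, and the highest-Weight match deciding. The rule names and the `verdict` function are hypothetical.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Classifier:
    name: str                 # hypothetical label, not a switch field
    weight: int               # higher Weight = higher priority (per the post)
    in_port: int              # switch ingress port the classifier is bound to
    dst_net: str              # destination IP address/prefix
    dst_port: Optional[int]   # layer-4 destination port, None = any
    action: str               # "discard" or "no-change"


# The two classifiers from the post, with the addresses and Weights it gives.
RULES = [
    Classifier("block-lan", 32760, 1, "192.168.0.0/16", None, "discard"),
    Classifier("allow-dns", 32767, 1, "192.168.0.1/32", 53, "no-change"),
]


def matches(rule, in_port, dst_ip, dst_port):
    if rule.in_port != in_port:
        return False
    if ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(rule.dst_net):
        return False
    return rule.dst_port is None or rule.dst_port == dst_port


def verdict(in_port, dst_ip, dst_port, rules=RULES):
    """Return (result, deciding rule name) for an ingress IPv4 packet."""
    hits = [r for r in rules if matches(r, in_port, dst_ip, dst_port)]
    if not hits:
        return ("forward", None)          # allow unless a classifier blocks
    best = max(hits, key=lambda r: r.weight)
    return ("drop" if best.action == "discard" else "forward", best.name)


if __name__ == "__main__":
    # Constructed sample traffic from the isolated device on port 1.
    for dst_ip, dst_port in [("192.168.0.1", 53), ("192.168.0.1", 80),
                             ("192.168.5.20", 445), ("8.8.8.8", 53)]:
        print(dst_ip, dst_port, verdict(1, dst_ip, dst_port))
```

Swapping the two Weights makes the discard rule win for 192.168.0.1 port 53, so the device loses DNS to the router. Traffic entering on any other port is untouched, because the classifiers are bound to port 1 only.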