issues with understanding/get working L2 Isolation betwen fixed networks

Options
cfts_ea
cfts_ea Posts: 19 image  Freshman Member
First Comment Fifth Anniversary
edited December 2023 in Security

We have just got an ATP800, and thrilled with it, but I'm still having issues with L2 isolation between physical ports.

Our current config port wise is:
Core | Peplink | VPN_Link |Workshop| CCTV| Wi-Fi | Pr_Failover | ZUKU|ge9|ge10|ge11|ge12|ge13|ge14

I want to isolate Wi-Fi, ZUJU, Workshop and CCTV, From Core. e.g. traffic from these networks should not cross into Core other than for the allow list.

As I understand things, putting 'Wi-Fi, Workshop, CCTV' into the member's list should be sufficient, possible for confirmation and correction if required, I have attached some picks which should explain.

I have read various Zyxel documentation on this, but it seems I'm missing something.

Allow List.png
Ethernet Config.png
Layer 2 Isolation.png
Port Groups.png

Thank you in advance. :)

Accepted Solution

  • zyman2008
    zyman2008 Posts: 241 image  Master Member
    50 Answers First Comment Friend Collector Eighth Anniversary
    Answer ✓

    Hi @cfts_ea ,

    The "port" you configure is layer 3 IP interface.

    So that you need to set interface Core to a ZONE(Object > ZONE), ex: Core ZONE.

    And interfaces Workshop/CCTV/Wi-Fi/ZUKU into another ZONE, ex: ZONE1.

    And then go to Security Policy > Policy Control to add rules,

    rule1: From ZONE1 to Core, src: any, dst: address group of allow list, service: any, action: allow

    rule2: From ZONE1 to Core, src: any, dst: any, service: any, action: deny.

All Replies

  • zyman2008
    zyman2008 Posts: 241 image  Master Member
    50 Answers First Comment Friend Collector Eighth Anniversary
    Answer ✓

    Hi @cfts_ea ,

    The "port" you configure is layer 3 IP interface.

    So that you need to set interface Core to a ZONE(Object > ZONE), ex: Core ZONE.

    And interfaces Workshop/CCTV/Wi-Fi/ZUKU into another ZONE, ex: ZONE1.

    And then go to Security Policy > Policy Control to add rules,

    rule1: From ZONE1 to Core, src: any, dst: address group of allow list, service: any, action: allow

    rule2: From ZONE1 to Core, src: any, dst: any, service: any, action: deny.

  • cfts_ea
    cfts_ea Posts: 19 image  Freshman Member
    First Comment Fifth Anniversary
    edited February 2024

    Sorry, and thank you, I only just got back to this I'd setup a Raspberry Pi, to do this, and will now look at seeing if this function can be implemented in the ATP, with the above info :)

Categories

Security Help Center

EnglishTiếng ViệtРусскийไทย中文(台灣)