Computer networks
Talyan, 2020-09-04 14:39:52

Why don't VLAN ACLs work on D-Link?

There is a D-Link DES-3200-18 rev. A1

When creating ACLs for subscribers, we usually apply the ACLs to specific ports. If the service on a port changes, we tear down all the ACLs and apply them again, binding them to each port.

I decided to try binding the ACL not to the port but to the VLAN, so that when the service on a port changes it would be enough to change the VLAN, and the ACL applied to that VLAN would take effect on the port.

It turned out like this:

DES-3200-18:5#sh conf cur begin "ACL"
Command: show config current_config begin "ACL"
# ACL

# Rule for the VLANs over which PPPoE is provided. Allow PADI/PADO packets.
create access_profile  ethernet  vlan 0xFF ethernet_type  profile_id 2
config access_profile profile_id 2  add access_id 1  ethernet  vlan v100 ethernet_type 0x8863    port 1-16 permit
config access_profile profile_id 2  add access_id 2  ethernet  vlan v100 ethernet_type 0x8864    port 1-16 permit


# Rule for the VLAN that carries SIP: allow everything in VLAN 15.
create access_profile  ethernet  vlan 0xFF source_mac 00-00-00-00-00-00  profile_id 3
config access_profile profile_id 3  add access_id 1  ethernet  vlan v15 source_mac 00-00-00-00-00-00  port 1-16 permit



# Everything else: block it.
create access_profile  ethernet  source_mac 00-00-00-00-00-00  profile_id 512
config access_profile profile_id 512  add access_id 1  ethernet  source_mac 00-00-00-00-00-00  port 1-16 deny
disable cpu_interface_filtering


As a result:
I configured ipif interfaces in VLANs 15 and 100 on the switch, so that I could later try to ping them and check the rules.
If I put the port as an access port in VLAN 15, everything works: pings go through. I set VLAN 100: pings do not pass, ARPs are blocked. All right.

But: I put both VLANs, 15 and 100, tagged on the switch port at once, and configure a SIP gateway with VLAN support: I put VLAN 15 on its WAN port, and on its LAN port 1 I bridge VLAN 100 through the SIP gateway (we sometimes do this, providing two services from one port). As a result, the SIP gateway can ping the switch in VLAN 15, and the laptop behind the gateway in VLAN 100, for some unknown reason, also suddenly starts pinging the switch in VLAN 100. As if the ACLs don't care that the laptop is in VLAN 100.

How is this supposed to work at all? Maybe I set the VLAN mask incorrectly? I have not found any information on the Internet about what a VLAN mask is and how to calculate it. I've searched everywhere; there is nothing.
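An added example, not part of the original post or of D-Link's own code, that models how the three access_profile rules quoted above would be evaluated. It assumes (this is not confirmed by the post) that the VLAN mask is a bitwise AND over the 12-bit 802.1Q VID field and that rules are checked in ascending profile_id / access_id order with the first match deciding. Under those assumptions the script shows two things a reader of the post would want to check: which IP ping frames the rules permit or deny per VLAN, and that a mask of 0xFF only compares the low 8 bits of the VID, so a rule for VLAN 100 also matches VLANs 356, 612 and so on. The frames are constructed inputs.

```python
# Added example: a model of D-Link access_profile ACL evaluation.
# ASSUMPTION: the vlan mask is ANDed with the 12-bit VID on both the
# rule and the frame; lower profile_id/access_id is evaluated first.

VID_BITS = 0xFFF  # 802.1Q VLAN ID is 12 bits wide


def vid_matches(frame_vid: int, rule_vid: int, mask: int) -> bool:
    """True when the masked bits of the frame VID equal those of the rule VID."""
    masked = mask & VID_BITS
    return (frame_vid & masked) == (rule_vid & masked)


def vids_matched_by(rule_vid: int, mask: int) -> list:
    """Every usable VID (1..4094) that a rule for rule_vid matches under mask."""
    return [v for v in range(1, 4095) if vid_matches(v, rule_vid, mask)]


# Rule model mirroring the post's config:
# (profile_id, access_id, vlan_mask, rule_vid, ethertype, action)
# vlan_mask/rule_vid of None means the profile has no VLAN field;
# ethertype of None means the profile has no ethernet_type field.
RULES = [
    (2,   1, 0xFF, 100, 0x8863, "permit"),  # PPPoE discovery (PADI/PADO) in v100
    (2,   2, 0xFF, 100, 0x8864, "permit"),  # PPPoE session in v100
    (3,   1, 0xFF, 15,  None,   "permit"),  # everything in v15
    (512, 1, None, None, None,  "deny"),    # catch-all deny
]


def evaluate(frame_vid: int, ethertype: int, rules=RULES):
    """Return (action, (profile_id, access_id)) of the first matching rule."""
    for profile_id, access_id, mask, rule_vid, etype, action in sorted(
        rules, key=lambda r: (r[0], r[1])
    ):
        if mask is not None and not vid_matches(frame_vid, rule_vid, mask):
            continue
        if etype is not None and etype != ethertype:
            continue
        return action, (profile_id, access_id)
    # ASSUMPTION: with no ACL hit the switch forwards normally.
    return "permit", None


if __name__ == "__main__":
    # Constructed frames: IPv4 ping in v15, IPv4 ping in v100, PPPoE PADI in v100
    for vid, etype in [(15, 0x0800), (100, 0x0800), (100, 0x8863)]:
        print(f"vid={vid:4d} ethertype=0x{etype:04x} -> {evaluate(vid, etype)}")
    print("mask 0xFF, rule v100 matches:", vids_matched_by(100, 0xFF))
    print("mask 0xFFF, rule v100 matches:", vids_matched_by(100, 0xFFF))
```

Run as written, an IPv4 ping in VLAN 100 hits the profile 512 deny while the same ping in VLAN 15 is permitted by profile 3, which is the per-port result the post describes. The mask check is the practical caveat: 0xFF leaves 16 VIDs aliasing onto each rule, so a frame tagged 356 would satisfy the VLAN 100 PPPoE rules, whereas 0xFFF matches the one VID.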
