ACL Grandstream GWN78XX switches

How to deny access from IP phones to PCs via ACL in Grandstream GWN78XX switch

by
ACL Grandstream GWN78XX switches

Description

This article describes the steps to configure ACL to block access from IP Phones to PCs in the Grandstream GWN78XX switch.

SW1 (config) # deny ip icmp 192.168.20.1 host 192.168.10.1

SW1 (config) # permit ip any any

Network Diagram

VLAN 20 for IP Phones: 192.168.20.x
VLAN 10 for PCs: 192.168.2.x

How-to

  1. Configure VLAN 10 and VLAN 20 under Switching > VLAN. Refer to the VLAN guide.
  2. Go to Security > ACL > create IPv4 ACL with a rule of Drop action:
Figure 1 Configure a Drop Action ACL rule with Source IP and Destination IP

3. Configure another rule to Allow any Source IP to any Destination IP

Figure 2: Create another rule to Allow ALL

Figure 3 shows 2 rules under the ACL

4. Go to ACL Binding and bind the port with ACL

Figure 4. Port binding is required

Ping test

All packets with source IP 192.168.20.* and destination IP 192.168.1.* are all dropped (ICMP reply packet), it is expected the PC cannot ping the IP Phones.

Figure 5 It is expected the ping test timeout

What if

What if you want to restrict phones to the PC but allow access from the PC to phones?

It requires a firewall to fit this requirement in the switch.

It is not supported at the moment.