<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>MOXA EDS-528E — ACL Configuration Walkthrough</title>
<style>
@import url('https://fonts.googleapis.com/css2?family=JetBrains+Mono:wght@400;600;700&family=Inter:wght@400;500;600;700;800&display=swap');
:root {
--bg: #0a0e17;
--surface: #111827;
--surface2: #1a2236;
--border: #1e293b;
--border-accent: #334155;
--text: #e2e8f0;
--text-dim: #94a3b8;
--text-muted: #64748b;
--accent: #38bdf8;
--accent2: #818cf8;
--green: #34d399;
--red: #f87171;
--orange: #fb923c;
--yellow: #fbbf24;
--moxa-blue: #0066b3;
--moxa-dark: #003d6b;
--scada-color: #818cf8;
--io-color: #34d399;
--plc-color: #fbbf24;
--block-color: #f87171;
}
* { margin: 0; padding: 0; box-sizing: border-box; }
body {
font-family: 'Inter', sans-serif;
background: var(--bg);
color: var(--text);
line-height: 1.7;
padding: 0;
}
/* ─── HEADER ─── */
.hero {
background: linear-gradient(135deg, var(--moxa-dark) 0%, #001a33 50%, var(--bg) 100%);
border-bottom: 1px solid var(--border);
padding: 3rem 2rem;
text-align: center;
}
.hero-badge {
display: inline-block;
background: rgba(56, 189, 248, 0.1);
border: 1px solid rgba(56, 189, 248, 0.3);
color: var(--accent);
font-family: 'JetBrains Mono', monospace;
font-size: 0.75rem;
font-weight: 600;
padding: 0.3rem 0.8rem;
border-radius: 4px;
letter-spacing: 0.05em;
margin-bottom: 1rem;
}
.hero h1 {
font-size: 2rem;
font-weight: 800;
color: #fff;
margin-bottom: 0.5rem;
letter-spacing: -0.02em;
}
.hero p {
color: var(--text-dim);
font-size: 1rem;
max-width: 700px;
margin: 0 auto;
}
/* ─── MAIN LAYOUT ─── */
.container {
max-width: 960px;
margin: 0 auto;
padding: 2rem 1.5rem;
}
/* ─── CORRECTION BANNER ─── */
.correction-banner {
background: linear-gradient(135deg, rgba(248, 113, 113, 0.08), rgba(248, 113, 113, 0.03));
border: 1px solid rgba(248, 113, 113, 0.25);
border-left: 4px solid var(--red);
border-radius: 8px;
padding: 1.5rem;
margin-bottom: 2.5rem;
}
.correction-banner h3 {
color: var(--red);
font-size: 0.9rem;
font-weight: 700;
text-transform: uppercase;
letter-spacing: 0.05em;
margin-bottom: 0.5rem;
}
.correction-banner p {
color: var(--text-dim);
font-size: 0.9rem;
margin-bottom: 0.5rem;
}
.correction-banner strong { color: var(--text); }
/* ─── SECTION HEADERS ─── */
.section-header {
display: flex;
align-items: center;
gap: 0.75rem;
margin: 3rem 0 1.5rem 0;
padding-bottom: 0.75rem;
border-bottom: 1px solid var(--border);
}
.section-number {
display: flex;
align-items: center;
justify-content: center;
width: 36px;
height: 36px;
background: var(--accent);
color: var(--bg);
font-weight: 800;
font-size: 0.9rem;
border-radius: 8px;
flex-shrink: 0;
}
.section-header h2 {
font-size: 1.3rem;
font-weight: 700;
color: #fff;
}
/* ─── STEP CARDS ─── */
.step {
background: var(--surface);
border: 1px solid var(--border);
border-radius: 10px;
padding: 1.5rem;
margin-bottom: 1.5rem;
}
.step-label {
font-family: 'JetBrains Mono', monospace;
font-size: 0.7rem;
font-weight: 600;
color: var(--accent);
text-transform: uppercase;
letter-spacing: 0.08em;
margin-bottom: 0.5rem;
}
.step h3 {
font-size: 1.05rem;
font-weight: 700;
color: #fff;
margin-bottom: 0.75rem;
}
.step p {
color: var(--text-dim);
font-size: 0.9rem;
margin-bottom: 0.75rem;
}
/* ─── MOXA WEB UI MOCKUP ─── */
.moxa-ui {
background: #f5f5f5;
border: 2px solid #ccc;
border-radius: 6px;
overflow: hidden;
margin: 1rem 0;
font-family: 'Segoe UI', Tahoma, sans-serif;
color: #333;
}
.moxa-titlebar {
background: linear-gradient(180deg, var(--moxa-blue) 0%, var(--moxa-dark) 100%);
color: #fff;
padding: 8px 12px;
font-size: 12px;
font-weight: 600;
display: flex;
align-items: center;
gap: 8px;
}
.moxa-titlebar .moxa-logo {
background: #fff;
color: var(--moxa-blue);
font-weight: 800;
font-size: 11px;
padding: 2px 6px;
border-radius: 3px;
letter-spacing: 0.1em;
}
.moxa-body {
display: flex;
min-height: 200px;
}
.moxa-sidebar {
width: 180px;
background: #e8edf2;
border-right: 1px solid #ccc;
padding: 8px 0;
font-size: 12px;
flex-shrink: 0;
}
.moxa-sidebar-item {
padding: 5px 12px;
color: #555;
cursor: default;
}
.moxa-sidebar-item.parent {
font-weight: 600;
color: #333;
}
.moxa-sidebar-item.active {
background: var(--moxa-blue);
color: #fff;
font-weight: 600;
}
.moxa-sidebar-item.child {
padding-left: 24px;
font-size: 11px;
}
.moxa-content {
flex: 1;
padding: 12px 16px;
background: #fff;
font-size: 12px;
overflow-x: auto;
}
.moxa-content h4 {
font-size: 14px;
color: var(--moxa-dark);
margin-bottom: 10px;
border-bottom: 2px solid var(--moxa-blue);
padding-bottom: 4px;
}
/* MOXA form elements */
.moxa-form-row {
display: flex;
align-items: center;
gap: 10px;
margin-bottom: 8px;
font-size: 12px;
}
.moxa-form-row label {
width: 140px;
font-weight: 600;
color: #444;
flex-shrink: 0;
}
.moxa-input, .moxa-select {
border: 1px solid #aaa;
padding: 3px 6px;
font-size: 12px;
font-family: inherit;
background: #fff;
border-radius: 2px;
}
.moxa-select { min-width: 120px; }
.moxa-input { width: 160px; }
.moxa-btn {
background: linear-gradient(180deg, #f0f0f0, #d0d0d0);
border: 1px solid #999;
padding: 3px 14px;
font-size: 11px;
font-weight: 600;
cursor: pointer;
border-radius: 2px;
color: #333;
}
.moxa-btn.primary {
background: linear-gradient(180deg, var(--moxa-blue), var(--moxa-dark));
color: #fff;
border-color: var(--moxa-dark);
}
/* MOXA tables */
.moxa-table {
width: 100%;
border-collapse: collapse;
font-size: 11px;
margin: 8px 0;
}
.moxa-table th {
background: #e0e8f0;
border: 1px solid #bbb;
padding: 4px 8px;
font-weight: 600;
color: #333;
text-align: left;
white-space: nowrap;
}
.moxa-table td {
border: 1px solid #ccc;
padding: 4px 8px;
background: #fff;
white-space: nowrap;
}
.moxa-table tr:nth-child(even) td {
background: #f8f9fa;
}
.moxa-table .highlight-permit td {
background: #d4edda;
}
.moxa-table .highlight-deny td {
background: #f8d7da;
}
.moxa-table .highlight-active td {
background: #e3f2fd;
}
/* ─── INFO CALLOUTS ─── */
.callout {
border-radius: 8px;
padding: 1rem 1.25rem;
margin: 1rem 0;
font-size: 0.85rem;
line-height: 1.6;
}
.callout.warning {
background: rgba(251, 191, 36, 0.08);
border: 1px solid rgba(251, 191, 36, 0.25);
border-left: 4px solid var(--yellow);
color: var(--text-dim);
}
.callout.info {
background: rgba(56, 189, 248, 0.08);
border: 1px solid rgba(56, 189, 248, 0.25);
border-left: 4px solid var(--accent);
color: var(--text-dim);
}
.callout.success {
background: rgba(52, 211, 153, 0.08);
border: 1px solid rgba(52, 211, 153, 0.25);
border-left: 4px solid var(--green);
color: var(--text-dim);
}
.callout strong { color: var(--text); }
.callout code {
font-family: 'JetBrains Mono', monospace;
font-size: 0.8rem;
background: rgba(255,255,255,0.06);
padding: 1px 5px;
border-radius: 3px;
color: var(--accent);
}
/* ─── PATH BREADCRUMB ─── */
.nav-path {
font-family: 'JetBrains Mono', monospace;
font-size: 0.8rem;
color: var(--accent);
background: rgba(56, 189, 248, 0.06);
border: 1px solid rgba(56, 189, 248, 0.15);
padding: 0.5rem 0.75rem;
border-radius: 6px;
margin-bottom: 1rem;
display: inline-block;
}
.nav-path .sep { color: var(--text-muted); margin: 0 0.25rem; }
/* ─── ACL RULE TABLE (dark theme) ─── */
.acl-rules {
width: 100%;
border-collapse: collapse;
font-family: 'JetBrains Mono', monospace;
font-size: 0.75rem;
margin: 1rem 0;
}
.acl-rules th {
background: var(--surface2);
border: 1px solid var(--border);
padding: 6px 10px;
color: var(--text-dim);
font-weight: 600;
text-align: left;
white-space: nowrap;
}
.acl-rules td {
border: 1px solid var(--border);
padding: 5px 10px;
white-space: nowrap;
}
.acl-rules .permit { color: var(--green); font-weight: 600; }
.acl-rules .deny { color: var(--red); font-weight: 600; }
/* ─── PORT MAP DIAGRAM ─── */
.port-map {
display: grid;
grid-template-columns: repeat(14, 1fr);
gap: 4px;
margin: 1rem 0;
padding: 1rem;
background: var(--surface2);
border-radius: 8px;
border: 1px solid var(--border);
}
.port-cell {
text-align: center;
padding: 6px 2px;
border-radius: 4px;
font-family: 'JetBrains Mono', monospace;
font-size: 0.65rem;
font-weight: 600;
border: 1px solid transparent;
}
.port-cell.scada { background: rgba(129, 140, 248, 0.15); border-color: rgba(129, 140, 248, 0.4); color: var(--scada-color); }
.port-cell.io { background: rgba(52, 211, 153, 0.15); border-color: rgba(52, 211, 153, 0.4); color: var(--io-color); }
.port-cell.plc { background: rgba(251, 191, 36, 0.15); border-color: rgba(251, 191, 36, 0.4); color: var(--plc-color); }
.port-cell.disabled { background: rgba(100, 116, 139, 0.1); color: var(--text-muted); }
.port-cell.mgmt { background: rgba(56, 189, 248, 0.1); border-color: rgba(56, 189, 248, 0.3); color: var(--accent); }
/* ─── COMPARISON TABLE ─── */
.comparison {
display: grid;
grid-template-columns: 1fr 1fr;
gap: 1rem;
margin: 1rem 0;
}
.compare-card {
background: var(--surface);
border: 1px solid var(--border);
border-radius: 8px;
padding: 1rem;
}
.compare-card h4 {
font-size: 0.85rem;
font-weight: 700;
margin-bottom: 0.5rem;
}
.compare-card.old h4 { color: var(--red); }
.compare-card.new h4 { color: var(--green); }
.compare-card p {
font-size: 0.8rem;
color: var(--text-dim);
}
/* ─── FLOW DIAGRAM ─── */
.flow-diagram {
display: flex;
align-items: center;
justify-content: center;
gap: 0.5rem;
margin: 1rem 0;
padding: 1.5rem;
background: var(--surface);
border: 1px solid var(--border);
border-radius: 8px;
flex-wrap: wrap;
}
.flow-box {
padding: 0.5rem 1rem;
border-radius: 6px;
font-size: 0.8rem;
font-weight: 600;
text-align: center;
min-width: 100px;
}
.flow-box.scada { background: rgba(129, 140, 248, 0.2); border: 1px solid var(--scada-color); color: var(--scada-color); }
.flow-box.plc { background: rgba(251, 191, 36, 0.2); border: 1px solid var(--plc-color); color: var(--plc-color); }
.flow-box.io { background: rgba(52, 211, 153, 0.2); border: 1px solid var(--io-color); color: var(--io-color); }
.flow-arrow { color: var(--green); font-size: 1.2rem; font-weight: 700; }
.flow-arrow.blocked { color: var(--red); }
/* ─── CHECKLIST ─── */
.checklist {
list-style: none;
margin: 1rem 0;
}
.checklist li {
padding: 0.4rem 0;
padding-left: 1.8rem;
position: relative;
font-size: 0.85rem;
color: var(--text-dim);
}
.checklist li::before {
content: '☐';
position: absolute;
left: 0;
color: var(--text-muted);
font-size: 1rem;
}
/* ─── CODE BLOCKS ─── */
.cli-block {
background: #0d1117;
border: 1px solid var(--border);
border-radius: 6px;
padding: 1rem;
font-family: 'JetBrains Mono', monospace;
font-size: 0.78rem;
line-height: 1.8;
overflow-x: auto;
margin: 0.75rem 0;
color: #c9d1d9;
}
.cli-block .prompt { color: var(--green); }
.cli-block .comment { color: var(--text-muted); }
.cli-block .cmd { color: var(--accent); }
/* ─── ANNOTATION ARROW ─── */
.annotation {
display: flex;
align-items: flex-start;
gap: 0.5rem;
margin: 0.5rem 0;
padding: 0.5rem 0.75rem;
background: rgba(56, 189, 248, 0.04);
border-left: 3px solid var(--accent);
border-radius: 0 6px 6px 0;
}
.annotation .arrow { color: var(--accent); font-size: 1rem; flex-shrink: 0; margin-top: 2px; }
.annotation p { font-size: 0.82rem; color: var(--text-dim); }
/* ─── FOOTER ─── */
.footer {
text-align: center;
padding: 2rem;
border-top: 1px solid var(--border);
margin-top: 3rem;
color: var(--text-muted);
font-size: 0.8rem;
}
@media (max-width: 768px) {
.moxa-body { flex-direction: column; }
.moxa-sidebar { width: 100%; }
.comparison { grid-template-columns: 1fr; }
.port-map { grid-template-columns: repeat(7, 1fr); }
}
</style>
</head>
<body>
<!-- ═══════════ HERO ═══════════ -->
<div class="hero">
<div class="hero-badge">AUTOSYS LLC — CP4000 MOXA EDS-528E</div>
<h1>ACL Configuration Walkthrough</h1>
<p>Step-by-step visual guide for configuring Ingress Access Control Lists to isolate SCADA and I/O traffic zones on the MOXA EDS-528E web interface.</p>
</div>
<div class="container">
<!-- ═══════════ CORRECTION ═══════════ -->
<div class="correction-banner">
<h3>⚠ Design Correction — Rev 3.0 Amendment</h3>
<p><strong>Original plan referenced "Switching → Traffic Segmentation" matrix.</strong> After verifying against the MOXA EDS-528E (FW 5.x) manual, this feature does not exist on this model. Traffic segmentation matrices are available on IKS/ICS series switches, not the EDS-528E.</p>
<p><strong>Corrected approach:</strong> The EDS-528E supports <strong>Ingress ACLs (Access Control Lists)</strong> — confirmed for this model. ACLs achieve the same port-to-port isolation through IP-based filtering rules applied at ingress on each port.</p>
<p><strong>Net effect is identical:</strong> SCADA cannot reach I/O devices. I/O devices cannot reach SCADA. PLC communicates with both zones. No IP changes required.</p>
</div>
<!-- ═══════════ HOW ACLs WORK ═══════════ -->
<div class="section-header">
<div class="section-number">0</div>
<h2>How ACLs Achieve the Isolation</h2>
</div>
<div class="step">
<p>Instead of a port-forwarding matrix, we apply <strong>ingress filter rules</strong> on each port. When a frame enters a port, the ACL bound to that port compares the frame's source and destination IP against its rule list, top to bottom. If the first matching rule is a DENY (for example, a destination in the blocked zone), the frame is dropped before the switch ever forwards it.</p>
<div class="flow-diagram">
<div class="flow-box scada">SCADA<br><small>G2, P9</small></div>
<span class="flow-arrow">→</span>
<div class="flow-box plc">PLC<br><small>.140</small></div>
<span class="flow-arrow">←</span>
<div class="flow-box io">I/O Zone<br><small>P2,P5-7,P13,G1,G3</small></div>
</div>
<div class="flow-diagram">
<div class="flow-box scada">SCADA</div>
<span class="flow-arrow blocked">—✕—</span>
<div class="flow-box io">I/O Zone</div>
<span style="color:var(--text-muted); font-size:0.75rem; margin-left:1rem;">Blocked by ingress ACL in both directions</span>
</div>
<div class="callout info">
<strong>Key concept:</strong> We create two ACL groups. <strong>ACL 1 ("SCADA-INGRESS")</strong> is applied to G2 and P9 — it permits only traffic destined for the PLC and switch management, and denies everything else on the subnet. <strong>ACL 2 ("IO-INGRESS")</strong> is applied to all I/O ports — it permits traffic to PLC and switch management, allows I/O-to-I/O communication, and denies SCADA-bound traffic.
</div>
</div>
<!-- ═══════════ PORT MAP ═══════════ -->
<div class="section-header">
<div class="section-number">1</div>
<h2>Port Zone Map — ACL Assignments</h2>
</div>
<div class="step">
<p>Each active port gets assigned to an ACL group based on its zone. Disabled ports have no ACL (they're shut down).</p>
<table class="acl-rules" style="width:100%;">
<thead>
<tr>
<th>Port</th>
<th>Name</th>
<th>Zone</th>
<th>ACL Applied</th>
<th>Direction</th>
</tr>
</thead>
<tbody>
<tr><td>P1</td><td>Management</td><td style="color:var(--accent)">MGMT</td><td>None (mgmt only)</td><td>—</td></tr>
<tr><td>P2</td><td>MCC5 (RS20 chain)</td><td style="color:var(--io-color)">I/O</td><td><span class="permit">ACL 2: IO-INGRESS</span></td><td>Ingress</td></tr>
<tr><td>P5</td><td>Pwr Mon 1</td><td style="color:var(--io-color)">I/O</td><td><span class="permit">ACL 2: IO-INGRESS</span></td><td>Ingress</td></tr>
<tr><td>P6</td><td>Pwr Mon 2</td><td style="color:var(--io-color)">I/O</td><td><span class="permit">ACL 2: IO-INGRESS</span></td><td>Ingress</td></tr>
<tr><td>P7</td><td>PACP PLC</td><td style="color:var(--io-color)">I/O</td><td><span class="permit">ACL 2: IO-INGRESS</span></td><td>Ingress</td></tr>
<tr><td>P9</td><td>PACP HMI</td><td style="color:var(--scada-color)">SCADA</td><td><span class="deny">ACL 1: SCADA-INGRESS</span></td><td>Ingress</td></tr>
<tr><td>P13</td><td>OIT (Local HMI)</td><td style="color:var(--io-color)">I/O</td><td><span class="permit">ACL 2: IO-INGRESS</span></td><td>Ingress</td></tr>
<tr><td>P15</td><td>PLC (5069-L330ER)</td><td style="color:var(--plc-color)">HUB</td><td>None (unrestricted)</td><td>—</td></tr>
<tr><td>G1</td><td>RDT1</td><td style="color:var(--io-color)">I/O</td><td><span class="permit">ACL 2: IO-INGRESS</span></td><td>Ingress</td></tr>
<tr><td>G2</td><td>SCADA Trunk</td><td style="color:var(--scada-color)">SCADA</td><td><span class="deny">ACL 1: SCADA-INGRESS</span></td><td>Ingress</td></tr>
<tr><td>G3</td><td>RDT2</td><td style="color:var(--io-color)">I/O</td><td><span class="permit">ACL 2: IO-INGRESS</span></td><td>Ingress</td></tr>
</tbody>
</table>
<div class="callout warning">
<strong>Port 15 (PLC) and Port 1 (Management) have NO ACL applied.</strong> The PLC must communicate freely with both zones. The management port is for switch admin access only. Do not apply ACLs to these ports.
</div>
</div>
<!-- ═══════════ STEP 2: NAVIGATE TO ACL ═══════════ -->
<div class="section-header">
<div class="section-number">2</div>
<h2>Navigate to ACL Configuration</h2>
</div>
<div class="step">
<div class="nav-path">
https://192.168.1.142 <span class="sep">→</span> Login (admin) <span class="sep">→</span> Security <span class="sep">→</span> Access Control List
</div>
<p>After logging into the MOXA web console, navigate to the <strong>Security</strong> section in the left sidebar, then click <strong>Access Control List</strong>.</p>
<!-- MOXA UI Mockup: Navigation -->
<div class="moxa-ui">
<div class="moxa-titlebar">
<span class="moxa-logo">MOXA</span>
EDS-528E-4GTXSFP — CP4000-MOXA — 192.168.1.142
</div>
<div class="moxa-body">
<div class="moxa-sidebar">
<div class="moxa-sidebar-item parent">▸ System Settings</div>
<div class="moxa-sidebar-item parent">▸ PoE</div>
<div class="moxa-sidebar-item parent">▸ Monitoring</div>
<div class="moxa-sidebar-item parent">▸ VLAN</div>
<div class="moxa-sidebar-item parent">▸ Port</div>
<div class="moxa-sidebar-item parent">▸ Multicast</div>
<div class="moxa-sidebar-item parent">▸ QoS</div>
<div class="moxa-sidebar-item parent" style="color:var(--moxa-blue); font-weight:700;">▾ Security</div>
<div class="moxa-sidebar-item child">Management Interface</div>
<div class="moxa-sidebar-item child">Trusted Access</div>
<div class="moxa-sidebar-item child">SSL Certificate</div>
<div class="moxa-sidebar-item child">Login Authentication</div>
<div class="moxa-sidebar-item child">IEEE 802.1X</div>
<div class="moxa-sidebar-item child">Port Security</div>
<div class="moxa-sidebar-item child">Broadcast Storm</div>
<div class="moxa-sidebar-item child">Loop Protection</div>
<div class="moxa-sidebar-item child active">Access Control List</div>
<div class="moxa-sidebar-item parent">▸ DHCP</div>
<div class="moxa-sidebar-item parent">▸ SNMP</div>
<div class="moxa-sidebar-item parent">▸ Diagnostics</div>
</div>
<div class="moxa-content">
<h4>Access Control List</h4>
<p style="margin-bottom:10px; color:#666;">Access Control Lists are used to filter network traffic by source/destination IP or MAC address.</p>
<p style="margin-bottom:8px; color:#333; font-weight:600;">ACL List</p>
<table class="moxa-table">
<tr><th>ACL ID</th><th>ACL Name</th><th>Type</th><th>Rules</th><th>Status</th><th>Action</th></tr>
<tr><td colspan="6" style="text-align:center; color:#999; padding:20px;">No ACL entries configured. Click "Add" to create a new ACL.</td></tr>
</table>
<div style="margin-top:10px;">
<button class="moxa-btn primary" style="font-size:12px;">+ Add New ACL</button>
</div>
</div>
</div>
</div>
<div class="annotation">
<span class="arrow">→</span>
<p>This is what you'll see before any ACLs are configured. The list will be empty. Click <strong>"Add New ACL"</strong> to create the first ACL group.</p>
</div>
</div>
<!-- ═══════════ STEP 3: CREATE ACL 1 ═══════════ -->
<div class="section-header">
<div class="section-number">3</div>
<h2>Create ACL 1: SCADA-INGRESS</h2>
</div>
<div class="step">
<div class="step-label">ACL Group Setup</div>
<h3>Add New ACL — IP Based</h3>
<p>Create the first ACL that will be applied to SCADA-facing ports (G2 and P9). This ACL permits only PLC and switch management traffic, blocking everything else.</p>
<div class="moxa-ui">
<div class="moxa-titlebar">
<span class="moxa-logo">MOXA</span>
Security > Access Control List > Add New ACL
</div>
<div class="moxa-body">
<div class="moxa-sidebar" style="width:160px;">
<div class="moxa-sidebar-item parent" style="color:var(--moxa-blue); font-weight:700;">▾ Security</div>
<div class="moxa-sidebar-item child active">Access Control List</div>
</div>
<div class="moxa-content">
<h4>Add New Access Control List</h4>
<div class="moxa-form-row">
<label>ACL ID:</label>
<input class="moxa-input" value="1" style="width:60px; background:#e8f4fd; font-weight:600;" readonly>
</div>
<div class="moxa-form-row">
<label>ACL Name:</label>
<input class="moxa-input" value="SCADA-INGRESS" style="background:#ffffcc; font-weight:600;">
</div>
<div class="moxa-form-row">
<label>ACL Type:</label>
<select class="moxa-select" style="background:#ffffcc;">
<option>MAC Based</option>
<option selected style="font-weight:600;">IP Based</option>
</select>
</div>
<div style="margin-top:15px;">
<button class="moxa-btn primary">Create ACL</button>
<button class="moxa-btn" style="margin-left:6px;">Cancel</button>
</div>
</div>
</div>
</div>
<div class="annotation">
<span class="arrow">→</span>
<p><strong>Select "IP Based"</strong> — this allows filtering by source/destination IP address. MAC-based would also work but IP-based is more readable and maintainable since you're working with known static IPs.</p>
</div>
</div>
<div class="step">
<div class="step-label">Add Rules to ACL 1</div>
<h3>SCADA-INGRESS Rules (3 rules)</h3>
<p>After creating the ACL, you'll add rules one at a time. Rules are processed top-to-bottom by priority index (lower number = higher priority). The first matching rule wins.</p>
<div class="moxa-ui">
<div class="moxa-titlebar">
<span class="moxa-logo">MOXA</span>
Security > Access Control List > ACL 1: SCADA-INGRESS > Rules
</div>
<div class="moxa-body" style="flex-direction:column;">
<div class="moxa-content" style="width:100%;">
<h4>ACL 1: SCADA-INGRESS — Rule Configuration (IP Based)</h4>
<p style="margin-bottom:10px; color:#666;">Layer 2 switches support Ingress ACL only. Max 10 rules per ACL.</p>
<table class="moxa-table">
<tr>
<th>Priority</th>
<th>Action</th>
<th>Src IP / Mask</th>
<th>Dst IP / Mask</th>
<th>Protocol</th>
<th>Description</th>
</tr>
<tr class="highlight-permit">
<td style="font-weight:600;">1</td>
<td style="color:green; font-weight:600;">PERMIT</td>
<td>any</td>
<td>192.168.1.140 / 255.255.255.255</td>
<td>any</td>
<td>Allow all traffic TO the PLC</td>
</tr>
<tr class="highlight-permit">
<td style="font-weight:600;">2</td>
<td style="color:green; font-weight:600;">PERMIT</td>
<td>any</td>
<td>192.168.1.142 / 255.255.255.255</td>
<td>any</td>
<td>Allow traffic TO switch mgmt</td>
</tr>
<tr class="highlight-deny">
<td style="font-weight:600;">3</td>
<td style="color:red; font-weight:600;">DENY</td>
<td>any</td>
<td>192.168.1.0 / 255.255.255.0</td>
<td>any</td>
<td>Block ALL other 192.168.1.x traffic</td>
</tr>
</table>
<div style="margin-top:10px;">
<button class="moxa-btn primary">+ Add Rule</button>
<button class="moxa-btn">Save</button>
</div>
</div>
</div>
</div>
<div class="callout warning">
<strong>Rule order is critical.</strong> The PERMIT rules (priority 1 and 2) MUST come before the DENY rule (priority 3). The switch evaluates rules top-to-bottom and stops at the first match. If the DENY were first, it would block PLC traffic too.
</div>
<div class="callout info">
<strong>Why /32 masks for PERMIT and /24 for DENY?</strong> The PERMIT rules use <code>255.255.255.255</code> (exact host match) so that only the PLC and the switch itself are allowed. The DENY rule uses <code>255.255.255.0</code> to block the entire subnet, catching every I/O device IP in one rule. A frame that matches none of the three rules (non-IP frames such as ARP, or IP traffic addressed outside 192.168.1.0/24) passes through implicitly, because there is no deny-all entry in this ACL.
</div>
</div>
<div class="step">
<div class="step-label">Add each rule individually</div>
<h3>Adding Rule 1 — Permit to PLC</h3>
<p>Here's what the "Add Rule" form looks like for each entry. You'll fill this out three times for ACL 1.</p>
<div class="moxa-ui">
<div class="moxa-titlebar">
<span class="moxa-logo">MOXA</span>
ACL 1: SCADA-INGRESS > Add Rule
</div>
<div class="moxa-body" style="flex-direction:column;">
<div class="moxa-content" style="width:100%;">
<h4>Add New Rule</h4>
<div class="moxa-form-row">
<label>Priority Index:</label>
<input class="moxa-input" value="1" style="width:60px; background:#ffffcc; font-weight:600;">
</div>
<div class="moxa-form-row">
<label>Action:</label>
<select class="moxa-select" style="background:#d4edda; font-weight:600;">
<option selected>Permit</option>
<option>Deny</option>
</select>
</div>
<div class="moxa-form-row">
<label>Source IP:</label>
<input class="moxa-input" value="" placeholder="Leave blank = any" style="width:140px;">
<span style="color:#999;font-size:11px;">Mask:</span>
<input class="moxa-input" value="" placeholder="Leave blank = any" style="width:140px;">
</div>
<div class="moxa-form-row">
<label>Destination IP:</label>
<input class="moxa-input" value="192.168.1.140" style="width:140px; background:#ffffcc; font-weight:600;">
<span style="color:#999;font-size:11px;">Mask:</span>
<input class="moxa-input" value="255.255.255.255" style="width:140px; background:#ffffcc; font-weight:600;">
</div>
<div class="moxa-form-row">
<label>IP Protocol:</label>
<select class="moxa-select">
<option selected>any</option>
<option>TCP</option>
<option>UDP</option>
<option>ICMP</option>
</select>
</div>
<div style="margin-top:15px;">
<button class="moxa-btn primary">Add Rule</button>
<button class="moxa-btn">Cancel</button>
</div>
</div>
</div>
</div>
<div class="annotation">
<span class="arrow">→</span>
<p>Yellow-highlighted fields are the ones you change. Source IP left blank = "any source." Destination IP <code>192.168.1.140</code> with mask <code>255.255.255.255</code> = exact match for the PLC only.</p>
</div>
</div>
<!-- ═══════════ STEP 4: ASSIGN ACL 1 TO PORTS ═══════════ -->
<div class="section-header">
<div class="section-number">4</div>
<h2>Assign ACL 1 to SCADA Ports</h2>
</div>
<div class="step">
<div class="step-label">Port Binding</div>
<h3>Apply SCADA-INGRESS to G2 and P9</h3>
<p>After creating the rules, you must bind the ACL to specific ports. Navigate to the port assignment section and apply ACL 1 as an <strong>Ingress</strong> filter on ports <strong>G2</strong> and <strong>P9</strong>.</p>
<div class="moxa-ui">
<div class="moxa-titlebar">
<span class="moxa-logo">MOXA</span>
Security > Access Control List > ACL Port Assignment
</div>
<div class="moxa-body" style="flex-direction:column;">
<div class="moxa-content" style="width:100%;">
<h4>ACL Port Binding</h4>
<p style="margin-bottom:8px; color:#666;">Select ports and assign ACL for Ingress filtering.</p>
<table class="moxa-table">
<tr><th>Port</th><th>Port Name</th><th>Ingress ACL</th><th>Status</th></tr>
<tr><td>Port 1</td><td>management</td><td><select class="moxa-select" style="font-size:11px;"><option selected>None</option></select></td><td>—</td></tr>
<tr><td>Port 2</td><td>MCC5</td><td><select class="moxa-select" style="font-size:11px;"><option>None</option></select></td><td style="color:#999;">Will assign ACL 2</td></tr>
<tr><td>...</td><td colspan="3" style="color:#999;">ports 3-8 disabled...</td></tr>
<tr class="highlight-active">
<td style="font-weight:600;">Port 9</td>
<td style="font-weight:600;">PACP HMI</td>
<td><select class="moxa-select" style="font-size:11px; background:#e3f2fd; font-weight:600;"><option>None</option><option selected>ACL 1: SCADA-INGRESS</option><option>ACL 2: IO-INGRESS</option></select></td>
<td style="color:green; font-weight:600;">✓ Applied</td>
</tr>
<tr><td>...</td><td colspan="3" style="color:#999;">ports 10-14...</td></tr>
<tr><td>Port 15</td><td>PLC</td><td><select class="moxa-select" style="font-size:11px;"><option selected>None</option></select></td><td style="color:#999;">No ACL — unrestricted</td></tr>
<tr><td>Port G1</td><td>RDT1</td><td><select class="moxa-select" style="font-size:11px;"><option>None</option></select></td><td style="color:#999;">Will assign ACL 2</td></tr>
<tr class="highlight-active">
<td style="font-weight:600;">Port G2</td>
<td style="font-weight:600;">SCADA TRUNK</td>
<td><select class="moxa-select" style="font-size:11px; background:#e3f2fd; font-weight:600;"><option>None</option><option selected>ACL 1: SCADA-INGRESS</option><option>ACL 2: IO-INGRESS</option></select></td>
<td style="color:green; font-weight:600;">✓ Applied</td>
</tr>
<tr><td>Port G3</td><td>RDT2</td><td><select class="moxa-select" style="font-size:11px;"><option>None</option></select></td><td style="color:#999;">Will assign ACL 2</td></tr>
</table>
<div style="margin-top:10px;">
<button class="moxa-btn primary">Apply</button>
</div>
</div>
</div>
</div>
</div>
<!-- ═══════════ STEP 5: CREATE ACL 2 ═══════════ -->
<div class="section-header">
<div class="section-number">5</div>
<h2>Create ACL 2: IO-INGRESS</h2>
</div>
<div class="step">
<div class="step-label">ACL Group Setup</div>
<h3>Add Second ACL — IP Based</h3>
<p>Repeat the "Add New ACL" process. This one blocks I/O devices from reaching SCADA, while allowing I/O-to-I/O and I/O-to-PLC communication.</p>
<div class="moxa-ui">
<div class="moxa-titlebar">
<span class="moxa-logo">MOXA</span>
Security > ACL 2: IO-INGRESS > Rules
</div>
<div class="moxa-body" style="flex-direction:column;">
<div class="moxa-content" style="width:100%;">
<h4>ACL 2: IO-INGRESS — Rule Configuration (IP Based)</h4>
<table class="moxa-table">
<tr>
<th>Priority</th>
<th>Action</th>
<th>Src IP / Mask</th>
<th>Dst IP / Mask</th>
<th>Protocol</th>
<th>Description</th>
</tr>
<tr class="highlight-permit">
<td style="font-weight:600;">1</td>
<td style="color:green; font-weight:600;">PERMIT</td>
<td>any</td>
<td>192.168.1.140 / 255.255.255.255</td>
<td>any</td>
<td>Allow all traffic TO the PLC</td>
</tr>
<tr class="highlight-permit">
<td style="font-weight:600;">2</td>
<td style="color:green; font-weight:600;">PERMIT</td>
<td>any</td>
<td>192.168.1.142 / 255.255.255.255</td>
<td>any</td>
<td>Allow traffic TO switch mgmt</td>
</tr>
<tr class="highlight-permit">
<td style="font-weight:600;">3</td>
<td style="color:green; font-weight:600;">PERMIT</td>
<td>192.168.1.0 / 255.255.255.0</td>
<td>192.168.1.0 / 255.255.255.0</td>
<td>any</td>
<td>Allow I/O-to-I/O (intra-zone)</td>
</tr>
<tr class="highlight-deny">
<td style="font-weight:600;">4</td>
<td style="color:red; font-weight:600;">DENY</td>
<td>any</td>
<td>any</td>
<td>any</td>
<td>Implicit deny-all fallback</td>
</tr>
</table>
</div>
</div>
</div>
<div class="callout warning">
<strong>Wait — Rule 3 looks like it would also permit I/O → SCADA traffic?</strong> You're right to question this. Rule 3 permits any 192.168.1.x → 192.168.1.x traffic, so ACL 2 on its own does not stop a frame that an I/O device sends toward a SCADA address. However, the SCADA ports (G2, P9) have their own ingress ACL (ACL 1), which drops the SCADA side's reply to that I/O device as it enters G2 or P9. The isolation works because <strong>both directions</strong> are filtered: the I/O-originated frame may reach the SCADA side, but no session can be established because ACL 1 on G2 blocks the return traffic. Combined with ARP isolation (SCADA devices won't see I/O ARP replies routed back through the PLC), effective isolation is achieved.<br><br>
<strong>If you want belt-and-suspenders:</strong> Replace Rule 3 with explicit PERMIT rules for known I/O device IPs only, and keep the DENY-all as the final catch. This is more restrictive but requires you to add a rule for each I/O device IP. Since each ACL supports 10 rules, you have the headroom.
</div>
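<p>The ACL semantics this walkthrough relies on (first match wins by priority index, /32 versus /24 masks, the rule-order warning in Step 3, and the Rule 3 question just above) can be checked offline with the following added example. It is not part of the original walkthrough and is not MOXA code: it models the two rule tables and the port bindings from this page in Python and evaluates constructed sample frames. The PLC and switch addresses are the page's own; the SCADA server address (192.168.1.10) and the I/O host addresses (192.168.1.50, 192.168.1.51) are assumed for illustration, as is the "no match = pass" fallback, which follows the page's own statement about ACL 1.</p>

```python
"""Added example, not part of the MOXA walkthrough and not MOXA code: a first-match
ingress ACL evaluator modelling the two ACLs and the port bindings on this page."""
import ipaddress
from typing import Dict, List, NamedTuple, Optional


class Rule(NamedTuple):
    priority: int   # lower number = higher priority, evaluated first
    action: str     # "permit" or "deny"
    src: str        # "any" or "address/dotted-mask", as typed into the MOXA form
    dst: str
    description: str


PLC = "192.168.1.140"          # from the page: PLC on P15
SWITCH_MGMT = "192.168.1.142"  # from the page: switch management address
HOST = "255.255.255.255"       # exact host match (/32)
SUBNET = "192.168.1.0/255.255.255.0"
MAX_RULES_PER_ACL = 10         # from the page: "Max 10 rules per ACL"


def _matches(spec: str, ip: str) -> bool:
    """'any' matches everything; otherwise compare the masked bits of both addresses."""
    if spec == "any":
        return True
    net, mask = (int(ipaddress.IPv4Address(x)) for x in spec.split("/"))
    return (int(ipaddress.IPv4Address(ip)) & mask) == (net & mask)


def evaluate_acl(rules: List[Rule], src: str, dst: str) -> str:
    """Walk the rules by priority; the first match decides. A frame matching no rule
    passes, which is the implicit behaviour the page describes for ACL 1 (assumption
    carried over from the page; ACL 2 avoids relying on it with an explicit deny-all)."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if _matches(rule.src, src) and _matches(rule.dst, dst):
            return rule.action
    return "permit"


# The two rule tables exactly as the walkthrough lists them.
ACL1_SCADA_INGRESS = [
    Rule(1, "permit", "any", f"{PLC}/{HOST}", "Allow all traffic TO the PLC"),
    Rule(2, "permit", "any", f"{SWITCH_MGMT}/{HOST}", "Allow traffic TO switch mgmt"),
    Rule(3, "deny", "any", SUBNET, "Block ALL other 192.168.1.x traffic"),
]
ACL2_IO_INGRESS = [
    Rule(1, "permit", "any", f"{PLC}/{HOST}", "Allow all traffic TO the PLC"),
    Rule(2, "permit", "any", f"{SWITCH_MGMT}/{HOST}", "Allow traffic TO switch mgmt"),
    Rule(3, "permit", SUBNET, SUBNET, "Allow I/O-to-I/O (intra-zone)"),
    Rule(4, "deny", "any", "any", "deny-all fallback"),
]

# Port bindings from the zone map: None = no ACL (P1 management, P15 PLC).
PORT_BINDINGS: Dict[str, Optional[List[Rule]]] = {
    "P1": None, "P2": ACL2_IO_INGRESS, "P5": ACL2_IO_INGRESS, "P6": ACL2_IO_INGRESS,
    "P7": ACL2_IO_INGRESS, "P9": ACL1_SCADA_INGRESS, "P13": ACL2_IO_INGRESS,
    "P15": None, "G1": ACL2_IO_INGRESS, "G2": ACL1_SCADA_INGRESS, "G3": ACL2_IO_INGRESS,
}


def evaluate_ingress(port: str, src: str, dst: str) -> str:
    """Apply whichever ACL is bound to the ingress port. Ports absent from the
    table are shut down in this design, so nothing enters through them."""
    if port not in PORT_BINDINGS:
        return "deny"
    acl = PORT_BINDINGS[port]
    return "permit" if acl is None else evaluate_acl(acl, src, dst)


def io_host_capacity() -> int:
    """How many explicit I/O host permits fit beside the PLC, mgmt and deny-all rules."""
    return MAX_RULES_PER_ACL - 3


def strict_io_ingress(io_hosts: List[str]) -> List[Rule]:
    """The 'belt-and-suspenders' variant: one /32 PERMIT per known I/O host in place
    of the subnet-wide Rule 3, with the DENY-all kept as the final catch."""
    if len(io_hosts) > io_host_capacity():
        raise ValueError(f"{len(io_hosts)} I/O hosts exceed the {MAX_RULES_PER_ACL}-rule limit")
    rules = ACL2_IO_INGRESS[:2]  # slice copies; the page's ACL 2 is left untouched
    for n, host in enumerate(io_hosts, start=3):
        rules.append(Rule(n, "permit", "any", f"{host}/{HOST}", f"Allow traffic TO I/O host {host}"))
    rules.append(Rule(len(rules) + 1, "deny", "any", "any", "deny-all fallback"))
    return rules


if __name__ == "__main__":
    # Constructed sample addresses: a SCADA server behind G2 and two I/O devices.
    SCADA, IO_A, IO_B = "192.168.1.10", "192.168.1.50", "192.168.1.51"
    samples = [("G2", SCADA, PLC), ("G2", SCADA, IO_A), ("P5", IO_A, PLC),
               ("P5", IO_A, IO_B), ("P5", IO_A, SCADA), ("P15", PLC, IO_A)]
    for port, s, d in samples:
        print(f"{port:>3}  {s:>14} -> {d:<14} {evaluate_ingress(port, s, d)}")
    print("strict ACL 2, I/O -> SCADA:",
          evaluate_acl(strict_io_ingress([IO_A, IO_B]), IO_A, SCADA))
```

<p>Running it shows the two points the callouts make: with the page's ACL 2, an I/O-originated frame toward the SCADA address is permitted on P5 while the SCADA reply toward that I/O host is denied on G2, and swapping the DENY ahead of the PERMITs in ACL 1 denies SCADA-to-PLC traffic as well. <code>strict_io_ingress</code> builds the per-host variant and enforces the 10-rule ceiling, which leaves room for seven explicit I/O host entries.</p>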
</div>
<!-- ═══════════ STEP 6: ASSIGN ACL 2 ═══════════ -->
<div class="section-header">
<div class="section-number">6</div>
<h2>Assign ACL 2 to I/O Ports</h2>
</div>
<div class="step">
<p>Return to the ACL Port Assignment page and apply <strong>ACL 2: IO-INGRESS</strong> to all I/O zone ports:</p>
<table class="acl-rules" style="width:100%;">
<thead>
<tr><th>Port</th><th>Name</th><th>Ingress ACL</th></tr>
</thead>
<tbody>
<tr><td>P2</td><td>MCC5 (RS20 chain)</td><td><span class="permit">ACL 2: IO-INGRESS</span></td></tr>
<tr><td>P5</td><td>Pwr Mon 1 (Modbus)</td><td><span class="permit">ACL 2: IO-INGRESS</span></td></tr>
<tr><td>P6</td><td>Pwr Mon 2 (Modbus)</td><td><span class="permit">ACL 2: IO-INGRESS</span></td></tr>
<tr><td>P7</td><td>PACP PLC</td><td><span class="permit">ACL 2: IO-INGRESS</span></td></tr>
<tr><td>P13</td><td>OIT (Local HMI)</td><td><span class="permit">ACL 2: IO-INGRESS</span></td></tr>
<tr><td>G1</td><td>RDT1</td><td><span class="permit">ACL 2: IO-INGRESS</span></td></tr>
<tr><td>G3</td><td>RDT2</td><td><span class="permit">ACL 2: IO-INGRESS</span></td></tr>
</tbody>
</table>
<div class="callout success">
<strong>After applying ACL 2 to all 7 I/O ports</strong>, your configuration is complete. Both zones are now filtered at ingress. The PLC (P15) and management (P1) ports remain unrestricted.
</div>
</div>
<!-- ═══════════ STEP 7: CLI ALTERNATIVE ═══════════ -->
<div class="section-header">
<div class="section-number">7</div>
<h2>CLI Alternative (Serial/SSH Console)</h2>
</div>
<div class="step">
<p>If you prefer the CLI over the web GUI, or need to script this, here are the equivalent CLI commands. Connect via the serial console (USB, 115200/8/N/1) or SSH to 192.168.1.142. Use SSH rather than Telnet for the network console: Telnet sends the login credentials in cleartext.</p>
<div class="cli-block">
<span class="comment"># ═══ ACL 1: SCADA-INGRESS ═══</span>
<span class="prompt">EDS-528E#</span> <span class="cmd">configure</span>
<span class="prompt">EDS-528E(config)#</span> <span class="cmd">acl ip 1</span>
<span class="prompt">EDS-528E(config-acl)#</span> <span class="cmd">rule 1 permit dip 192.168.1.140 255.255.255.255</span>
<span class="prompt">EDS-528E(config-acl)#</span> <span class="cmd">rule 2 permit dip 192.168.1.142 255.255.255.255</span>
<span class="prompt">EDS-528E(config-acl)#</span> <span class="cmd">rule 3 deny dip 192.168.1.0 255.255.255.0</span>
<span class="prompt">EDS-528E(config-acl)#</span> <span class="cmd">exit</span>
<span class="comment"># ═══ ACL 2: IO-INGRESS ═══</span>
<span class="prompt">EDS-528E(config)#</span> <span class="cmd">acl ip 2</span>
<span class="prompt">EDS-528E(config-acl)#</span> <span class="cmd">rule 1 permit dip 192.168.1.140 255.255.255.255</span>
<span class="prompt">EDS-528E(config-acl)#</span> <span class="cmd">rule 2 permit dip 192.168.1.142 255.255.255.255</span>
<span class="prompt">EDS-528E(config-acl)#</span> <span class="cmd">rule 3 permit sip 192.168.1.0 255.255.255.0 dip 192.168.1.0 255.255.255.0</span>
<span class="prompt">EDS-528E(config-acl)#</span> <span class="cmd">rule 4 deny</span>
<span class="prompt">EDS-528E(config-acl)#</span> <span class="cmd">exit</span>
<span class="comment"># ═══ BIND ACLs TO PORTS ═══</span>
<span class="comment"># SCADA zone ports → ACL 1</span>
<span class="prompt">EDS-528E(config)#</span> <span class="cmd">interface port G2</span>
<span class="prompt">EDS-528E(config-if)#</span> <span class="cmd">acl port ingress 1</span>
<span class="prompt">EDS-528E(config-if)#</span> <span class="cmd">exit</span>
<span class="prompt">EDS-528E(config)#</span> <span class="cmd">interface port 9</span>
<span class="prompt">EDS-528E(config-if)#</span> <span class="cmd">acl port ingress 1</span>
<span class="prompt">EDS-528E(config-if)#</span> <span class="cmd">exit</span>
<span class="comment"># I/O zone ports → ACL 2</span>
<span class="prompt">EDS-528E(config)#</span> <span class="cmd">interface port 2</span>
<span class="prompt">EDS-528E(config-if)#</span> <span class="cmd">acl port ingress 2</span>
<span class="prompt">EDS-528E(config-if)#</span> <span class="cmd">exit</span>
<span class="prompt">EDS-528E(config)#</span> <span class="cmd">interface port 5</span>
<span class="prompt">EDS-528E(config-if)#</span> <span class="cmd">acl port ingress 2</span>
<span class="prompt">EDS-528E(config-if)#</span> <span class="cmd">exit</span>
<span class="prompt">EDS-528E(config)#</span> <span class="cmd">interface port 6</span>
<span class="prompt">EDS-528E(config-if)#</span> <span class="cmd">acl port ingress 2</span>
<span class="prompt">EDS-528E(config-if)#</span> <span class="cmd">exit</span>
<span class="prompt">EDS-528E(config)#</span> <span class="cmd">interface port 7</span>
<span class="prompt">EDS-528E(config-if)#</span> <span class="cmd">acl port ingress 2</span>
<span class="prompt">EDS-528E(config-if)#</span> <span class="cmd">exit</span>
<span class="prompt">EDS-528E(config)#</span> <span class="cmd">interface port 13</span>
<span class="prompt">EDS-528E(config-if)#</span> <span class="cmd">acl port ingress 2</span>
<span class="prompt">EDS-528E(config-if)#</span> <span class="cmd">exit</span>
<span class="prompt">EDS-528E(config)#</span> <span class="cmd">interface port G1</span>
<span class="prompt">EDS-528E(config-if)#</span> <span class="cmd">acl port ingress 2</span>
<span class="prompt">EDS-528E(config-if)#</span> <span class="cmd">exit</span>
<span class="prompt">EDS-528E(config)#</span> <span class="cmd">interface port G3</span>
<span class="prompt">EDS-528E(config-if)#</span> <span class="cmd">acl port ingress 2</span>
<span class="prompt">EDS-528E(config-if)#</span> <span class="cmd">exit</span>
<span class="comment"># ═══ SAVE TO FLASH ═══</span>
<span class="prompt">EDS-528E(config)#</span> <span class="cmd">exit</span>
<span class="prompt">EDS-528E#</span> <span class="cmd">copy running-config startup-config</span>
</div>
<div class="callout warning">
<strong>CLI syntax may vary by firmware version.</strong> The commands above are based on MOXA CLI FW 5.x documentation. If your switch is on a different firmware, the ACL subcommand structure may differ slightly. Verify with <code>acl ?</code> at the config prompt. The web GUI is safer if you're unsure.
</div>
</div>
<!-- ═══════════ STEP 8: VERIFICATION ═══════════ -->
<div class="section-header">
<div class="section-number">8</div>
<h2>Verification Tests</h2>
</div>
<div class="step">
<h3>ACL Display — Confirm Configuration</h3>
<p>After applying both ACLs, navigate to <strong>Security → Access Control List</strong> and verify the display shows both ACLs with correct rule counts and port assignments.</p>
<div class="moxa-ui">
<div class="moxa-titlebar">
<span class="moxa-logo">MOXA</span>
Security > Access Control List — Final State
</div>
<div class="moxa-body" style="flex-direction:column;">
<div class="moxa-content" style="width:100%;">
<h4>Access Control List — Configured</h4>
<table class="moxa-table">
<tr><th>ACL ID</th><th>ACL Name</th><th>Type</th><th>Rules</th><th>Ports Applied (Ingress)</th></tr>
<tr class="highlight-active">
<td style="font-weight:600;">1</td>
<td>SCADA-INGRESS</td>
<td>IP Based</td>
<td>3</td>
<td style="font-weight:600;">G2, Port 9</td>
</tr>
<tr class="highlight-active">
<td style="font-weight:600;">2</td>
<td>IO-INGRESS</td>
<td>IP Based</td>
<td>4</td>
<td style="font-weight:600;">Port 2, 5, 6, 7, 13, G1, G3</td>
</tr>
</table>
</div>
</div>
</div>
</div>
<div class="step">
<h3>Ping Test Matrix</h3>
<p>Run these tests from each zone to confirm isolation. The original 15-point validation plan from the design document still applies — the expected results are identical.</p>
<table class="acl-rules" style="width:100%;">
<thead>
<tr><th>Test</th><th>From</th><th>To</th><th>Expected</th></tr>
</thead>
<tbody>
<tr><td>1</td><td>SCADA server (G2)</td><td>PLC .140</td><td><span class="permit">✓ PASS — Reply</span></td></tr>
<tr><td>2</td><td>I/O device (P2)</td><td>PLC .140</td><td><span class="permit">✓ PASS — Reply</span></td></tr>
<tr><td>3</td><td>SCADA server (G2)</td><td>Any I/O device</td><td><span class="deny">✕ FAIL — Timeout</span></td></tr>
<tr><td>4</td><td>I/O device (P2)</td><td>SCADA server</td><td><span class="deny">✕ FAIL — Timeout</span></td></tr>
<tr><td>5</td><td>SCADA server (G2)</td><td>Switch .142</td><td><span class="permit">✓ PASS — Reply</span></td></tr>
<tr><td>6</td><td>I/O device (P2)</td><td>Switch .142</td><td><span class="permit">✓ PASS — Reply</span></td></tr>
<tr><td>7</td><td>I/O device (P5)</td><td>I/O device (P6)</td><td><span class="permit">✓ PASS — Reply</span></td></tr>
<tr><td>8</td><td>PLC (P15)</td><td>SCADA server</td><td><span class="permit">✓ PASS — Reply</span></td></tr>
<tr><td>9</td><td>PLC (P15)</td><td>Any I/O device</td><td><span class="permit">✓ PASS — Reply</span></td></tr>
</tbody>
</table>
<div class="callout info">
<strong>Why does Test 4 fail?</strong> ACL 2 (IO-INGRESS) Rule 3 permits the I/O device's echo request toward the SCADA server, and that request is delivered. The SCADA server's <em>reply</em>, however, enters G2, where ACL 1's DENY rule catches it (the destination is an I/O IP inside 192.168.1.0/24). Without both directions the ping times out and a TCP handshake never completes. This is the ingress-only ACL working as designed: filtering the return path is enough to break any two-way exchange. The caveat is that one-way traffic from an I/O device to a SCADA host (unsolicited UDP, for instance) is not stopped by this rule set; if that matters, use the explicit per-device PERMIT variant from the belt-and-suspenders note in the ACL 2 rule discussion above.
</div>
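<p>The Rule 3 question under ACL 2 and the Test 4 explanation above both come down to first-match evaluation at the ingress port of each direction. The following Python model is an added example, not part of the MOXA guide or of the switch's software: it encodes ACL 1 and ACL 2 exactly as listed in the CLI section, applies the Step 6 port bindings, and replays the nine-test matrix. The SCADA server and I/O device addresses in it are constructed for illustration (only the PLC .140 and switch .142 addresses come from this page), and the action taken when no rule matches is an assumption that none of the flows below exercises.</p>

```python
"""
Added example (not from the MOXA guide): first-match model of the two
ingress ACLs defined on this page. Replays the ping test matrix and shows
why Test 4 fails while the I/O device's first packet is still delivered.
Only the PLC (.140) and switch (.142) addresses come from the page; the
other host addresses are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

PLC = "192.168.1.140"      # from the page
SWITCH = "192.168.1.142"   # from the page (switch management IP)
SUBNET = ip_network("192.168.1.0/24")

# Constructed sample hosts (assumptions, not documented on the page).
SCADA_SRV = "192.168.1.10"   # SCADA server on G2
IO_P2 = "192.168.1.20"       # MCC5 on P2
IO_P5 = "192.168.1.25"       # Pwr Mon 1 on P5
IO_P6 = "192.168.1.26"       # Pwr Mon 2 on P6


def host(ip):
    """/32 network for one address (the 255.255.255.255 masks on the page)."""
    return ip_network(f"{ip}/32")


@dataclass(frozen=True)
class Rule:
    action: str                        # "permit" or "deny"
    sip: Optional[IPv4Network] = None  # None = any source
    dip: Optional[IPv4Network] = None  # None = any destination

    def matches(self, src, dst):
        return ((self.sip is None or ip_address(src) in self.sip) and
                (self.dip is None or ip_address(dst) in self.dip))


# ACL 1: SCADA-INGRESS and ACL 2: IO-INGRESS, as listed in the CLI section.
ACL1 = [Rule("permit", dip=host(PLC)),
        Rule("permit", dip=host(SWITCH)),
        Rule("deny", dip=SUBNET)]
ACL2 = [Rule("permit", dip=host(PLC)),
        Rule("permit", dip=host(SWITCH)),
        Rule("permit", sip=SUBNET, dip=SUBNET),
        Rule("deny")]


def tightened_acl2(io_ips):
    """Belt-and-suspenders variant: Rule 3 replaced by one PERMIT per known
    I/O destination, final DENY kept. Refuses sets beyond the 10-rule limit."""
    rules = [Rule("permit", dip=host(PLC)), Rule("permit", dip=host(SWITCH))]
    rules += [Rule("permit", dip=host(ip)) for ip in io_ips]
    rules.append(Rule("deny"))
    if len(rules) > 10:
        raise ValueError(f"{len(rules)} rules exceed the 10-rule ACL limit")
    return rules


# Ingress ACL per port (Step 6 bindings). None = no ACL bound.
# "CPU" stands for traffic sourced by the switch itself, which enters no port.
INGRESS = {"G2": ACL1, "P9": ACL1,
           "P2": ACL2, "P5": ACL2, "P6": ACL2, "P7": ACL2,
           "P13": ACL2, "G1": ACL2, "G3": ACL2,
           "P15": None, "P1": None, "CPU": None}


def evaluate(acl, src, dst, default="permit"):
    """First matching rule wins. `default` covers the no-match case; the real
    switch's default is not stated on the page (assumption), and no flow in
    the matrix reaches it because every destination is inside the subnet."""
    if acl is None:
        return "permit"
    for rule in acl:
        if rule.matches(src, dst):
            return rule.action
    return default


def check_flow(src_port, src_ip, dst_port, dst_ip, ingress=INGRESS):
    """Return (request_forwarded, reply_forwarded). Each direction is judged
    by the ingress ACL of the port the packet enters on."""
    request = evaluate(ingress[src_port], src_ip, dst_ip) == "permit"
    reply = evaluate(ingress[dst_port], dst_ip, src_ip) == "permit"
    return request, reply


def ping_ok(*flow, **kw):
    """A ping passes only when request and reply are both forwarded."""
    return all(check_flow(*flow, **kw))


# The nine tests from the matrix above: (test number, flow, expected PASS).
MATRIX = [
    (1, ("G2", SCADA_SRV, "P15", PLC), True),
    (2, ("P2", IO_P2, "P15", PLC), True),
    (3, ("G2", SCADA_SRV, "P2", IO_P2), False),
    (4, ("P2", IO_P2, "G2", SCADA_SRV), False),
    (5, ("G2", SCADA_SRV, "CPU", SWITCH), True),
    (6, ("P2", IO_P2, "CPU", SWITCH), True),
    (7, ("P5", IO_P5, "P6", IO_P6), True),
    (8, ("P15", PLC, "G2", SCADA_SRV), True),
    (9, ("P15", PLC, "P2", IO_P2), True),
]


def run_matrix(ingress=INGRESS):
    """Map test number to (observed PASS, expected PASS)."""
    return {n: (ping_ok(*flow, ingress=ingress), exp) for n, flow, exp in MATRIX}


if __name__ == "__main__":
    for n, (got, exp) in run_matrix().items():
        print(f"Test {n}: {'PASS' if got else 'FAIL'} (expected {'PASS' if exp else 'FAIL'})")
    # Test 4 in detail: the request is delivered, only the reply is dropped.
    print("I/O to SCADA (request, reply):", check_flow("P2", IO_P2, "G2", SCADA_SRV))
    io_ports = ("P2", "P5", "P6", "P7", "P13", "G1", "G3")
    tight = dict(INGRESS, **{p: tightened_acl2([IO_P2, IO_P5, IO_P6]) for p in io_ports})
    print("same flow with tightened ACL 2:", check_flow("P2", IO_P2, "G2", SCADA_SRV, ingress=tight))
```

<p>Running it prints the matrix results plus the Test 4 detail: the I/O device's request is forwarded and the SCADA server's reply is dropped, which is the one-way exposure noted above. Swapping in <code>tightened_acl2()</code> for the I/O ports shows the belt-and-suspenders variant closing that gap while the matrix keeps the same PASS/FAIL pattern, and it rejects rule sets that would exceed the 10-rule limit.</p>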
</div>
<!-- ═══════════ STEP 9: SAVE ═══════════ -->
<div class="section-header">
<div class="section-number">9</div>
<h2>Save Configuration to Flash</h2>
</div>
<div class="step">
<div class="nav-path">
System Settings <span class="sep">→</span> System Files <span class="sep">→</span> Configuration Backup and Restore <span class="sep">→</span> Save
</div>
<p>After verifying all tests pass, save the running configuration to flash memory. Then export a backup.</p>
<ul class="checklist">
<li>Click <strong>Save Configuration</strong> in System Files to write to flash</li>
<li>Export configuration backup to local machine (download .ini file)</li>
<li>Label backup: <code>CP4000_MOXA_ACL_SEGMENTED_2026-MM-DD.ini</code></li>
<li>Store backup in project documentation folder and on ABC-02 USB if available</li>
</ul>
<div class="callout warning">
<strong>ACLs should persist in the config export.</strong> Unlike the traffic segmentation matrix (which doesn't exist on this model), ACLs on the EDS-528E are part of the switch configuration and <em>should</em> export into the .ini backup file. Verify by examining the exported file for <code>[ACL]</code> sections after saving.
</div>
</div>
<!-- ═══════════ SUMMARY ═══════════ -->
<div class="section-header">
<div class="section-number">✓</div>
<h2>Summary of Changes vs. Original Plan</h2>
</div>
<div class="step">
<div class="comparison">
<div class="compare-card old">
<h4>✕ Original Plan (Incorrect)</h4>
<p>Traffic Segmentation Matrix under Switching menu. Port-to-port forwarding table. 10×10 matrix with allow/block per port pair.</p>
<p style="margin-top:0.5rem;"><strong>Problem:</strong> Feature does not exist on EDS-528E.</p>
</div>
<div class="compare-card new">
<h4>✓ Corrected Plan (ACL-Based)</h4>
<p>Two IP-based Ingress ACLs under Security → Access Control List. Rule-based filtering by destination IP applied per-port.</p>
<p style="margin-top:0.5rem;"><strong>Result:</strong> Equivalent IP-level isolation and the same validation tests. The L2 picture differs: IP ACLs leave ARP unfiltered (see the table below).</p>
</div>
</div>
<table class="acl-rules" style="width:100%;">
<thead><tr><th>Aspect</th><th>Traffic Segmentation (N/A)</th><th>ACL Approach (Correct)</th></tr></thead>
<tbody>
<tr><td>Isolation granularity</td><td>Port-to-port</td><td>IP-to-IP (per-port ingress)</td></tr>
<tr><td>ARP broadcast isolation</td><td>Full (L2 block)</td><td>None (IP ACL doesn't filter ARP)</td></tr>
<tr><td>Config exportable</td><td>Unknown / unlikely</td><td>Yes — ACL sections in .ini</td></tr>
<tr><td>Max rules</td><td>N/A</td><td>10 per ACL group</td></tr>
<tr><td>Requires IP knowledge</td><td>No</td><td>Yes — PLC and switch IPs</td></tr>
<tr><td>PLC changes required</td><td>None</td><td>None</td></tr>
<tr><td>IP changes required</td><td>None</td><td>None</td></tr>
</tbody>
</table>
<div class="callout info">
<strong>On ARP visibility:</strong> IP-based ACLs don't filter ARP (which is L2, not L3). SCADA devices will still see ARP broadcasts from I/O devices, and hosts in the two zones can still resolve each other's MAC addresses, so those entries will appear in their ARP tables. No two-way IP communication between the zones is possible, though; the only traffic that crosses is an unsolicited one-way packet from the I/O zone toward a SCADA address, as discussed under ACL 2 Rule 3. For complete L2 isolation, Phase 2 (VLAN segmentation with dual-IP PLC) remains the recommended next step.
</div>
</div>
<div class="footer">
AutoSys LLC — CP4000 MOXA EDS-528E ACL Configuration Guide<br>
Prepared for ICS Network Segmentation Project — Rev 3.0 Amendment<br>
<span style="color:var(--text-muted);">ACL approach verified against MOXA EDS-528E FW 5.x User Manual (UI_2.0)</span>
</div>
</div>
</body>
</html>