Access Control Help

I’m sure this is simple, but I just can’t quite wrap my head around it. I’m looking to tag devices as follows:

  1. customer: these are client devices, like Synology NASs and Linux servers.
  2. management: these are our user devices, like my MacBook and our main Synology that uses CMS to talk to our client NASs.
  3. corp: these are our internal servers, usually Linux and a few Windows.

In terms of access control, I want to be able to specify that devices tagged customer cannot reach each other or corp and can reach devices on management over specific ports. Devices tagged management can access all devices tagged customer and corp over specific ports. Any help would be appreciated.

That’s all quite workable, though be aware once you tag a device it’s no longer associated with the user who logged it on (who has to have permission to tag it). If your customer devices are all being logged in by different people you may be best off leaving them untagged so that you can tell them apart. That also gives you the option for all devices of a particular customer to be able to talk to each other, but not to any other customer’s devices. If you’re logging everything in with a central account, then carry on with the tagging, but you’ll probably want to make sure you understand the licensing model in that case, depending on the number of devices you are connecting.

After that, just remember that the ACL is default deny so anything you don’t actively give permission to isn’t permitted and it should be relatively simple to set up the ACL to do what you want. If you want further advice though, you may need to ask some more specific questions.
Make sure you add some tests in early on - that can help make sure you don’t accidentally give permission between customers that you shouldn’t.
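One way the policy described in this thread could be written, as an added example that is not from either poster. It assumes a Tailscale ACL policy file (HuJSON, so comments and trailing commas are allowed); the port numbers (22 for SSH, 5000/5001 for Synology DSM/CMS) and the "autogroup:admin" tag owner are assumptions to be replaced with your own.

```json
// Added example, not from the original thread. Assumes Tailscale's policy format;
// ports and tag owners are placeholders chosen to illustrate the three tags.
{
  "tagOwners": {
    "tag:customer":   ["autogroup:admin"],
    "tag:management": ["autogroup:admin"],
    "tag:corp":       ["autogroup:admin"],
  },
  "acls": [
    // management -> customer and corp, restricted to specific ports (assumed: SSH, DSM/CMS)
    {"action": "accept", "src": ["tag:management"],
     "dst": ["tag:customer:22,5000,5001", "tag:corp:22,5000,5001"]},
    // customer -> management, restricted to specific ports (assumed: CMS on 5000/5001)
    {"action": "accept", "src": ["tag:customer"],
     "dst": ["tag:management:5000,5001"]},
    // Deliberately no rule for customer -> customer or customer -> corp:
    // the policy is default deny, so anything not listed here is blocked.
  ],
  // Tests fail the policy save if a future edit accidentally opens customer -> customer.
  "tests": [
    {"src": "tag:customer",
     "accept": ["tag:management:5001"],
     "deny":   ["tag:customer:22", "tag:corp:22", "tag:management:22"]},
    {"src": "tag:management",
     "accept": ["tag:customer:22", "tag:corp:5001"],
     "deny":   ["tag:customer:80"]},
    {"src": "tag:corp",
     "deny":   ["tag:customer:22", "tag:management:5001"]},
  ],
}
```

The "tests" block is what the reply above recommends adding early: each entry asserts which destinations a source tag must and must not reach, and the policy is rejected if any assertion fails.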