Can tags be used on hosts behind a Subnet Router?

I’m guessing the answer is no…

I’d like to tag a collection of hosts that are accessed via a single Subnet Router in order to simplify our ACLs.

Is there any other way to group hosts together in an ACL, similar to the way users can be grouped?


Tags are only set by the client when the client starts up and so are only available on things running the client. Hosts from a routed subnet won’t have the client on them so they don’t show up as clients in the console and can’t have tags associated with them.

But you can have rules that address the entire subnet (or smaller subnets of all routed subnets). For example:

  // "hosts" maps an alias to the routed subnet's IP range
  "hosts": { "server-subnet": "" },
  "acls": [
    {
      "action": "accept",
      "users": [ "*" ],
      "ports": [ "server-subnet:*" ]
    }
  ]
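
Following the "smaller subnets" suggestion in the reply above, this added example (not part of the original thread, and not Tailscale's own tooling) turns a list of hosts behind a subnet router into `hosts` aliases and one ACL rule that cover exactly those addresses. The function name `group_to_policy`, the `group:dba` user group, and the RFC 5737 addresses are constructed for illustration; it assumes each `hosts` alias holds a single IP or CIDR.

```python
import ipaddress
import json


def group_to_policy(group, host_ips, routed_cidr, users, port="*"):
    """Build 'hosts' aliases and one ACL rule covering exactly host_ips."""
    routed = ipaddress.ip_network(routed_cidr)
    addrs = [ipaddress.ip_address(ip) for ip in host_ips]
    outside = [str(a) for a in addrs if a not in routed]
    if outside:
        # A rule for an address outside the advertised route would never match.
        raise ValueError(f"not inside routed subnet {routed}: {outside}")
    # collapse_addresses merges only exactly adjacent, aligned blocks, so the
    # result never covers an address that was not listed (no silent widening).
    blocks = list(ipaddress.collapse_addresses(
        ipaddress.ip_network(f"{a}/{a.max_prefixlen}") for a in addrs))
    hosts = {}
    for i, net in enumerate(blocks, 1):
        # Single addresses are written as a bare IP, ranges as CIDR.
        value = str(net.network_address) if net.num_addresses == 1 else str(net)
        hosts[f"{group}-{i}"] = value
    rule = {
        "action": "accept",
        "users": list(users),
        "ports": [f"{name}:{port}" for name in hosts],
    }
    return {"hosts": hosts, "acls": [rule]}


if __name__ == "__main__":
    # Constructed sample: documentation addresses, not real hosts.
    policy = group_to_policy(
        "db",
        ["192.0.2.16", "192.0.2.17", "192.0.2.18", "192.0.2.19", "192.0.2.40"],
        "192.0.2.0/24",
        ["group:dba"],
        port="5432",
    )
    print(json.dumps(policy, indent=2))
```

Because the cover is exact, hosts that are not contiguous produce one alias each; renumbering a group into its own aligned block keeps the policy short.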