HPE Community
Aruba & ProVision-based
1751880 Members
5512 Online
108783 Solutions
New Discussion

Help with ACL's on HP 2920

 
mlltech
Occasional Visitor

‎12-04-2015 06:59 AM - edited ‎12-04-2015 07:02 AM

‎12-04-2015 06:59 AM - edited ‎12-04-2015 07:02 AM

Help with ACL's on HP 2920

Hi all,

I'm fairly new to networking, and I would appreciate any help with configuring ACL's on a HP 2920.

I have several VLAN's, and I want to block communication between some of them, and do some other configurations. In the end, this is what I want to accomplish:

  • Allow all traffic from vlan20 to vlan10
  • Allow all traffic from vlan30 to vlan10
  • Allow traffic on tcp port 8880 from vlan40 to vlan10
  • Deny all traffic from vlan50 to vlan10
  • Allow all traffic from vlan99 to vlan10

 

So, I think this is what I need to configure:

ip access-list extended "VLAN10-In"
permit ip 192.168.20.0/24 192.168.10.0/24
permit ip 192.168.30.0/24 192.168.10.0/24
permit tcp 192.168.40.0/24 192.168.10.0/24 eq 8880
deny ip 192.168.50.0/23 192.168.10.0/24
permit ip 192.168.99.0/24 192.168.10.0/24

(VLAN50 is a /23 network, it's not a typo).

And then, I assume that I have to apply this configuration to the VLAN10 itself, am I right?

Regards

 

0 Kudos
1 REPLY 1
Michael Patmon
Trusted Contributor

‎12-12-2015 07:48 AM

‎12-12-2015 07:48 AM

Re: Help with ACL's on HP 2920

Hello.  2920 supports ingress port and VLAN ACLs.  If your intention is to only allow hosts on VLAN 20, 30, 40 (TCP 8080 only), and 99 to send traffic to VLAN 10 then that ACL will work, but bear in mind those hosts will only be allowed to send traffic with an IP destination of 192.168.10.0/24.  All other IP traffic, DHCP discover packets for example, will be dropped.   And all VLAN 50 traffic will be dropped.

Also remember there is an implicit "deny ip any any" at the end of the ACL so anything not explicitly permitted will be dropped. 

Once you determine what traffic you want to permit you would then apply it on the ingress port (interface x ip access-group y) or VLAN (vlan x ip access-group y).

 

 

0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.