I'm fairly new to networking, and I would appreciate any help with configuring ACL's on a HP 2920.
I have several VLAN's, and I want to block communication between some of them, and do some other configurations. In the end, this is what I want to accomplish:
Allow all traffic from vlan20 to vlan10
Allow all traffic from vlan30 to vlan10
Allow traffic on tcp port 8880 from vlan40 to vlan10
Deny all traffic from vlan50 to vlan10
Allow all traffic from vlan99 to vlan10
So, I think this is what I need to configure:
ip access-list extended "VLAN10-In" permit ip 192.168.20.0/24 192.168.10.0/24 permit ip 192.168.30.0/24 192.168.10.0/24 permit tcp 192.168.40.0/24 192.168.10.0/24 eq 8880 deny ip 192.168.50.0/23 192.168.10.0/24 permit ip 192.168.99.0/24 192.168.10.0/24
(VLAN50 is a /23 network, it's not a typo).
And then, I assume that I have to apply this configuration to the VLAN10 itself, am I right?
Hello. 2920 supports ingress port and VLAN ACLs. If your intention is to only allow hosts on VLAN 20, 30, 40 (TCP 8080 only), and 99 to send traffic to VLAN 10 then that ACL will work, but bear in mind those hosts will only be allowed to send traffic with an IP destination of 192.168.10.0/24. All other IP traffic, DHCP discover packets for example, will be dropped. And all VLAN 50 traffic will be dropped.
Also remember there is an implicit "deny ip any any" at the end of the ACL so anything not explicitly permitted will be dropped.
Once you determine what traffic you want to permit you would then apply it on the ingress port (interface x ip access-group y) or VLAN (vlan x ip access-group y).
