
VLAN ACL HP 2920-48G

jocef
Occasional Visitor

I have two VLAN. VLAN100 and VLAN200.

VLAN100 should have access to 192.168.20.0/24 and 192.168.0.0/24, block all other 192.168.0.0/16, 172.16.0.0/16 and 10.0.0.0/8 networks, and allow Internet access.

VLAN200 should not have access to anything, only reply to traffic coming from VLAN100.

I am trying to ping from VLAN100 to VLAN200 but without success.


hostname "HP-2920-48G"
module 1 type j9728a
ip access-list extended "vlan100"
     10 permit ip 192.168.0.0 0.0.0.255 192.168.0.0 0.0.0.255
     100 permit ip 192.168.0.0 0.0.0.255 192.168.20.0 0.0.0.255
     300 deny ip 0.0.0.0 255.255.255.255 192.168.0.0 0.0.255.255 log
     310 deny ip 0.0.0.0 255.255.255.255 172.16.0.0 0.0.255.255 log
     320 deny ip 0.0.0.0 255.255.255.255 10.0.0.0 0.255.255.255 log
     400 permit ip 192.168.0.0 0.0.0.255 0.0.0.0 255.255.255.255
   exit
ip access-list extended "vlan200"
     10 permit ip 192.168.20.0 0.0.0.255 192.168.20.0 0.0.0.255
   exit
ip default-gateway 192.168.0.1
ip route 0.0.0.0 0.0.0.0 192.168.0.1
ip routing
snmp-server community "public" unrestricted
oobm
   ip address dhcp-bootp
   exit
vlan 1
   name "DEFAULT_VLAN"
   no untagged 1,20
   untagged 2-19,21-48
   no ip address
   exit
vlan 100
   name "VLAN100"
   untagged 1
   ip access-group "vlan100" vlan-in
   ip address 192.168.0.205 255.255.255.0
   exit
vlan 200
   name "VLAN200"
   untagged 20
   ip access-group "vlan200" vlan-in
   ip address 192.168.20.1 255.255.255.0
   exit
no autorun
no dhcp config-file-update
no dhcp image-file-update
password manager

What is the right solution for my access-list?

jocef
Occasional Visitor

Re: VLAN ACL HP 2920-48G

I think I have solved the problem.

ip access-list extended "vlan200"
     10 permit ip 192.168.20.0 0.0.0.255 192.168.20.0 0.0.0.255
     20 permit icmp 192.168.20.0 0.0.0.255 0.0.0.0 255.255.255.255
     100 permit tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 established
     900 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
   exit
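To see why the first "vlan200" ACL dropped the ping replies and the corrected one lets them through, here is a simplified model of how a ProVision extended ACL is evaluated (wildcard masks, first match wins, implicit deny at the end) run against reply traffic entering the switch from a VLAN200 host. This is an added example, not the switch's logic or anything from the thread; the helper names and the sample packets are constructed for the demo. It also surfaces a limit of the fix: `established` only covers TCP, so a UDP reply from VLAN200 still falls through to entry 900.

```python
"""Simplified model of ProVision extended-ACL matching: wildcard masks,
first match wins, implicit deny at the end. Packets are constructed."""
import ipaddress


def wildcard_match(addr, base, wildcard):
    """A 1 bit in the wildcard means 'don't care' (inverse of a netmask)."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


def ace_matches(ace, pkt):
    proto, src, swc, dst, dwc, flags = ace
    if proto != "ip" and proto != pkt["proto"]:
        return False
    if not (wildcard_match(pkt["src"], src, swc) and wildcard_match(pkt["dst"], dst, dwc)):
        return False
    # 'established' matches only TCP segments with ACK or RST set
    return "established" not in flags or pkt.get("ack_or_rst", False)


def evaluate(acl, pkt):
    """Return (seq, action) of the first matching entry, or (None, 'deny')."""
    for seq, action, *ace in acl:
        if ace_matches(ace, pkt):
            return seq, action
    return None, "deny"  # implicit deny at the end of every ACL


ANY = ("0.0.0.0", "255.255.255.255")
# The two ACLs from the thread, as (seq, action, proto, src, src-wc, dst, dst-wc, flags)
ORIGINAL_VLAN200 = [
    (10, "permit", "ip", "192.168.20.0", "0.0.0.255", "192.168.20.0", "0.0.0.255", set()),
]
FIXED_VLAN200 = ORIGINAL_VLAN200 + [
    (20, "permit", "icmp", "192.168.20.0", "0.0.0.255", *ANY, set()),
    (100, "permit", "tcp", *ANY, *ANY, {"established"}),
    (900, "deny", "ip", *ANY, *ANY, set()),
]

# Constructed reply packets entering the switch from a VLAN200 host (vlan-in on VLAN 200)
ECHO_REPLY = {"proto": "icmp", "src": "192.168.20.10", "dst": "192.168.0.50"}
TCP_REPLY = {"proto": "tcp", "src": "192.168.20.10", "dst": "192.168.0.50", "ack_or_rst": True}
TCP_SYN = {"proto": "tcp", "src": "192.168.20.10", "dst": "192.168.0.50", "ack_or_rst": False}
UDP_REPLY = {"proto": "udp", "src": "192.168.20.10", "dst": "192.168.0.50"}

if __name__ == "__main__":
    print("original, echo reply:", evaluate(ORIGINAL_VLAN200, ECHO_REPLY))  # (None, 'deny')
    print("fixed,    echo reply:", evaluate(FIXED_VLAN200, ECHO_REPLY))     # (20, 'permit')
    print("fixed,    tcp reply :", evaluate(FIXED_VLAN200, TCP_REPLY))      # (100, 'permit')
    print("fixed,    tcp syn   :", evaluate(FIXED_VLAN200, TCP_SYN))        # (900, 'deny')
    print("fixed,    udp reply :", evaluate(FIXED_VLAN200, UDP_REPLY))      # (900, 'deny')
```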