10-05-2018 05:24 AM
VLAN access control list
Hi,
My company has purchased an HP Aruba 2930M 24-port switch and I am a newbie at configuring HP Aruba switches.
I would like to understand more about VLAN access control lists and IP access group usage.
Please help and guide me to learn this, as I am having trouble configuring the VLAN access control list and IP access group.
Thank you very much.
10-09-2018 06:00 AM
Re: VLAN access control list
Hi,
To create a VLAN-based ACL, an access list needs to be created just the way it is created for a port-based ACL (PACL). For example, the following access list, named TESTVACL, will block all IP packets from host 192.168.2.10 to host 192.168.2.50, while allowing all other traffic:
Aruba(config)# ip access-list extended TESTVACL
Aruba(config-ext-nacl)# deny ip host 192.168.2.10 host 192.168.2.50
Aruba(config-ext-nacl)# permit ip any any
Aruba(config-ext-nacl)# exit
Suppose that both source and destination IP addresses in the ACL above are in VLAN 2 (192.168.2.0/24). Then the ACL TESTRACL can be applied to the VLAN 2 interface this way:
Aruba(config)# vlan 2
Aruba(vlan-2)# ip access-group TESTVACL vlan
Aruba(vlan-2)# exit
Notice the keyword vlan at the end of the ip access-group command. This keyword has to be used when both source and destination IP addresses belong to the same VLAN. In this case, the ACL is called a VLAN ACL, or VACL. If, instead of the keyword vlan, the keyword in is used like below:
Aruba(config)# vlan 2
Aruba(vlan-2)# ip access-group TESTVACL in
Aruba(vlan-2)# exit
Then the ACL will not filter out anything and host 192.168.2.10 can still talk to host 192.168.2.50.
The keywords in and out only work when the source and destination IP addresses belong to different VLANs. In this case the ACL is called a Routed IP ACL (RACL). Consider the example below:
Aruba(config)# ip access-list extended TESTRACL
Aruba(config-ext-nacl)# deny ip host 192.168.2.10 host 192.168.3.150
Aruba(config-ext-nacl)# permit ip any any
Aruba(config-ext-nacl)# exit
In this case the source host is in VLAN 2 (192.168.2.0/24) while the destination host is in VLAN 3 (192.168.3.0/24). We can apply this ACL as follows:
Aruba(config)# vlan 2
Aruba(vlan-2)# ip access-group TESTRACL in
Aruba(vlan-2)# exit
I am an HPE employee
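The behaviour described in the reply above, as a small Python model added here (it is not code from the thread or from HPE). It assumes a packet enters on the VLAN whose subnet holds its source address, that the `vlan` keyword covers all IP traffic entering on that VLAN, and that an ACL ends in an implicit deny; the function names are made up for this example.

```python
import ipaddress

# Constructed model of the thread's setup: VLAN 2 and VLAN 3 subnets.
VLANS = {2: ipaddress.ip_network("192.168.2.0/24"),
         3: ipaddress.ip_network("192.168.3.0/24")}

# ACEs as (action, source, destination); "any" matches every address.
TESTVACL = [("deny", "192.168.2.10", "192.168.2.50"), ("permit", "any", "any")]
TESTRACL = [("deny", "192.168.2.10", "192.168.3.150"), ("permit", "any", "any")]

def vlan_of(ip):
    """Return the VLAN ID whose subnet contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    return next((vid for vid, net in VLANS.items() if addr in net), None)

def acl_action(acl, src, dst):
    """First matching ACE wins; fall through to the implicit deny (assumption)."""
    for action, ace_src, ace_dst in acl:
        if ace_src in ("any", src) and ace_dst in ("any", dst):
            return action
    return "deny"

def forward(src, dst, bindings):
    """bindings: (vlan_id, acl, keyword) as in 'ip access-group <acl> <keyword>'."""
    src_vlan, dst_vlan = vlan_of(src), vlan_of(dst)
    routed = src_vlan != dst_vlan          # crosses VLANs, so the switch routes it
    for vid, acl, keyword in bindings:
        applies = ((keyword == "vlan" and vid == src_vlan) or
                   (keyword == "in" and vid == src_vlan and routed) or
                   (keyword == "out" and vid == dst_vlan and routed))
        if applies and acl_action(acl, src, dst) == "deny":
            return False
    return True

def ineffective_aces(bindings):
    """Host-to-host ACEs bound with in/out although both hosts share a VLAN."""
    found = []
    for vid, acl, keyword in bindings:
        for ace in acl:
            _, s, d = ace
            if keyword in ("in", "out") and "any" not in (s, d) \
                    and vlan_of(s) == vlan_of(d):
                found.append((vid, keyword, ace))
    return found

if __name__ == "__main__":
    print(forward("192.168.2.10", "192.168.2.50", [(2, TESTVACL, "vlan")]))
    print(forward("192.168.2.10", "192.168.2.50", [(2, TESTVACL, "in")]))
    print(ineffective_aces([(2, TESTVACL, "in")]))
```

`ineffective_aces` is the audit-style check: it flags a deny rule that looks present in the configuration but never filters anything because of the keyword used to bind it.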
10-09-2018 08:00 AM
Re: VLAN access control list
Hi @Anuragt85, in my opinion what you wrote is exactly what was described by this HP Support Information (some years ago, I presume)... if so - if I'm not mistaken - why not cite that very original source?
I'm not an HPE Employee