
Re: VLAN access control list

 
raymond_yeo
Visitor

VLAN access control list

Hi, 

My company has purchased an HP Aruba 2930M 24-port switch and I am a newbie at configuring HP Aruba switches.

I would like to understand more about VLAN access control list and IP access group usage.

Please help and guide me to learn this, as I am having trouble configuring the VLAN access control list and IP access group.

Thank you very much.

Anuragt85
HPE Pro

Re: VLAN access control list

Hi,

To create a VLAN-based ACL, an access list needs to be created just the way it is created for a port-based ACL (PACL). For example, the following access list, named TESTVACL, will block all IP packets from host 192.168.2.10 to host 192.168.2.50, while allowing all other traffic:

Aruba(config)# ip access-list extended TESTVACL
Aruba(config-ext-nacl)# deny ip host 192.168.2.10 host 192.168.2.50
Aruba(config-ext-nacl)# permit ip any any
Aruba(config-ext-nacl)# exit

Suppose that both source and destination IP addresses in the ACL above are in VLAN 2 (192.168.2.0/24). Then the ACL TESTVACL can be applied to the VLAN 2 interface this way:

Aruba(config)# vlan 2
Aruba(vlan-2)# ip access-group TESTVACL vlan
Aruba(vlan-2)# exit

Notice the keyword vlan at the end of the ip access-group command. This keyword has to be used when both source and destination IP addresses belong to the same VLAN. In this case, the ACL is called a VLAN ACL, or VACL. If, instead of the keyword vlan, the keyword in is used, like below:

Aruba(config)# vlan 2
Aruba(vlan-2)# ip access-group TESTVACL in
Aruba(vlan-2)# exit

Then the ACL will not filter out anything and host 192.168.2.10 can still talk to host 192.168.2.50.

The keywords in and out only work when the source and destination IP addresses belong to different VLANs. In this case the ACL is called a Routed IP ACL (RACL). Consider the example below:

Aruba(config)# ip access-list extended TESTRACL
Aruba(config-ext-nacl)# deny ip host 192.168.2.10 host 192.168.3.150
Aruba(config-ext-nacl)# permit ip any any
Aruba(config-ext-nacl)# exit

In this case the source host is in VLAN 2 (192.168.2.0/24) while the destination host is in VLAN 3 (192.168.3.0/24). We can apply this ACL as follows:

Aruba(config)# vlan 2
Aruba(vlan-2)# ip access-group TESTRACL in
Aruba(vlan-2)# exit

 

I am an HPE employee

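As an added illustration (not part of either reply and not HPE's code), the following Python model evaluates a flow against the two lists above under the scoping rules the reply describes: an ACL applied with the vlan keyword is consulted only for traffic whose source and destination are both in that VLAN, while in is consulted only for traffic routed out of that VLAN into another. The VLAN subnets are the ones named in the reply; the implicit deny at the end of the list is ArubaOS-Switch behaviour not spelled out in the thread, and only the host/any address forms used in the thread are parsed.

```python
import ipaddress

# Constructed lab topology from the thread: VLAN 2 and VLAN 3, one /24 each.
VLANS = {2: ipaddress.ip_network("192.168.2.0/24"),
         3: ipaddress.ip_network("192.168.3.0/24")}
def _take_addr(tok, i):
    """Consume one address spec; only 'host <ip>' and 'any' (the forms in the thread) are modelled."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    raise ValueError(f"unsupported address spec: {tok[i]!r}")

def parse_acl(lines):
    """Parse 'deny|permit ip <src> <dst>' entries into ordered (action, src_net, dst_net) tuples."""
    entries = []
    for line in lines:
        tok = line.split()
        if len(tok) < 4 or tok[0] not in ("deny", "permit") or tok[1] != "ip":
            raise ValueError(f"only 'deny|permit ip ...' entries are modelled: {line!r}")
        src, i = _take_addr(tok, 2)
        dst, _ = _take_addr(tok, i)
        entries.append((tok[0], src, dst))
    return entries

def vlan_of(ip):
    """VLAN whose subnet contains ip, or None if it lies outside the modelled topology."""
    return next((vid for vid, net in VLANS.items() if ip in net), None)
def acl_applies(keyword, vlan_id, src, dst):
    """Scoping from the reply: 'vlan' (VACL) sees only intra-VLAN flows, 'in' (RACL) only flows
    routed out of this VLAN into another one. Other keywords are not modelled."""
    s, d = vlan_of(src), vlan_of(dst)
    if keyword == "vlan":
        return s == vlan_id == d
    if keyword == "in":
        return s == vlan_id and d is not None and d != vlan_id
    raise ValueError(f"unmodelled ip access-group keyword: {keyword!r}")

def verdict(acl, keyword, vlan_id, src_ip, dst_ip):
    """'permit' or 'deny' for one flow through 'ip access-group <acl> <keyword>' on vlan <vlan_id>."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if not acl_applies(keyword, vlan_id, src, dst):
        return "permit"  # the ACL is never consulted for this flow, so it cannot block it
    for action, s_net, d_net in acl:
        if src in s_net and dst in d_net:
            return action  # first match wins
    return "deny"  # ArubaOS-Switch ACLs end with an implicit deny (not spelled out in the thread)

# The two lists from the reply, exactly as entered in ip access-list extended mode.
TESTVACL = parse_acl(["deny ip host 192.168.2.10 host 192.168.2.50", "permit ip any any"])
TESTRACL = parse_acl(["deny ip host 192.168.2.10 host 192.168.3.150", "permit ip any any"])
```

Running verdict(TESTVACL, "in", 2, "192.168.2.10", "192.168.2.50") returns "permit" for the same flow that the vlan keyword denies, which is the mistake the reply warns about.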

parnassus
Honored Contributor

Re: VLAN access control list

Hi @Anuragt85, in my opinion what you wrote is exactly what was described by this HP Support Information (some years ago, I presume)... if so (if I'm not mistaken), why not cite that very original source?


I'm not an HPE Employee