10-05-2018 05:24 AM
VLAN access control list
Hi,
My company has purchased an HP Aruba 2930M 24-port switch and I am a newbie at configuring HP Aruba switches.
I would like to understand more about VLAN access control lists and IP access group usage.
Please help and guide me to learn this, as I am having trouble configuring the VLAN access control list and IP access group.
Thank you very much.
10-09-2018 06:00 AM
Re: VLAN access control list
Hi,
To create a VLAN-based ACL, an access list needs to be created just the way it is created for a port-based ACL (PACL). For example, the following access list, named TESTVACL, will block all IP packets from host 192.168.2.10 to host 192.168.2.50, while allowing all other traffic:
Aruba(config)# ip access-list extended TESTVACL
Aruba(config-ext-nacl)# deny ip host 192.168.2.10 host 192.168.2.50
Aruba(config-ext-nacl)# permit ip any any
Aruba(config-ext-nacl)# exit
Suppose that both source and destination IP addresses in the ACL above are in VLAN 2 (192.168.2.0/24). Then the ACL TESTVACL can be applied to the VLAN 2 interface this way:
Aruba(config)# vlan 2
Aruba(vlan-2)# ip access-group TESTVACL vlan
Aruba(vlan-2)# exit
Notice the keyword vlan at the end of the ip access-group command. This keyword has to be used when both source and destination IP addresses belong to the same VLAN. In this case, the ACL is called a VLAN ACL, or VACL. If, instead of the keyword vlan, the keyword in is used like below:
Aruba(config)# vlan 2
Aruba(vlan-2)# ip access-group TESTVACL in
Aruba(vlan-2)# exit
Then the ACL will not filter out anything and host 192.168.2.10 can still talk to host 192.168.2.50.
The keywords in and out only work when the source and destination IP addresses belong to different VLANs. In this case the ACL is called a Routed IP ACL (RACL). Consider the example below:
Aruba(config)# ip access-list extended TESTRACL
Aruba(config-ext-nacl)# deny ip host 192.168.2.10 host 192.168.3.150
Aruba(config-ext-nacl)# permit ip any any
Aruba(config-ext-nacl)# exit
In this case the source host is in VLAN 2 (192.168.2.0/24) while the destination host is in VLAN 3 (192.168.3.0/24). We can apply this ACL as follows:
Aruba(config)# vlan 2
Aruba(vlan-2)# ip access-group TESTRACL in
Aruba(vlan-2)# exit
I am an HPE employee
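A defender's check for the mistake described in the answer above, as an added example that is not part of the original post or any HPE tooling: it reads commands in the form typed in the post and flags host-to-host rules applied with `in` or `out` whose two hosts sit in the same VLAN. The `VLAN_SUBNETS` map, the sample `CONFIG` and the function names are assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumption: VLAN-to-subnet mapping taken from the post's addressing plan.
VLAN_SUBNETS = {2: ipaddress.ip_network("192.168.2.0/24"),
                3: ipaddress.ip_network("192.168.3.0/24")}

# Constructed input: the post's commands, with the ACL applied using "in".
CONFIG = """\
ip access-list extended TESTVACL
deny ip host 192.168.2.10 host 192.168.2.50
permit ip any any
exit
vlan 2
ip access-group TESTVACL in
exit
"""

HOST_RULE = re.compile(r"(deny|permit) ip host (\S+) host (\S+)")

def parse(config):
    """Return ({acl: [(action, src, dst)]}, [(vlan_id, acl, keyword)])."""
    acls, applied, acl, vlan = {}, [], None, None
    for line in (l.strip() for l in config.splitlines()):
        if m := re.fullmatch(r"ip access-list extended (\S+)", line):
            acl, vlan = m.group(1), None
            acls[acl] = []
        elif m := re.fullmatch(r"vlan (\d+)", line):
            vlan, acl = int(m.group(1)), None
        elif line == "exit":
            acl = vlan = None
        elif acl and (m := HOST_RULE.fullmatch(line)):
            acls[acl].append((m.group(1), ipaddress.ip_address(m.group(2)),
                              ipaddress.ip_address(m.group(3))))
        elif vlan and (m := re.fullmatch(r"ip access-group (\S+) (in|out|vlan)", line)):
            applied.append((vlan, m.group(1), m.group(2)))
    return acls, applied

def ineffective_rules(config, subnets=VLAN_SUBNETS):
    """Flag host rules applied with in/out whose hosts share the applied VLAN."""
    acls, applied = parse(config)
    findings = []
    for vlan, name, keyword in applied:
        if keyword == "vlan" or vlan not in subnets:
            continue  # a VACL covers same-VLAN traffic; unknown VLANs are skipped
        for action, src, dst in acls.get(name, []):
            if src in subnets[vlan] and dst in subnets[vlan]:
                findings.append((vlan, name, keyword, str(src), str(dst)))
    return findings
```

Calling `ineffective_rules(CONFIG)` returns one finding for TESTVACL on VLAN 2; rules written with `any` or wildcard masks are not evaluated by this sketch.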
10-09-2018 08:00 AM
Re: VLAN access control list
Hi @Anuragt85, in my opinion what you wrote is exactly what was described by this HP Support Information (some years ago, I presume)... If so, if I'm not mistaken, why not cite that very original source?
I'm not an HPE Employee
