SOLVED
Hello,
If you need the block the inter-port communication only for a certain VLAN then I think you can check if using an Access Control List can satisfy your requirements. Basically what you could do is apply an ACL which denies incoming traffic destined to other IP addresses in the same VLAN. That way the workstations will only be able to reach destinations in other VLANs or the internet. If you have some server in the same VLAN that should be reachable you can permit traffic to its IP and deny traffic to all other IPs.
According to the last manual, the switch supports port ACL and VLAN ACL.
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-c04490670&withFrame
Static ACLs
Static ACLs are configured on the switch. To apply a static ACL, you must assign it to an interface
(VLAN or port).
• VLAN ACL (VACL) A VACL is an ACL configured on a VLAN to filter traffic entering the switch
on that VLAN interface and having a destination on the same VLAN.
• Static port ACL A static port ACL is an ACL configured on a port to filter traffic entering the
switch on that port, regardless of whether the traffic is routed, switched, or addressed to a
destination on the switch itself.
You are trying to restrict switched traffic so both options should be applicable. Since both options can be applied for incomming traffic at the port only (not outgoing), you should use an extended ACL in order to be able to specify which destination should be reachable and which not.
You have to keep in mind that the ACLs have an implicit deny rule as last statement. You should make sure that you add a rule at the end of the list permiting all traffic not mathing your restricting rule, permit ip any any.
Hello,
Yes, I usually configure the mask as a wildcard mask 0.0.0.255 but it can be done also this way. The SW transforms the network mask to a wildcard mask so if you enter show access-list DenyUsers2User you should see a wildcard mask.
This seems OK to me but it is always possible that we are missing something. So it is always better to test it on a single port before applying it to all ports. Please apply the ACL to the port where a test workstation is connected and test. This is for example how it can be applied to port 1
config
interface 1 ip access-group DenyUsers2Users in
Test if this workarstation can ping any other workstation.
Of course keep in mind that before the ACL is applied to all ports, connection initiated from other workstations will be allowed, because the ACL can only be applied as inbound.
I just determined that the manual is probably not correct about the support of VLAN ACL on this switch. I will need to double check it.
Hello,
It looks that there is wrong information in the manual. The 2910 switches doesnt support applying ACLs on VLANs. Static ACLs can only be applied to ports in inbound direction.
Hello
We have to keep in mind that this ACL is applied on the workstation ports of the 2910 and they are applied in inbound direction. So they control only traffic going from the workstation to the switch. Not from the switch to client. If the workstations need to reach the DHCP servers 192.168.20.1 and 192.168.20.254 the entries 10 and 20 are necessary. You have also added an entry 40 permiting return traffic from 192.168.20.254 to any ip. The return traffic will be sent from the switch to the workstations ports in outbound direction and the ACL will not control it. So for me this entry is only necessary if the ACL will be applied to the port where 192.168.20.254 is connected. If you dont apply the ACL to the ports where .1 and .254 are connected this entry is not needed because the switch will not controll outgoing traffic to the workstations and all traffic will be permitted.