Configure ACL to allow access to internet

akj501
Occasional Visitor

Hi All,

I am hitting my head against a wall on this one. Any help would be very much appreciated.

Configuration

I currently have a HP 2920 Switch, and have 2 Vlans configured on this switch.

Vlan 40 and Vlan 60 - They are both used for Guest and Staff wireless access.

I have configured VLAN 40 with an ACL called "Vlan-40-ACL" and I have also configured VLAN 60 with an ACL called "Vlan-60-ACL". I have applied both ACLs to the relevant VLANs.

Vlan 40 Address is configured as - 10.19.72.2 255.255.248.0

Vlan 60 Address is configured as - 10.19.88.2 255.255.252.0

Router Default Gateway - 10.18.168.1

DHCP Server - 10.18.168.14

DNS Server - 10.18.168.14

Radius Server 1 - 10.18.168.15

Radius Server 2 - 10.18.168.17

IP Routing is configured on the switch.

From a connectivity point of view I have the switch working the way I want; I just want to lock down each VLAN with an ACL while maintaining access to the router, DHCP, DNS, RADIUS etc. on the default VLAN (VLAN 1).

When configuring either ACL with the following commands:

  • 10 permit tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 80
  • 40 permit tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 443
  • 50 permit udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 53
  • 60 permit tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 53

I am still unable to connect to the internet from a client via this configuration.

Is anyone able to point me in the right direction? I am smashing my head against a wall on this one.

Switch configuration

hostname "HP-Stack-2920"
trunk 2/19 trk2 trunk
timesync sntp
sntp unicast
sntp server priority 1 10.18.168.13
sntp server priority 2 86.19.119.81
no telnet-server
web-management ssl
ip access-list extended "Vlan-40-ACL"
   exit
ip access-list extended "Vlan-60-ACL"
   exit
ip default-gateway 10.18.168.1
ip route 0.0.0.0 0.0.0.0 10.18.168.1
ip routing
interface 2/19
   name "Internet Out - LightSpeed"
   speed-duplex 100-full
   exit
snmp-server community "public" unrestricted
oobm
   ip address dhcp-bootp
   member 1
      ip address dhcp-bootp
      exit
   member 2
      ip address dhcp-bootp
      exit
   member 3
      ip address dhcp-bootp
      exit
   member 4
      ip address dhcp-bootp
      exit
   exit
vlan 1
   name "DEFAULT_VLAN"
   no untagged 2/23-2/24
   untagged 1/1-1/8,1/10-1/48,1/A1-1/A2,1/B1-1/B2,2/1-2/18,2/20-2/22,2/25-2/48,2/A1-2/A2,2/B1-2/B2,3/1-3/48,3/A1-3/A2,3/B1-3/B2,4/1-4/48,4/A1-4/A2,4/B1-4/B2,Trk2
   tagged 1/9
   ip address 10.18.171.2 255.255.252.0
   exit
vlan 40
   name "Guest BYOD"
   untagged 2/24
   tagged 1/43,2/A2,4/9,4/11,4/13,4/15,4/19,4/26,Trk2
   ip access-group "Vlan-40-ACL" vlan
   ip address 10.19.72.2 255.255.248.0
   ip helper-address 10.18.168.13
   ip helper-address 10.18.168.14
   exit
vlan 60
   name "Staff BYOD"
   untagged 2/23
   tagged 1/43,2/A2,4/9,4/11,4/13,4/15,4/19,4/26,Trk2
   ip access-group "Vlan-60-ACL" vlan
   ip address 10.19.88.2 255.255.252.0
   ip helper-address 10.18.168.13
   ip helper-address 10.18.168.14
   exit
spanning-tree Trk2 priority 4
no autorun
no dhcp config-file-update
no dhcp image-file-update
password manager

Please help!
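An added example, not code from the post or from HP: it evaluates the four posted permit entries against constructed sample flows using the usual extended-ACL rules (address plus wildcard mask, first match wins, an implicit deny of anything no entry permits), which makes visible that a DHCP discover or a ping to the gateway has no matching entry and falls to that implicit deny. The client address 10.19.72.50 and the internet address 203.0.113.10 are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed evaluator for ProCurve-style extended ACL entries: a wildcard bit set to 1
# means "don't care", the first matching entry decides, and an unmatched packet is denied.
@dataclass
class Entry:
    seq: int
    action: str             # "permit" or "deny"
    proto: str              # "ip", "tcp", "udp" or "icmp" ("ip" matches any protocol)
    src: str; src_wc: str   # source address and wildcard mask
    dst: str; dst_wc: str   # destination address and wildcard mask
    dport: Optional[int] = None   # "eq <port>" on the destination; None = any port

def _wild_match(addr: str, base: str, wildcard: str) -> bool:
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    keep = ~w & 0xFFFFFFFF          # bits that must be equal
    return (a & keep) == (b & keep)

def evaluate(acl, proto, src, dst, dport=None):
    """Return (action, seq) of the first matching entry, or ("deny", None) for the implicit deny."""
    for e in acl:
        if e.proto not in ("ip", proto):
            continue
        if not (_wild_match(src, e.src, e.src_wc) and _wild_match(dst, e.dst, e.dst_wc)):
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action, e.seq
    return "deny", None

ANY = ("0.0.0.0", "255.255.255.255")   # "0.0.0.0 255.255.255.255" in the post = any host
POSTED_ACL = [                          # the four entries exactly as listed in the post
    Entry(10, "permit", "tcp", *ANY, *ANY, 80),
    Entry(40, "permit", "tcp", *ANY, *ANY, 443),
    Entry(50, "permit", "udp", *ANY, *ANY, 53),
    Entry(60, "permit", "tcp", *ANY, *ANY, 53),
]

# Constructed flows; 10.19.72.50 is an assumed client address in VLAN 40.
SAMPLE_FLOWS = {
    "https to internet":         ("tcp", "10.19.72.50", "203.0.113.10", 443),
    "dns to 10.18.168.14":       ("udp", "10.19.72.50", "10.18.168.14", 53),
    "dhcp discover (broadcast)": ("udp", "0.0.0.0", "255.255.255.255", 67),
    "ping to gateway":           ("icmp", "10.19.72.50", "10.18.168.1", None),
}

def audit(acl=POSTED_ACL, flows=SAMPLE_FLOWS):
    return {name: evaluate(acl, *flow)[0] for name, flow in flows.items()}
```

Run `audit()` to get the verdict per flow; only the HTTPS and DNS flows are permitted, every other flow ends at the implicit deny.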

1 REPLY
Vince-Whirlwind
Honored Contributor

Re: Configure ACL to allow access to internet

Not sure what this does,

   ip access-group "Vlan-60-ACL" vlan

But personally, I would use,

   ip access-group "Vlan-60-ACL" in