LAN Routing
HP 2920 Inter VLAN Routing

SOLVED
dave_fluffy
Occasional Advisor

Afternoon All

Been looking for an answer for this all week and reading loads of forum posts but cannot figure this out. I'm sure it's an easy fix for this community!

So I have an HP Switch 2920 J9729A that is going into a managed service office. The idea is to split into VLANs with their own subnets so clients can talk to the router and shared devices (copiers) on VLAN1 but then cannot see each other's companies on their VLAN.

So I have a DrayTek router on port 1, 172.16.1.254 (VLAN1), and VLAN2 (172.17.1.0/16), VLAN3 (172.18.1.0/16).

So I got that part working ok with my current config (attached). When I put devices into the relevant ports (PC in port 8 and PC in port 13) they get their respective IPs ok .. but they can communicate with each other (which is not what I want!)

So I looked into setting up an ACL, which I can do ok, but I cannot apply the ACL to a VLAN.

Am I going about this the right way?

13 REPLIES
ZewaZebra1
Occasional Advisor

Re: HP 2920 Inter VLAN Routing

Same problem, I really hope someone can help here.. I have been searching for quite a long time now.

Pete W
Valued Contributor

Re: HP 2920 Inter VLAN Routing

Dave,

Firstly - the subnet masks in your DHCP scopes are /24s, however the VLAN interfaces that they are applied to are /16s. This would not break your network as it stands - but worth fixing anyway.

In answer to your query, the 2920 does NOT offer RACLs (routed ACLs), however it does offer VACLs (VLAN ACLs) and PACLs (port ACLs). You could probably get the results that you need by applying a carefully written VACL, however the ACL would then be applied to every ingress frame on that VLAN on the switch, regardless of its destination - and that includes intra-VLAN traffic.

The configuration guide which documents the VACLs is the "Access Security Guide" which can be found at http://h20628.www2.hp.com/km-ext/kmcsdirect/emr_na-c04490669-3.pdf

ACL configuration starts on page 230, and VACL configuration is on page 231.

Regards,

Pete

HPE MASE
Aruba ACMP
Fortinet NSE 1-7
Cisco CCNP
dave_fluffy
Occasional Advisor

Re: HP 2920 Inter VLAN Routing

Ok, really sorry but not making much sense of this document.

I can see the command

vlan <vid> ip access-group <identifier> vlan

But not sure how to apply that .. please help!

dave_fluffy
Occasional Advisor

Re: HP 2920 Inter VLAN Routing

I found this,

http://vmfocus.com/2012/10/14/how-to-configure-access-lists-route-between-vlans-on-hp-v1910-24g/

but my web interface looks totally different, I don't get any of the options...

dave_fluffy
Occasional Advisor

Re: HP 2920 Inter VLAN Routing

Hi All

I'm kind of 90% of the way there now .. when PCs are on VLAN2 or VLAN3 they cannot ping each other but they cannot reach the default GW. I'm pretty sure it's a DrayTek config issue. Any ideas?

Please help!

Vince-Whirlwind
Honored Contributor

Re: HP 2920 Inter VLAN Routing

so maybe just add in something like:

ip access-list standard Vlan2
   deny 172.18.0.0 0.0.255.255
   permit 0.0.0.0 255.255.255.255

ip access-list standard Vlan3
   deny 172.17.0.0 0.0.255.255
   permit 0.0.0.0 255.255.255.255

vlan 2
   ip access-group Vlan2 in

vlan 3
   ip access-group Vlan3 in

Vince-Whirlwind
Honored Contributor

Re: HP 2920 Inter VLAN Routing

Oops, I only read your first post.

I can see your config has moved on a bit - but the "router" option you are handing in both your DHCP scopes is an address that doesn't even belong to the scope's subnet.

That explains why nothing can communicate outside its own subnet.

Vince-Whirlwind
Honored Contributor
Solution

Re: HP 2920 Inter VLAN Routing

ip access-list standard Vlan2
   deny 172.16.3.0 0.0.0.255
   permit 0.0.0.0 255.255.255.255

ip access-list standard Vlan3
   deny 172.16.2.0 0.0.0.255
   permit 0.0.0.0 255.255.255.255

vlan 2
   ip access-group Vlan2 in

vlan 3
   ip access-group Vlan3 in

dave_fluffy
Occasional Advisor

Re: HP 2920 Inter VLAN Routing

Thanks for the reply

I managed to get this working. You are correct about the default gateway on the subnet, but I found this switch cannot apply an access-list to a VLAN so I had to do it per port, which is a pain, but when done right works really well.

If anyone wants the config let me know, happy to share

Pete W
Valued Contributor

Re: HP 2920 Inter VLAN Routing

To avoid having to put the ACL on every interface (PACL), you could put it on the VLAN something like this:

ip access-list extended Vlan2_ACL
   permit ip any 172.16.2.0 0.0.0.255
   deny ip any 172.16.0.0 0.15.255.255
   permit ip any any

ip access-list extended Vlan3_ACL
   permit ip any 172.16.3.0 0.0.0.255
   deny ip any 172.16.0.0 0.15.255.255
   permit ip any any

vlan 2
   ip access-group Vlan2_ACL vlan

vlan 3
   ip access-group Vlan3_ACL vlan

Pete

HPE MASE
Aruba ACMP
Fortinet NSE 1-7
Cisco CCNP
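Because a VACL on this platform is evaluated against every frame entering the VLAN, it is worth checking on paper which flows each entry catches before applying it. The following is an added example, not code from this thread or from HPE: a small offline evaluator for the ProVision-style ACL syntax used above. It assumes the usual wildcard-mask semantics (a 1 bit means "don't care"), first-match evaluation with an implicit deny at the end, standard entries matching the source address only and extended entries matching protocol, source and destination. The embedded sample config is constructed from the two extended ACLs in the post above, and the flows (a VLAN 2 host talking to another VLAN 2 host, to a VLAN 3 host, to the 172.16.1.254 router address from the first post, and to an off-site address) are constructed test inputs; the run shows that the 0.15.255.255 wildcard covers the whole of 172.16.0.0/12, so any shared-device or router address inside that range needs its own permit entry ahead of the deny.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Addr = Tuple[str, str]                   # (network, wildcard mask)
ANY: Addr = ("0.0.0.0", "255.255.255.255")

# Constructed sample: the two extended ACLs proposed in the thread.
SAMPLE_CONFIG = """
ip access-list extended Vlan2_ACL
   permit ip any 172.16.2.0 0.0.0.255
   deny ip any 172.16.0.0 0.15.255.255
   permit ip any any

ip access-list extended Vlan3_ACL
   permit ip any 172.16.3.0 0.0.0.255
   deny ip any 172.16.0.0 0.15.255.255
   permit ip any any
"""


@dataclass
class Ace:
    """One access-control entry (one permit/deny line)."""
    action: str                 # "permit" or "deny"
    src: Addr
    dst: Optional[Addr] = None  # None for a standard ACL, which matches source only
    proto: str = "ip"           # "ip" matches every IP protocol


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Wildcard-mask test: a 1 bit in the mask is 'don't care' (inverse of a netmask)."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(network)) & care)


def _take_addr(tokens: List[str]) -> Tuple[Addr, List[str]]:
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D W.W.W.W'."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_acls(config: str) -> Dict[str, List[Ace]]:
    """Parse 'ip access-list standard|extended NAME' blocks into ordered ACE lists."""
    acls: Dict[str, List[Ace]] = {}
    current: Optional[List[Ace]] = None
    kind = ""
    for raw in config.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[:2] == ["ip", "access-list"]:
            kind = tokens[2]
            current = acls.setdefault(tokens[3], [])
            continue
        if current is None or tokens[0] not in ("permit", "deny"):
            continue
        action, rest = tokens[0], tokens[1:]
        if kind == "standard":
            src, _ = _take_addr(rest)
            current.append(Ace(action, src))
        else:
            proto, rest = rest[0], rest[1:]
            src, rest = _take_addr(rest)
            dst, _ = _take_addr(rest)
            current.append(Ace(action, src, dst, proto))
    return acls


def evaluate(acl: List[Ace], src: str, dst: str, proto: str = "ip") -> str:
    """First-match evaluation; the implicit 'deny any' at the end is returned explicitly."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not wildcard_match(src, *ace.src):
            continue
        if ace.dst is not None and not wildcard_match(dst, *ace.dst):
            continue
        return ace.action
    return "deny"


if __name__ == "__main__":
    acls = parse_acls(SAMPLE_CONFIG)
    # Constructed flows as seen inbound on VLAN 2 (a VACL also sees intra-VLAN frames).
    flows = [
        ("172.16.2.10", "172.16.2.20"),   # same VLAN
        ("172.16.2.10", "172.16.3.10"),   # the other tenant VLAN
        ("172.16.2.10", "172.16.1.254"),  # the router address from the first post
        ("172.16.2.10", "8.8.8.8"),       # off-site
    ]
    for s, d in flows:
        print(f"{s:>14} -> {d:<14} {evaluate(acls['Vlan2_ACL'], s, d)}")
```

Paste the candidate ACL into SAMPLE_CONFIG and add the addresses of the router and the shared copiers to the flow list; every flow that should work must come back "permit" before the list is bound to the VLAN.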
Little_Love
Occasional Visitor

Re: HP 2920 Inter VLAN Routing

How did you make it work?

dave_fluffy
Occasional Advisor

Re: HP 2920 Inter VLAN Routing

PM me, and I'll email you the config

rahulsinhaniya
Occasional Visitor

Re: HP 2920 Inter VLAN Routing

Could you please share the config with us? I am having the same problem