ProCurve / ProVision-Based

HP 2920-48g problem with acl assignment

SOLVED
Clem58
Occasional Contributor

Hello,

I've got a problem with an ACL. When I want to assign it to a VLAN and type the command:

vlan 172 ip access-group vpacl in

it tells me:

Invalid input: in

Can you help me?

Thx

11 REPLIES
Vince-Whirlwind
Honored Contributor

Re: HP 2920-48g problem with acl assignment

Should that be

int vlan 172

?

Clem58
Occasional Contributor

Re: HP 2920-48g problem with acl assignment

Same problem with "int":

SWITCH-48-ARES(config)# int vlan 172 ip access-group vpacl in
Invalid input: in


Vince-Whirlwind
Honored Contributor

Re: HP 2920-48g problem with acl assignment

Is ip routing enabled?

Clem58
Occasional Contributor

Re: HP 2920-48g problem with acl assignment

Yes, IP routing is enabled.

Here is the config of the switch (the core of our network):

Running configuration:

; J9728A Configuration Editor; Created on release #WB.15.13.0005
; Ver #05:08.e3.ff.35.0d:29

hostname "SWITCH-48-ARES"
module 1 type j9728a
trunk 1-2 trk2 lacp
trunk 47-48 trk3 lacp
telnet-server listen data
web-management listen data
ip ssh listen data
ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip routing
interface 1
   name "trk2 vers salle serveurs"
   exit
interface 2
   name "trk2 vers salle serveurs"
   exit
interface 47
   name "trk3 vers sw vlan 6"
   exit
interface 48
   name "trk3 vers sw vlan 6"
   exit
snmp-server community "public" unrestricted
snmp-server listen data
oobm
   disable
   ip address dhcp-bootp
   exit
router rip
   redistribute connected
   exit
vlan 1
   name "DEFAULT_VLAN"
   no untagged 3,45-46
   untagged 4-44,A1-A2,B1-B2
   tagged Trk2-Trk3
   ip address 192.168.1.20 255.255.255.0
   exit
vlan 6
   name "lan6"
   untagged 45-46
   tagged Trk2-Trk3
   ip address 192.168.6.1 255.255.255.0
   ip helper-address 192.168.1.2
   exit
vlan 10
   name "Admin"
   untagged 3
   tagged Trk2-Trk3
   ip address 192.168.10.254 255.255.255.0
   exit
vlan 172
   name "vlanvp"
   tagged Trk3
   ip address 172.16.1.254 255.255.255.0
   exit
spanning-tree Trk2 priority 4
spanning-tree Trk3 priority 4
no tftp server
tftp server listen data
no autorun
no dhcp config-file-update
no dhcp image-file-update
password manager
password operator

VLAN 172 (vlanvp) is for the video protection LAN only; we want only some IPs to access this VLAN, for example 192.168.6.134.

I can't find out how to do this...

forgeddit
Established Member

Re: HP 2920-48g problem with acl assignment

In that case you are applying the ACL in the wrong direction anyway.

What you need is to apply that ACL as "in" on each of the *other* VLAN interfaces.

I wonder if it won't let you because you don't have any live ports in the VLAN or something?

Michael Patmon
Trusted Contributor

Re: HP 2920-48g problem with acl assignment

Hello. On WB.15.13 port and VLAN ingress ACLs are the only ones available to you. Router ACLs, that is ACLs with a direction of "in" or "out" in the VLAN context, are not supported. As forgeddit mentioned you could apply the ACL to each of the other VLANs to filter on ingress. Something like:

ip access-list extended "100"
   10 permit ip 192.168.6.134 0.0.0.0 0.0.0.0 255.255.255.255
   20 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
   exit

vlan 1 ip access-group 100 vlan
vlan 6 ip access-group 100 vlan
vlan 10 ip access-group 100 vlan

Router ACLs were added to the 2920 in WB.15.18 if upgrading the software is an option. You could take the same ACL and apply it to your egress VLAN 172:

vlan 172 ip access-group 100 out


Clem58
Occasional Contributor

Re: HP 2920-48g problem with acl assignment

Hello,

I've updated my switches, they are in version WB.15.18.0007, ROM WB.15.05

For ACLs I now only have the "vlan-in" configuration, e.g.:

SWITCH-48-ARES(vlan-172)# ip access-group 100
 vlan-in               Apply the IPv4 ACL for bridged and routed inbound
                       packets on this VLAN.
SWITCH-48-ARES(vlan-172)# ip access-group 100

I don't have "in" or "out" options.
I still want only some IPs accessing VLAN 172; 192.168.6.134 is one of them.

I'm lost now, I still cannot use ACL with my 2920-48G.

Clem58
Occasional Contributor
Solution

Re: HP 2920-48g problem with acl assignment

OK, I've finally found how to make it work:

I've created an extended ACL for filtering VLAN in:

ip access-list extended vp
10 permit ip 172.16.1.0/24 192.168.6.0/24
wr mem
exit

vlan 172
ip access-group vp vlan-in
wr mem
exit

This one permits all hosts in 192.168.6.0 to access 172.16.1.0 and denies all others.

If I want to only accept one host IP (192.168.6.134), I can too, with the "magical" host option! Then:

ip access-list extended vp
10 permit ip 172.16.1.0/24 host 192.168.6.134
wr mem
exit

If I want another IP to access VLAN 172 I can add a line to access-list vp:

20 permit ip 172.16.1.0/24 host 192.168.6.189

Last thing, I can also accept only one host IP to one host IP in VLAN 172, like 172.16.1.1; I just have to add "host" before it:

20 permit ip host 172.16.1.1 host 192.168.6.189

So with the latest firmware I can do whatever I want, that's cool!

Thanks

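The matching rules behind both Michael Patmon's wildcard-mask ACL and Clem58's final vlan-in ACL can be checked offline. The script below is an added example for this thread, not HP/HPE code and not anything posted by the participants: it parses the three address forms used in the posts (host A.B.C.D, A.B.C.D/nn, and the "A.B.C.D W.W.W.W" wildcard pair), evaluates entries top-down with first-match semantics and the implicit deny at the end, and runs constructed packets through copies of both ACLs. Per the CLI help text quoted above, vlan-in evaluates packets arriving inbound on VLAN 172, so the source side of each entry is the 172.16.1.0/24 side; the sample packets and the "access-list" copies are constructed for the example and the model only handles "ip" entries (no protocol or port matching).

```python
"""Toy model of ProVision-style extended IPv4 ACL matching (added example,
not HP/HPE code). It never talks to a switch; it only reproduces the
top-down, first-match, implicit-deny evaluation of the entry lines."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    seq: int                         # sequence number, e.g. 10, 20
    action: str                      # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _parse_addr(tokens, i):
    """Consume one address spec starting at tokens[i]; return (network, next index)."""
    tok = tokens[i]
    if tok == "host":                                   # host A.B.C.D
        return ipaddress.ip_network(f"{tokens[i + 1]}/32"), i + 2
    if tok == "any":                                    # keyword form of 0.0.0.0/0
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if "/" in tok:                                      # A.B.C.D/nn
        return ipaddress.ip_network(tok, strict=False), i + 1
    # A.B.C.D W.W.W.W wildcard pair: a 0 bit in W is compared, a 1 bit is
    # ignored, so the netmask is the bitwise complement of the wildcard.
    # A non-contiguous wildcard has no prefix form and makes ip_network raise.
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    netmask = str(ipaddress.IPv4Address((~wildcard) & 0xFFFFFFFF))
    return ipaddress.ip_network((tok, netmask), strict=False), i + 2


def parse_acl(text):
    """Parse the numbered entry lines of an 'ip access-list extended' block.

    Lines that do not start with a sequence number (the header, 'exit',
    'wr mem') are skipped, so a block can be pasted in as it appears above.
    """
    aces = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or not tokens[0].isdigit():
            continue
        seq, action, proto = int(tokens[0]), tokens[1], tokens[2]
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError(f"unsupported entry: {line.strip()}")
        src, i = _parse_addr(tokens, 3)
        dst, _ = _parse_addr(tokens, i)
        aces.append(Ace(seq, action, src, dst))
    return sorted(aces, key=lambda a: a.seq)


def evaluate(aces, src_ip, dst_ip):
    """Return (action, seq) of the first matching entry, or ('deny', None)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in aces:
        if src in ace.src and dst in ace.dst:
            return ace.action, ace.seq
    return "deny", None               # implicit deny when nothing matched


# Constructed copies of the two ACLs discussed in the thread.
SOLUTION_ACL = """
ip access-list extended vp
10 permit ip 172.16.1.0/24 host 192.168.6.134
20 permit ip host 172.16.1.1 host 192.168.6.189
exit
"""

WILDCARD_ACL = """
ip access-list extended "100"
   10 permit ip 192.168.6.134 0.0.0.0 0.0.0.0 255.255.255.255
   20 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
   exit
"""


def solution_verdicts():
    """Verdicts for constructed packets arriving on VLAN 172 (vp bound vlan-in)."""
    acl = parse_acl(SOLUTION_ACL)
    return {
        "172.16.1.50 -> 192.168.6.134": evaluate(acl, "172.16.1.50", "192.168.6.134"),
        "172.16.1.50 -> 192.168.6.189": evaluate(acl, "172.16.1.50", "192.168.6.189"),
        "172.16.1.1 -> 192.168.6.189": evaluate(acl, "172.16.1.1", "192.168.6.189"),
        "192.168.6.134 -> 172.16.1.50": evaluate(acl, "192.168.6.134", "172.16.1.50"),
    }


def wildcard_verdicts():
    """Verdicts for the wildcard-mask ACL bound on the other VLANs."""
    acl = parse_acl(WILDCARD_ACL)
    return {
        "192.168.6.134 -> 172.16.1.10": evaluate(acl, "192.168.6.134", "172.16.1.10"),
        "192.168.6.10 -> 172.16.1.10": evaluate(acl, "192.168.6.10", "172.16.1.10"),
    }


if __name__ == "__main__":
    for name, verdicts in (("vp vlan-in on VLAN 172", solution_verdicts()),
                           ("100 on VLANs 1/6/10", wildcard_verdicts())):
        print(name)
        for packet, (action, seq) in verdicts.items():
            print(f"  {packet}: {action} (entry {seq})")
```

Run it with python3. The last solution packet (192.168.6.134 toward 172.16.1.50) falls through to the implicit deny in the model, and on the switch an ACL bound vlan-in on VLAN 172 would not evaluate it at all, because that packet arrives on VLAN 6. What the vp entries actually govern is which 192.168.6.x hosts the 172.16.1.0/24 side may send to; the check on traffic entering VLAN 172 is the one Michael Patmon's wildcard ACL on the other VLANs (or the "out" form on newer firmware) performs.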
RTA85
Visitor

Re: HP 2920-48g problem with acl assignment

I was just curious if anyone knows if the same commands are supported on the 2910al-48G-PoE Switch. I am running into the same sort of issues, however, haven't updated the firmware to the latest version yet. 

PeterKna
Occasional Contributor

Re: HP 2920-48g problem with acl assignment

No, it is not possible. The 2910al can only do port-based ACLs, not VLAN-based...

I try to find a solution myself right now.

RTA85
Visitor

Re: HP 2920-48g problem with acl assignment

Thanks for the information, let me know what you come up with if it's even viable. I will do the same.