Help with ACL's on HP 2920

mlltech
Occasional Visitor

Hi all,

I'm fairly new to networking, and I would appreciate any help with configuring ACLs on an HP 2920.

I have several VLANs, and I want to block communication between some of them, and do some other configurations. In the end, this is what I want to accomplish:

  • Allow all traffic from vlan20 to vlan10
  • Allow all traffic from vlan30 to vlan10
  • Allow traffic on tcp port 8880 from vlan40 to vlan10
  • Deny all traffic from vlan50 to vlan10
  • Allow all traffic from vlan99 to vlan10

So, I think this is what I need to configure:

ip access-list extended "VLAN10-In"
permit ip 192.168.20.0/24 192.168.10.0/24
permit ip 192.168.30.0/24 192.168.10.0/24
permit tcp 192.168.40.0/24 192.168.10.0/24 eq 8880
deny ip 192.168.50.0/23 192.168.10.0/24
permit ip 192.168.99.0/24 192.168.10.0/24

(VLAN50 is a /23 network, it's not a typo).

And then, I assume that I have to apply this configuration to the VLAN10 itself, am I right?

Regards

Michael Patmon
Trusted Contributor

Re: Help with ACL's on HP 2920

Hello. 2920 supports ingress port and VLAN ACLs. If your intention is to only allow hosts on VLAN 20, 30, 40 (TCP 8080 only), and 99 to send traffic to VLAN 10 then that ACL will work, but bear in mind those hosts will only be allowed to send traffic with an IP destination of 192.168.10.0/24. All other IP traffic, DHCP discover packets for example, will be dropped. And all VLAN 50 traffic will be dropped.

Also remember there is an implicit "deny ip any any" at the end of the ACL so anything not explicitly permitted will be dropped. 

Once you determine what traffic you want to permit you would then apply it on the ingress port (interface x ip access-group y) or VLAN (vlan x ip access-group y).
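The following Python script is an added illustration and is not part of the original thread or of any HP/HPE tool. It simulates first-match evaluation of the ACL posted above, including the implicit "deny ip any any" the reply mentions, against a few constructed packets, so you can see which lines a packet hits before committing the ACL to a switch. The parser only understands the subset of ProVision syntax used on this page (permit/deny, ip/tcp/udp, network/prefix or "any", an optional "eq <port>" on the destination). The extra "permit udp any any eq 67" line in the second ACL is my assumption about how one might let DHCP discover traffic through; adapt it to where your DHCP server or relay actually lives. One further check worth making before applying the ACL: an inbound ACL on VLAN 10 sees packets sourced by VLAN 10 hosts, whereas the rules above name the other VLANs as sources, so they only match where that traffic enters the switch (ingress on VLANs 20/30/40/50/99, or a routed ACL in the VLAN 10 outbound direction if your firmware supports one; consult the switch's ACL guide for the exact keyword).

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches any IP protocol; else "tcp"/"udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None      # destination port from "eq <port>", if any


def _net(token: str) -> ipaddress.IPv4Network:
    """Translate 'any' or a prefix such as 192.168.50.0/23 into a network."""
    if token == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(token, strict=False)


def parse_acl(text: str) -> List[Rule]:
    """Parse the permit/deny lines of a ProVision-style extended ACL (subset)."""
    rules = []
    for line in text.strip().splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("permit", "deny"):
            continue                 # skip the 'ip access-list extended' header
        action, proto, src, dst = parts[:4]
        dport = int(parts[5]) if len(parts) >= 6 and parts[4] == "eq" else None
        rules.append(Rule(action, proto, _net(src), _net(dst), dport))
    return rules


def evaluate(rules: List[Rule], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """First-match evaluation. Returns (action, index of matching rule).

    Index None means no explicit line matched and the implicit
    'deny ip any any' at the end of the ACL dropped the packet.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, r in enumerate(rules):
        if r.proto != "ip" and r.proto != proto:
            continue
        if s not in r.src or d not in r.dst:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action, i
    return "deny", None


# ACL exactly as posted in the question above.
ORIGINAL_ACL = """
ip access-list extended "VLAN10-In"
permit ip 192.168.20.0/24 192.168.10.0/24
permit ip 192.168.30.0/24 192.168.10.0/24
permit tcp 192.168.40.0/24 192.168.10.0/24 eq 8880
deny ip 192.168.50.0/23 192.168.10.0/24
permit ip 192.168.99.0/24 192.168.10.0/24
"""

# Assumed variant: same rules, plus a line letting DHCP client->server traffic through.
DHCP_AWARE_ACL = 'permit udp any any eq 67\n' + ORIGINAL_ACL

# Constructed sample packets: (label, proto, src, dst, dport).
SAMPLE_PACKETS = [
    ("vlan20 host to vlan10",            "ip",  "192.168.20.9",  "192.168.10.7",    None),
    ("vlan40 to vlan10 tcp/8880",        "tcp", "192.168.40.5",  "192.168.10.7",    8880),
    ("vlan40 to vlan10 tcp/443",         "tcp", "192.168.40.5",  "192.168.10.7",    443),
    ("vlan50 (/23 upper half) to vlan10", "ip",  "192.168.51.9",  "192.168.10.7",    None),
    ("DHCP discover (broadcast)",        "udp", "0.0.0.0",       "255.255.255.255", 67),
]


def report(acl_text: str):
    """Evaluate every sample packet and return (label, action, matched line)."""
    rules = parse_acl(acl_text)
    return [(label, *evaluate(rules, proto, src, dst, dport))
            for label, proto, src, dst, dport in SAMPLE_PACKETS]


if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_ACL), ("dhcp-aware", DHCP_AWARE_ACL)):
        print(f"== {name} ==")
        for label, action, idx in report(acl):
            where = "implicit deny" if idx is None else f"line {idx + 1}"
            print(f"{label:38} {action:6} ({where})")
```

Running it shows the behaviour the reply describes: the VLAN 40 packet on port 443 and the DHCP discover are dropped by the implicit deny in the original ACL (no explicit line matched), while the VLAN 50 packet hits the explicit deny, which is therefore redundant but harmless. The DHCP-aware variant permits the discover on its first line.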