HPE Community
Switches, Hubs, and Modems
1753364 Members
5300 Online
108792 Solutions
New Discussion юеВ

2910 al ACL

 
SjoerdvW
Advisor

тАО06-22-2009 11:57 AM

тАО06-22-2009 11:57 AM

2910 al ACL

I have a Procurve 2910al switch with 2 VLANs:
VLAN 10: 192.168.10.0/24
VLAN 20: 192.168.20.0/24
Is it possible to block the traffic from VLAN 10 to VLAN 20, but allow traffic from VLAN 20 to VLAN 10. It seems i need to use the established command in the ACL, but can't seem to get this to work.
0 Kudos
6 REPLIES 6
Pieter 't Hart
Honored Contributor

тАО06-22-2009 11:42 PM

тАО06-22-2009 11:42 PM

Re: 2910 al ACL

you need two acl's
one permitting trafic from vlan10 to vlan20
another permitting trafic from vlan20 to vlan10 "established".
so only reverse traffic from vlan20 to vlan10 is alowed when first a connection was initiated from vlan10.

Pieter
0 Kudos
SjoerdvW
Advisor

тАО06-24-2009 12:54 AM

тАО06-24-2009 12:54 AM

Re: 2910 al ACL

Hello Pieter,

Thnx for you're reply. However. I don't see why I need 2 ACLs. At this moment VLAN10 & VLAN20 can communicate with eachother, so why should I create an ACL permitting trafic from vlan10 to vlan20?

Do you have an working example from the 2nd ACL? Can't get this to work...
0 Kudos
Pieter 't Hart
Honored Contributor

тАО06-24-2009 06:42 AM

тАО06-24-2009 06:42 AM

Re: 2910 al ACL

you are right, this answer is a "general" setup.
if you only want to limit acces one way and alow it all the other way, then one acl will do.

BTW I looked deeper in the doc's for the 2900 series but found no reference to acl's or the "established" option; only "port-based access-control".

are you sure the 2910 understands ACL's?
0 Kudos
Pieter 't Hart
Honored Contributor

тАО06-24-2009 06:57 AM

тАО06-24-2009 06:57 AM

Re: 2910 al ACL

sorry for previous post
the 2900 series does not seem to include the "2910al".
this has another documentation set in wich acls and "established" are documented.

http://www.hp.com/rnd/support/manuals/2910.htm

is this the model you are referring to ?

Pieter
0 Kudos
SjoerdvW
Advisor

тАО06-25-2009 11:08 PM

тАО06-25-2009 11:08 PM

Re: 2910 al ACL

Hello Pieter,
Thats the model Im referring to.

After playing around for a while I managed to create an access list, that seems to do what i want.
For those of you interested:

ip access-list extended "110"
10 permit tcp 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255 established
20 permit udp 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
30 permit icmp 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255 0
40 deny icmp 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
50 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
60 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit

After this I had to bind the ACL to al the interfaces untagged in this vlan. (strange I cant bind it to the VLAN itself).

int 1-12
ip access-group "110" in
exit
0 Kudos
SjoerdvW
Advisor

тАО06-25-2009 11:19 PM

тАО06-25-2009 11:19 PM

Re: 2910 al ACL

Closing question
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.