HPE Community
Web and Unmanaged
1752794 Members
6318 Online
108789 Solutions
New Discussion юеВ

HP 1920 Switch VLAN acl/qos

 
lucaliga
Visitor

тАО05-10-2018 08:59 AM

тАО05-10-2018 08:59 AM

HP 1920 Switch VLAN acl/qos

Like many others HP 1920-24G Switch (JG924A) owners I have problems trying to isolate traffic between VLANs.
Firmware is JG924A-CMW520-R1119 and release notes stated:

Starting JG924A-CMW520-R1105
Modified features include: An ACL can be applied to multiple ports or VLANs

In cli command "interface Vlan-interface90" dont allow "packet-filter" command but only "qos".
Anyway applying command "qos apply policy VLAN90p inbound" returns:
Error: Setting qos policy failed.
Reason: Not supported by hardware.

I have two VLAN:
VLAN1 10.0.2.0/24 production where is the firewall for Internet 10.0.2.254
VLAN90 172.16.90.0/24 wifi guest DHCP relay to DHCP server 10.0.2.12 with scope 172.16.90.0/24 and releasing option gateway/router 10.0.2.254 DNS server 10.0.2.254
Obviously I want client wifi guest only access to Internet through 10.0.2.254, deny access to any other networks.
All Vlans are already created, each vlan with an IP so I can route between VLAN's each other and to Internet.
Here's the part of my config:
#
 version 5.20.99, Release 1119
#
 sysname HP-1920G-Switch2
#
 dhcp relay server-group 1 ip 10.0.2.12
#
interface Vlan-interface1
 ip address 10.0.2.52 255.255.255.0
#
interface Vlan-interface90
 ip address 172.16.90.1 255.255.255.0
 dhcp select relay
 dhcp relay server-select 1
#
 ip route-static 0.0.0.0 0.0.0.0 10.0.2.254
#
interface GigabitEthernet1/0/22
 port link-type trunk
 port trunk permit vlan 1 90
 port auto-power-down
 stp edged-port enable

In port 22 I connected one access point TP-Link EAP225 (VLAN aware) with two SSID:
SSID        VLAN
VLAN80        0 (means default VLAN 1)
VLAN90        90
thus link-type trunk needed to carry diffferent VLAN ID. VLAN80 is only SSID name but is on VLAN id 1.

All works like a charm and when a wifi client connect to network SSID VLAN90 got IP from DHCP ip 172.16.90.x this means to me VLAN config and related DHCP relay work fine. The client reach both VLAN1 devices and Internet. Now I want to isolate the VLAN 90 and I made these configuration on switch:

#
acl number 3500
 description guest wifi VLAN90
 rule 3 permit udp destination-port range bootps bootpc
#
traffic classifier VLAN90 operator and
 if-match acl 3500
#
traffic behavior VLAN90b
 filter permit
#
qos policy VLAN90p
 classifier VLAN90 behavior VLAN90b

the acl configuration now is not correct but it is not important because any kind of deny/permit in ACL I set anyway I got:

[HP-1920G-Switch2-Vlan-interface90]qos apply policy VLAN90p inbound
Error: Setting qos policy failed.
Reason: Not supported by hardware.

The correct ACL I suppose will be :
acl number 3500
 description guest wifi VLAN90
 rule 3 permit udp destination-port range bootps bootpc
 rule 5 permit ip source 172.16.90.0 0.0.0.255 destination 10.0.2.254 0.0.0.0
 rule 50 deny ip

Why the error "Not supported by hardware"

Thanks

0 Kudos
6 REPLIES 6
parnassus
Honored Contributor

тАО05-10-2018 10:06 AM

тАО05-10-2018 10:06 AM

Re: HP 1920 Switch VLAN acl/qos

Why not using (are you?) the Web GUI's QoS menu [*] to setup a basic/advanced IPv4 ACL instead of Switch CLI?

That way grayed-out options cannot be configured (I suppose both through Web GUI and through CLI) and so you will recognize that immediately.

[*] QoS sub-menu: Summary, Add, Basic Setup, Advanced Setup, Link Layer Setup and Remove.


I'm not an HPE Employee
Kudos and Accepted Solution banner
0 Kudos
lucaliga
Visitor

тАО05-10-2018 10:38 AM

тАО05-10-2018 10:38 AM

Re: HP 1920 Switch VLAN acl/qos

Hy parnassus,

The problem is not configuring qos but apply qos to VLAN interface that give the above error.

Web GUI's QoS menu (I know well) finally wrote cli command into configuration file so using web or cli take you to the same point.

I dont think there is a Web GUI menu for qos apply to a Vlan interface in this switch but only advanced cli. But cli gave that error and we dont know why.

 

 

0 Kudos
Vince-Whirlwind
Honored Contributor

тАО05-13-2018 11:12 PM

тАО05-13-2018 11:12 PM

Re: HP 1920 Switch VLAN acl/qos

You can't apply it to VLANs, you have to apply it to physical ports.
Use the GUI and it will teach you what the config looks like.

If all you need is a simple Layer3 switch to support multiple VLANs and route between them, fine., otherwise this isn't really the switch to be using for Layer3 - use it as a plain Layer2 Access switch and do the routing on a better "Core" switch.

 

0 Kudos
lucaliga
Visitor

тАО05-14-2018 01:55 AM

тАО05-14-2018 01:55 AM

Re: HP 1920 Switch VLAN acl/qos

I also tried command : qos vlan-policy VLAN90p vlan 90 inbound

got same error Not supported by hardware. This means to me you Vince-Whirlwind are right and the release JG924A-CMW520-R1105 note "Modified features include: An ACL can be applied to multiple ports or VLANs" is a fake.

 

0 Kudos
Vince-Whirlwind
Honored Contributor

тАО05-14-2018 08:19 PM

тАО05-14-2018 08:19 PM

Re: HP 1920 Switch VLAN acl/qos

I didn't know they had released upgraded firmware that supposedly allowed this. Did you install the full package?

0 Kudos
lucaliga
Visitor

тАО05-15-2018 02:36 AM

тАО05-15-2018 02:36 AM

Re: HP 1920 Switch VLAN acl/qos

"Did you install the full package?" I made the normal firmware upgrade to 1920-24G-JG924A_5.20.R1119

0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.