Wildcard with macadress switch 1920

sbromulo
Occasional Contributor

Wildcard with macadress switch 1920

Hi everyone, good morning (at least here in Brazil).

So, I recently purchased an HP Switch 1920 (JG925A) and I am trying to do an ACL between all my network and my server. My need is to block all MAC addresses from accessing my server, and only some computers will get access to my server. In summary: block all (with a MAC address ACL) and release some (also with a MAC address ACL).

The firmware of the switch was updated to the last version (2017).

I do not find any document with the right procedure and/or the right MAC address wildcard schema to reach my goal.

Thanks for the help.

3 REPLIES
rajkumar787
Advisor

Re: Wildcard with macadress switch 1920

Hi,

You may refer to 'Configuring MAC Authentication' in the user guide below.

https://support.hpe.com/hpsc/doc/public/display?sp4ts.oid=8498821&docLocale=en_US&docId=emr_na-c04463799

sbromulo
Occasional Contributor

Re: Wildcard with macadress switch 1920

No, I don't want to do the feature "MAC authentication". I want to do a layer 2 ACL blocking all MAC addresses and permitting only some MACs... look at the picture, this screen is intended to create a layer 2 ACL with MAC addresses. There are 2 fields: one for the MAC address and right after it one for the mask. Which options do I have in the mask field? The mask FFFF-FFFF-FFFF is for the exact MAC address... but if I wish to block all MAC addresses? Which mask do I have to use? And not only this page is necessary to make the ACL work, there are 4 other configurations to do, like classifier, behavior, QoS policy and finally port policy. In 2 of them I need to specify "drop" or "permit", it's ambiguous... makes no sense.

1920.PNG

sbromulo
Occasional Contributor

Re: Wildcard with macadress switch 1920

I found the solution to block all MACs and permit only the authorized MACs.

1- Create a time range during which the rules are active, according to your needs.

000.PNG

2- Create 2 ACLs, one to permit the MACs (with a lower ACL number) and another to block all MACs (with a higher ACL number). In my environment, I created ACL 4000 to permit the MACs and ACL 4999, which is intended to block all other MACs. Obviously, ACL 4000 needs to be the "permit" type and ACL 4999 the "deny" type. FFFF-FFFF-FFFF is the mask that identifies the exact MAC address; in other words, only the MAC you enter will be authorized on the switch. On ACL 4999, the source and destination MAC can be 0 in each field. Do not forget to enter the time range in each ACL.

001.PNG 002.PNG

3- Create two classifiers, like below, one for ACL 4000 and another for ACL 4999.

003.PNG 004.PNG

4- Create two behaviors, one for ACL 4000 and another for ACL 4999. The first behavior must have the option PERMIT and the second will be DENY.

005.PNG 006.PNG

5- Link the behaviors and the classifiers in only one "QoS Policy", like below (the name of the policy is for easier identification when applying it to the ports of the switch; "only one policy" is because each port of the switch permits only one policy at a time):

007.PNG

6- Apply the policy to the port according to your needs (mine is 19).

008.PNG

That's it. My switch is running with the 1120 firmware.
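The following is an added example, not code from the forum thread or from HPE, that models the mask semantics the solution relies on: in the ACL form, a mask bit set to 1 means "this bit of the frame's source MAC must equal the rule's MAC", so FFFF-FFFF-FFFF matches one exact address and 0000-0000-0000 matches every address. It also reproduces the ordering in the accepted answer (the lower-numbered permit ACL 4000 is checked before the catch-all deny ACL 4999) and generalises to partial masks such as an OUI-only match, which the thread does not show. The ACL numbers are the ones from the post; the MAC addresses and the `evaluate` helper are constructed for illustration and are not switch output.

```python
import re

# Constructed rule set mirroring the thread's layout: ACL 4000 (permit, exact
# match on the authorised MACs) is evaluated before ACL 4999 (deny everything).
# The MAC addresses below are made-up sample values, not from the forum post.
ACLS = [
    {"number": 4000, "action": "permit", "rules": [
        ("0011-2233-4455", "FFFF-FFFF-FFFF"),   # exact match: every bit compared
        ("0011-2233-4466", "FFFF-FFFF-FFFF"),
    ]},
    {"number": 4999, "action": "deny", "rules": [
        ("0000-0000-0000", "0000-0000-0000"),   # no bit compared: matches all
    ]},
]


def mac_to_int(mac):
    """Parse a MAC in HH-HH-HH-HH-HH-HH, HH:HH:... or Comware HHHH-HHHH-HHHH form."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return int(digits, 16)


def mac_matches(candidate, rule_mac, rule_mask):
    """True when candidate agrees with rule_mac on every bit set in rule_mask."""
    mask = mac_to_int(rule_mask)
    return (mac_to_int(candidate) & mask) == (mac_to_int(rule_mac) & mask)


def evaluate(src_mac, acls=ACLS):
    """Return (action, acl_number) of the first matching rule, lowest ACL first.

    Hypothetical evaluator for illustration; the switch applies this logic
    through the classifier/behavior/QoS policy bound to the port.
    """
    for acl in sorted(acls, key=lambda a: a["number"]):
        for rule_mac, rule_mask in acl["rules"]:
            if mac_matches(src_mac, rule_mac, rule_mask):
                return acl["action"], acl["number"]
    return None, None   # no policy matched: switch default forwarding applies


if __name__ == "__main__":
    for mac in ("0011-2233-4455", "00:11:22:33:44:66", "0011-2233-4477"):
        print(mac, "->", evaluate(mac))
```

Only frames whose source MAC is listed in ACL 4000 reach the "permit" action; everything else falls through to ACL 4999. A partial mask such as FFFF-FF00-0000 compares only the first three bytes, so one rule can admit a whole vendor prefix, which is why exact FFFF-FFFF-FFFF masks are the safer choice when the goal is an explicit allow-list of hosts.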