01-22-2020 01:01 PM
HP1920S How to send all traffic to gateway rules match?
Hello all,
I have an HP1920S switch with 11 VLANs: 10 for regular hosts like PCs, printers and such, and the eleventh VLAN is a transit VLAN linked to my gateway (pfSense) with a last-resort route. All of my VLAN hosts have a specific default gateway (say 10.10.X.1, where X is the VLAN number). All of them have access to my pfSense within the transit VLAN.
My problem is that I cannot make all my traffic go up to my pfSense and, if it has the matching rule there, return to the L3 switch. Since the VLANs have their own default gateway, all VLANs in the 1920S are reachable (the traffic does not leave the switch).
Any ideas how to achieve this?
Thanks
Rafael
01-26-2020 09:18 AM
Re: HP1920S How to send all traffic to gateway rules match?
Hello Rafael,
Can you please share your config example and topology with current and expected traffic flow?
I work for HPE

01-27-2020 05:00 AM
Re: HP1920S How to send all traffic to gateway rules match?
Greetings jmpk and thanks for the reply.
What I want is to send all traffic (internal and external) to my pfSense firewall (192.20.255.254/30), which is linked to my HP1920S (VLAN255, p23, 192.20.255.253/30). Nowadays, my config allows all traffic to be sent to pfSense as a last-resort route within VLAN255 (tagged), and the internal traffic (other VLANs) is treated within the switch ACL rules.
I'm wondering whether, instead of having firewall rules on pfSense and another bunch of ACL rules on the HP1920S to deny some traffic, such as ICMP, a few TCP and UDP packets and some well-known application ports (21, 22, 23, 80, ...), I could have those deny rules on pfSense only. I think the way to achieve this is to forward all my traffic to pfSense acting as a STP, but if this is the case, I don't know what the HP1920S configs are to achieve this.
Below follows my actual config. Please disregard the ACL rules created; they were created because I've been struggling with this for a long time now.
!System Description "HPE OfficeConnect Switch 1920S 24G 2SFP JL381A, PD.02.12, Linux 3.6.5-375bd0e8, U-Boot 2012.10-00118-g3773021 (Oct 11 2016 - 15:39:54)"
!System Software Version "PD.02.12"
!System Up Time "2 days 17 hrs 58 mins 11 secs"
!Additional Packages HPE QOS,HPE IPv6 Management,HPE Routing
!Current SNTP Synchronized Time: SNTP Client Mode Is Disabled
!
network protocol none
network parms 192.10.0.2 255.255.255.0 0.0.0.0
vlan database
vlan 10-24,255
vlan name 10 "VLAN-ORCAMENTO"
vlan name 11 "VLAN-GERENCIA"
vlan name 12 "VLAN-DIRETORIA"
vlan name 13 "VLAN-RH"
vlan name 14 "VLAN-CONTASAPAGAR"
vlan name 15 "VLAN-TI"
vlan name 16 "VLAN-COMPRAS"
vlan name 17 "VLAN-ENGENHARIA"
vlan name 18 "VLAN-RECEPCAO"
vlan name 19 "VLAN-BANCO"
vlan name 20 "VLAN-RECURSOS"
vlan name 21 "VLAN-VOIP"
vlan name 22 "VLAN-WIFI"
vlan name 23 "VLAN-MANAGEMENT"
vlan name 24 "VLAN-CAM"
vlan name 255 "VLAN-ISP"
vlan routing 15 1
vlan routing 255 2
vlan routing 22 3
vlan routing 20 4
vlan routing 10 5
vlan routing 11 6
vlan routing 12 7
vlan routing 13 8
vlan routing 14 9
vlan routing 16 10
vlan routing 17 11
vlan routing 18 12
vlan routing 19 13
vlan routing 21 14
vlan routing 23 15
exit
no username guest
line console
exit
line telnet
exit
line ssh
exit
snmp-server sysname "HPE OfficeConnect L3"
!
ip access-list BlockAll-VLAN
deny icmp host 192.20.255.254 any icmp-message echo
permit icmp any host 192.20.255.254 icmp-message echo-reply
permit tcp any range 0 65535 host 192.20.255.254 flag established
permit tcp host 192.20.255.254 range 0 65535 any flag +fin +syn +rst +psh +ack +urg
deny ip any any
exit
ip access-group BlockAll-VLAN vlan 10 in 1
ip access-group BlockAll-VLAN vlan 11 in 1
ip access-group BlockAll-VLAN vlan 12 in 1
ip access-group BlockAll-VLAN vlan 13 in 1
ip access-group BlockAll-VLAN vlan 14 in 1
ip access-group BlockAll-VLAN vlan 15 in 1
ip access-group BlockAll-VLAN vlan 16 in 1
ip access-group BlockAll-VLAN vlan 17 in 1
ip access-group BlockAll-VLAN vlan 18 in 1
ip access-group BlockAll-VLAN vlan 19 in 1
ip access-group BlockAll-VLAN vlan 20 in 1
set igmp
keepalive
interface 1
bandwidth 100000
set igmp mrouter interface
set igmp mrouter 255
vlan pvid 24
vlan participation exclude 1
vlan participation include 24
ip mtu 1500
no isdp enable
exit
interface 2
vlan pvid 13
vlan participation exclude 1
vlan participation include 13
no isdp enable
exit
interface 3
vlan pvid 12
vlan participation exclude 1,15
vlan participation include 12
no isdp enable
exit
interface 4
vlan pvid 12
vlan participation exclude 1
vlan participation include 12
no isdp enable
exit
interface 5
vlan pvid 19
vlan participation exclude 1
vlan participation include 19
no isdp enable
exit
interface 6
vlan pvid 10
vlan participation exclude 1
vlan participation include 10
no isdp enable
exit
interface 7
vlan pvid 16
vlan participation exclude 1
vlan participation include 16
no isdp enable
exit
interface 8
vlan pvid 17
vlan participation exclude 1
vlan participation include 17
no isdp enable
exit
interface 9
vlan pvid 11
vlan participation exclude 1
vlan participation include 11
no isdp enable
exit
interface 10
vlan pvid 14
vlan participation exclude 1,13
vlan participation include 14
no isdp enable
exit
interface 11
no isdp enable
exit
interface 12
vlan pvid 16
vlan participation exclude 1
vlan participation include 16
no isdp enable
exit
interface 13
vlan pvid 18
vlan participation exclude 1
vlan participation include 18
no isdp enable
exit
interface 14
vlan pvid 22
vlan participation exclude 1,23
vlan participation include 22
no isdp enable
exit
interface 15
bandwidth 1000000
vlan pvid 15
vlan participation exclude 1,20,255
vlan participation include 15
ip mtu 1500
no isdp enable
exit
interface 16
bandwidth 1000000
vlan pvid 15
vlan participation exclude 1,10
vlan participation include 15
ip address dhcp
ip mtu 1500
no ip unreachables
no isdp enable
exit
interface 17
vlan pvid 20
vlan participation exclude 1,22-23,255
vlan participation include 20
no isdp enable
exit
interface 18
vlan pvid 10
vlan participation exclude 1
vlan participation include 10
no isdp enable
exit
interface 19
vlan pvid 20
vlan participation exclude 1,10-15,23
vlan participation include 20
no isdp enable
exit
interface 20
vlan pvid 22
vlan participation exclude 1,21,255
vlan participation include 22
no isdp enable
exit
interface 21
vlan pvid 13
vlan participation exclude 1
vlan participation include 13
no isdp enable
exit
interface 22
vlan pvid 20
vlan participation exclude 1
vlan participation include 21
no isdp enable
exit
interface 23
bandwidth 1000000
vlan acceptframe vlanonly
vlan participation exclude 10-24
vlan participation include 255
vlan tagging 255
vlan priority 7
ip mtu 1500
no isdp enable
exit
interface 24
vlan pvid 20
vlan participation exclude 1,10-15,23
vlan participation include 20
no isdp enable
exit
interface 25
no isdp enable
exit
interface 26
no isdp enable
exit
interface TRK 1
port-channel load-balance 1
exit
interface vlan 15
bandwidth 10000
routing
ip address 192.20.15.1 255.255.255.0
ip mtu 1500
no ip unreachables
exit
interface vlan 255
bandwidth 10000
routing
ip address 192.20.255.253 255.255.255.252
ip mtu 1500
no ip unreachables
no ip redirects
exit
interface vlan 22
bandwidth 10000
routing
ip address 192.20.22.1 255.255.255.0
ip mtu 1500
no ip unreachables
exit
interface vlan 20
bandwidth 10000
routing
ip address 192.20.20.1 255.255.255.0
ip mtu 1500
no ip unreachables
exit
interface vlan 10
bandwidth 10000
routing
ip address 192.20.10.1 255.255.255.0
ip mtu 1500
no ip unreachables
exit
interface vlan 11
bandwidth 10000
routing
ip address 192.20.11.1 255.255.255.0
ip mtu 1500
no ip unreachables
exit
interface vlan 12
bandwidth 10000
routing
ip address 192.20.12.1 255.255.255.0
ip mtu 1500
no ip unreachables
exit
interface vlan 13
bandwidth 10000
routing
ip address 192.20.13.1 255.255.255.0
ip mtu 1500
no ip unreachables
exit
interface vlan 14
bandwidth 10000
routing
ip address 192.20.14.1 255.255.255.0
ip mtu 1500
no ip unreachables
exit
interface vlan 16
bandwidth 10000
routing
ip address 192.20.16.1 255.255.255.0
ip mtu 1500
no ip unreachables
exit
interface vlan 17
bandwidth 10000
routing
ip address 192.20.17.1 255.255.255.0
ip mtu 1500
no ip unreachables
exit
interface vlan 18
bandwidth 10000
routing
ip address 192.20.18.1 255.255.255.0
ip mtu 1500
no ip unreachables
exit
interface vlan 19
bandwidth 10000
routing
ip address 192.20.19.1 255.255.255.0
ip mtu 1500
no ip unreachables
exit
interface vlan 21
bandwidth 10000
routing
ip address 192.20.21.1 255.255.255.0
ip mtu 1500
no ip unreachables
exit
interface vlan 23
bandwidth 10000
routing
ip address 192.20.23.1 255.255.255.0
ip mtu 1500
no ip unreachables
exit
ip default-gateway 192.20.255.254
exit
network mgmt_port 11
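To see why traffic stays on the switch and what the posted BlockAll-VLAN ACL does to it, here is an added Python model (not from the post, the switch firmware, or HPE) that replays the switch's routing decision and the five ACL rules against a few constructed flows from a VLAN 10 host. It assumes standard ACL semantics: first match wins, `flag established` matches a segment with ACK or RST set, `+fin +syn ... +urg` requires every listed flag set, and an unmatched packet is denied.

```python
import ipaddress

PFSENSE = "192.20.255.254"
# Routed VLAN interfaces taken from the posted config: 192.20.<vlan>.0/24 for
# VLANs 10-23 plus the /30 transit VLAN 255. VLAN 24 has no SVI.
SVIS = {v: ipaddress.ip_network(f"192.20.{v}.0/24") for v in range(10, 24)}
SVIS[255] = ipaddress.ip_network("192.20.255.252/30")

# The posted ACL BlockAll-VLAN as (action, proto, src, dst, predicate).
# Modelling assumptions (constructed, not vendor code): first match wins,
# "flag established" = ACK or RST set, "+fin ... +urg" = all six flags set.
ESTABLISHED = {"ack", "rst"}
ALL_FLAGS = {"fin", "syn", "rst", "psh", "ack", "urg"}
ACL = [
    ("deny",   "icmp", PFSENSE, "any",   lambda p: p.get("icmp") == "echo"),
    ("permit", "icmp", "any",   PFSENSE, lambda p: p.get("icmp") == "echo-reply"),
    ("permit", "tcp",  "any",   PFSENSE, lambda p: bool(p.get("flags", set()) & ESTABLISHED)),
    ("permit", "tcp",  PFSENSE, "any",   lambda p: p.get("flags", set()) == ALL_FLAGS),
    ("deny",   "ip",   "any",   "any",   lambda p: True),
]


def acl_action(pkt, acl=ACL):
    """Evaluate an inbound VLAN ACL in first-match order; implicit deny at the end."""
    for action, proto, src, dst, pred in acl:
        if proto != "ip" and proto != pkt["proto"]:
            continue
        if src != "any" and src != pkt["src"]:
            continue
        if dst != "any" and dst != pkt["dst"]:
            continue
        if pred(pkt):
            return action
    return "deny"


def next_hop(dst):
    """A connected SVI beats the default route, so inter-VLAN traffic never reaches pfSense."""
    addr = ipaddress.ip_address(dst)
    for vlan, net in SVIS.items():
        if addr in net:
            return f"routed locally via interface vlan {vlan}"
    return f"default route to {PFSENSE}"


def forward(pkt, acl=ACL):
    """Inbound ACL on the source VLAN first (acl=None means no ACL applied), then routing."""
    if acl is not None and acl_action(pkt, acl) == "deny":
        return "dropped by BlockAll-VLAN"
    return next_hop(pkt["dst"])
```

Running `forward` with `acl=None` shows the original problem (a VLAN 10 to VLAN 11 packet is routed on the switch), while with the posted ACL even a new TCP connection toward the Internet is dropped, because `host 192.20.255.254` only matches packets addressed to pfSense itself, not packets merely routed through it.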