HPE Community
HPE Aruba Networking & ProVision-based
1832509 Members
4559 Online
110043 Solutions
New Discussion

Procurve 2920-24G doesn't support outbound ACLs?

 
Darryl Ackernecht
Occasional Contributor

‎05-28-2020 09:30 PM - edited ‎05-28-2020 09:34 PM

‎05-28-2020 09:30 PM - edited ‎05-28-2020 09:34 PM

Procurve 2920-24G doesn't support outbound ACLs?

I've gone through the command references for multiple versions of WB.16.x, and there's no mention of this not being supported.

Yet on my 2920Gs:
On a VLAN - can only do an ip access-group xyz vlan-in
On an interface - can only do an ip access-group xyz in

No out availabe.  I've tried WB.16.03.0003, WB.16.03.0007, WB.16.10.0007.  Funny enough, on WB.15.18.0006 out does appear for VLAN.

Switch01(vlan-5)# ip access-group test
vlan-in Apply the IPv4 ACL for bridged and routed inbound packets on this VLAN.

Is this really true?  I can only do inbound ACL on a 2920?

 

1 person had this problem.
0 Kudos
4 REPLIES 4
akg7
HPE Pro

‎06-01-2020 06:00 PM

‎06-01-2020 06:00 PM

Re: Procurve 2920-24G doesn't support outbound ACLs?

Hi,

Can you please check below document if it is useful for you, if not then can you please share the device product number which starts from 'JXXXXX'

https://h20628.www2.hp.com/km-ext/kmcsdirect/emr_na-a00055680en_us-2.pdf

 

Thanks!

Note: While I am an HPE Employee, all of my comments (whether noted or not), are my own and are not any official representation of the companyAccept or Kudo
0 Kudos
VEC-Solutions
Advisor

‎06-01-2020 10:26 PM - edited ‎06-01-2020 10:27 PM

‎06-01-2020 10:26 PM - edited ‎06-01-2020 10:27 PM

Re: Procurve 2920-24G doesn't support outbound ACLs?

Curious about this as well. I have a 2920 48g and it seemed silly that I had to apply inbound ACL to 6 VLANs when all I was trying to do was block outbound traffic from 1 VLAN to the rest of them. Would have loved a vlan-out function on the ACL VLAN application.

0 Kudos
VEC-Solutions
Advisor

‎06-02-2020 05:32 PM

‎06-02-2020 05:32 PM

Re: Procurve 2920-24G doesn't support outbound ACLs?

Wanted to add this...this is from 16.10 Security guide for 2920 which I was hoping was going to let me use "vlan-out" function for VACLs.....not to mention this "shared" function........Am I missing something? Seems like this is supposed to be implemented but not?

https://psnow.ext.hpe.com/doc/a00061587en_us

IPv4 access-group (VACL)
Allows for the configuration of an IPv4 ACL on a vlan to be shared. VACLs are applied from vlan context.
Syntax
ip access-group ACL-ID in|out|vlan-in|vlan-out|connection-rate-filter shared
no ip access-group ACL-ID in|out|vlan-in|vlan-out|connection-rate-filter shared
Description
Apply the specified IPv4 ACL on this VLAN interface. When ACLs are shared, hardware resource usage is
optimized where possible.
Parameter
shared
Apply the IPv4 ACL so as to share hardware resources.
Restrictions
Per-application statistics will not be available when ACLs are applied as shared.
ip access-group my-acl out shared
switch(config)# vlan 1
switch(vlan-1)# ip access-group my-acl vlan-out shared
switch(vlan-1)# ip access-group my-acl out shared

0 Kudos
akg7
HPE Pro

‎06-10-2020 09:03 AM

‎06-10-2020 09:03 AM

Re: Procurve 2920-24G doesn't support outbound ACLs?

Hi,

This seems a chip limitation. Can you share product number of the device starts with 'JXXXXXX'.

The ArubaOS-Switch 16.07/16.08  guides applies to this product line J9726A, J9727A, J9728A, J9729A, J9836A.

Thanks!

Note: While I am an HPE Employee, all of my comments (whether noted or not), are my own and are not any official representation of the companyAccept or Kudo
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.