02-17-2015 12:56 PM
Configure ACL to allow access to internet
Hi All,
I am hitting my head against a wall on this one. Any help would be very much appreciated.
Configuration
I currently have an HP 2920 switch, and have 2 VLANs configured on this switch.
Vlan 40 and Vlan 60 - They are both used for Guest and Staff wireless access.
I have configured Vlan 40 with an ACL called "Vlan-40-ACL" and I have also configured Vlan 60 with an ACL called "Vlan-60-ACL" - I have applied both the ACLs to the relevant VLANs.
Vlan 40 Address is configured as - 10.19.72.2 255.255.248.0
Vlan 60 Address is configured as - 10.19.88.2 255.255.252.0
Router Default Gateway - 10.18.168.1
DHCP Server - 10.18.168.14
DNS Server - 10.18.168.14
Radius Server 1 - 10.18.168.15
Radius Server 2 - 10.18.168.17
IP Routing is configured on the switch.
From a connectivity point of view I have the switch working the way I want, I just want to lock down each Vlan with an ACL while maintaining access to the router, DHCP, DNS, RADIUS etc. on the default VLAN (vlan 1).
When configuring either ACL with the following commands:
- 10 permit tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 80
- 40 permit tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 443
- 50 permit udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 53
- 60 permit tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 53
I am still unable to connect to the internet from a client via this configuration.
Is anyone able to point me in the right direction? I am smashing my head against a wall on this one.
Switch configuration
hostname "HP-Stack-2920"
trunk 2/19 trk2 trunk
timesync sntp
sntp unicast
sntp server priority 1 10.18.168.13
sntp server priority 2 86.19.119.81
no telnet-server
web-management ssl
ip access-list extended "Vlan-40-ACL"
   exit
ip access-list extended "Vlan-60-ACL"
   exit
ip default-gateway 10.18.168.1
ip route 0.0.0.0 0.0.0.0 10.18.168.1
ip routing
interface 2/19
   name "Internet Out - LightSpeed"
   speed-duplex 100-full
   exit
snmp-server community "public" unrestricted
oobm
   ip address dhcp-bootp
   member 1
      ip address dhcp-bootp
      exit
   member 2
      ip address dhcp-bootp
      exit
   member 3
      ip address dhcp-bootp
      exit
   member 4
      ip address dhcp-bootp
      exit
   exit
vlan 1
   name "DEFAULT_VLAN"
   no untagged 2/23-2/24
   untagged 1/1-1/8,1/10-1/48,1/A1-1/A2,1/B1-1/B2,2/1-2/18,2/20-2/22,2/25-2/48,2/A1-2/A2,2/B1-2/B2,3/1-3/48,3/A1-3/A2,3/B1-3/B2,4/1-4/48,4/A1-4/A2,4/B1-4/B2,Trk2
   tagged 1/9
   ip address 10.18.171.2 255.255.252.0
   exit
vlan 40
   name "Guest BYOD"
   untagged 2/24
   tagged 1/43,2/A2,4/9,4/11,4/13,4/15,4/19,4/26,Trk2
   ip access-group "Vlan-40-ACL" vlan
   ip address 10.19.72.2 255.255.248.0
   ip helper-address 10.18.168.13
   ip helper-address 10.18.168.14
   exit
vlan 60
   name "Staff BYOD"
   untagged 2/23
   tagged 1/43,2/A2,4/9,4/11,4/13,4/15,4/19,4/26,Trk2
   ip access-group "Vlan-60-ACL" vlan
   ip address 10.19.88.2 255.255.252.0
   ip helper-address 10.18.168.13
   ip helper-address 10.18.168.14
   exit
spanning-tree Trk2 priority 4
no autorun
no dhcp config-file-update
no dhcp image-file-update
password manager
Please help!
- Tags:
- ACLs
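The access-list behaviour the post is asking about, as an added example that is not part of the original post and not HP's switch software: a small Python model of a stateless, first-match access list that ends in an implicit deny. It takes the four entries quoted in the post literally (inverse masks where 255.255.255.255 means any host, "eq" on the destination port only) and runs constructed flows from a guest client through them. The client address 10.19.72.50, the documentation address 203.0.113.10 standing in for a public web server, and the flow names are assumptions made for the example; the model says nothing about the direction an ACL is applied in or about how the switch treats traffic addressed to itself. It also covers a list with no entries at all, which is how both named ACLs appear in the running configuration quoted in the post.

```python
"""Stateless first-match ACL evaluator (added example, not the switch's own code).

Entries are tried in sequence-number order, the first match decides, and a
packet that matches nothing hits the implicit deny at the end of the list.
Addresses are compared with inverse (wildcard) masks, so 255.255.255.255
means "any host", as in the posted entries.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Entry:
    seq: int
    action: str                     # "permit" or "deny"
    proto: str                      # "tcp", "udp", "icmp" or "ip" (any)
    src: str
    src_wild: str
    dst: str
    dst_wild: str
    dst_port: Optional[int] = None  # "eq <port>" on the destination, if given


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dst_port: Optional[int] = None


def addr_matches(addr: str, base: str, wildcard: str) -> bool:
    """Inverse-mask match: bits set in the wildcard are 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def entry_matches(e: Entry, p: Packet) -> bool:
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if not addr_matches(p.src, e.src, e.src_wild):
        return False
    if not addr_matches(p.dst, e.dst, e.dst_wild):
        return False
    if e.dst_port is not None and e.dst_port != p.dst_port:
        return False
    return True


def evaluate(acl: List[Entry], p: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, seq) of the first matching entry, or ("deny", None)
    for the implicit deny that ends every list, including an empty one."""
    for e in sorted(acl, key=lambda e: e.seq):
        if entry_matches(e, p):
            return e.action, e.seq
    return "deny", None


ANY = ("0.0.0.0", "255.255.255.255")

# The four entries from the post, exactly as written there.
POSTED_ACL = [
    Entry(10, "permit", "tcp", *ANY, *ANY, 80),
    Entry(40, "permit", "tcp", *ANY, *ANY, 443),
    Entry(50, "permit", "udp", *ANY, *ANY, 53),
    Entry(60, "permit", "tcp", *ANY, *ANY, 53),
]

# Constructed sample flows from a client in VLAN 40 (10.19.72.0/21).
# 10.19.72.50 and 203.0.113.10 are made-up addresses for this example.
SAMPLE_FLOWS = {
    "http":          Packet("tcp", "10.19.72.50", "203.0.113.10", 80),
    "https":         Packet("tcp", "10.19.72.50", "203.0.113.10", 443),
    "dns_udp":       Packet("udp", "10.19.72.50", "10.18.168.14", 53),
    "dns_tcp":       Packet("tcp", "10.19.72.50", "10.18.168.14", 53),
    "dhcp_discover": Packet("udp", "0.0.0.0", "255.255.255.255", 67),
    "ping":          Packet("icmp", "10.19.72.50", "203.0.113.10"),
    "ntp":           Packet("udp", "10.19.72.50", "10.18.168.13", 123),
}


def audit(acl: List[Entry], flows: dict) -> dict:
    """Map each flow name to the (action, seq) the list would give it."""
    return {name: evaluate(acl, p) for name, p in flows.items()}


if __name__ == "__main__":
    for name, (action, seq) in audit(POSTED_ACL, SAMPLE_FLOWS).items():
        where = f"entry {seq}" if seq is not None else "implicit deny"
        print(f"{name:14} {action:6} ({where})")
```

Running the script lists which posted entry each flow lands on. HTTP, HTTPS and DNS are permitted, while the DHCP DISCOVER (UDP to port 67), ICMP and NTP match nothing and fall through to the implicit deny, so a client that has to obtain its address through the helper addresses has no permitted path for that request under these four lines. With an empty list, as both ACLs appear in the quoted configuration, every flow is denied.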
02-17-2015 04:40 PM
Re: Configure ACL to allow access to internet
Not sure what this does,
ip access-group "Vlan-60-ACL" vlan
But personally, I would use,
ip access-group "Vlan-60-ACL" in