HPE Community
LAN Routing
1820581 Members
1808 Online
109626 Solutions
New Discussion

Re: HP 2920 Inter VLAN Routing

 
SOLVED
Go to solution
dave_fluffy
Occasional Advisor

‎07-29-2015 04:05 AM

‎07-29-2015 04:05 AM

HP 2920 Inter VLAN Routing

Afternoon All

 

Been looking for an answer for this all week and reading loads of forum posts but cannot figure this out. Im sure its an easy fix for this community !

 

So I have a HP Switch 2920 J9729A that is going into a managed service office. The idea is to split into VLANS with own subnets so clients can talk to the router and shared devices (copiers) on VLAN1 but then cannot see each others companies on their VLAN.

 

So I have a draytek router on port 1, 172.16.1.254 (vlan1) and VLAN2 (172.17.1.0/16) VLAN3 (172.18.1.0/16)

 

So I got that part working ok with my current config (attached). When I put devices into relevant ports PC in port 8 and PC in port 13 they get their respective IP's ok .. but they can communicte with each other (which is not what I want!)

 

So I looked into setting up a ACL, which I can do ok, but I cannot apply the ACL to a VLAN.

 

Am I going about this the right way ?

0 Kudos
13 REPLIES 13
ZewaZebra1
Occasional Advisor

‎07-29-2015 06:19 AM

‎07-29-2015 06:19 AM

Re: HP 2920 Inter VLAN Routing

Same problem, I really hope someone can help here.. I have been searching for quite along time now.

0 Kudos
Pete W
Valued Contributor

‎07-29-2015 03:02 PM - edited ‎07-29-2015 03:46 PM

‎07-29-2015 03:02 PM - edited ‎07-29-2015 03:46 PM

Re: HP 2920 Inter VLAN Routing

Dave,

 

Firstly - the subnet masks in your DHCP scopes are /24s, however the VLAN interface that they are applied to are /16s. This would not break your network as it stands - but worth fixing anyway.

 

In answer to your query, the 2920 does NOT offer RACLS (routed ACLs), however it does offer VACLs (VLAN ACLS) and PACLS (Port ACLs). You could probably get the results that you need by applying a carefully written VACL, however the ACL would then be applied to every ingress frame on that VLAN on the switch, regardless of it's destination -  and that includes intra-VLAN traffic.

 

The configuration guide which documents the VACLs is the "Access Security Guide" which can be found at  http://h20628.www2.hp.com/km-ext/kmcsdirect/emr_na-c04490669-3.pdf

ACL configuration starts on page 230, and VACL configuration is on page 231.

 

Regards,

 

Pete

dave_fluffy
Occasional Advisor

‎07-30-2015 12:07 AM

‎07-30-2015 12:07 AM

Re: HP 2920 Inter VLAN Routing

Ok, really sorry but not making much sense of this document.

 

I can see command

 

vlan <vid> ip access-group <identifier> vlan

 

But not sure how apply that .. please help !

 

0 Kudos
dave_fluffy
Occasional Advisor

‎07-30-2015 12:42 AM

‎07-30-2015 12:42 AM

Re: HP 2920 Inter VLAN Routing

I found this,

 

http://vmfocus.com/2012/10/14/how-to-configure-access-lists-route-between-vlans-on-hp-v1910-24g/

 

but from my Web interface looks totally different, I dont get any of the options...

0 Kudos
dave_fluffy
Occasional Advisor

‎07-31-2015 02:29 AM

‎07-31-2015 02:29 AM

Re: HP 2920 Inter VLAN Routing

HI All

 

Im kind of 90% of the way there now .. when PCs are on VLAN2 or VLAN3 they cannot ping each other but they cannot reach the default GW. Im pretty sure its a DrayTek config issue. Any dieas ?

 

Please help !

 

0 Kudos
Vince-Whirlwind
Honored Contributor

‎08-02-2015 06:04 PM

‎08-02-2015 06:04 PM

Re: HP 2920 Inter VLAN Routing

so maybe just add in something like:

 

ip access-list standard Vlan2

   deny 172.18.0.0 0.0.255.255

   permit 0.0.0.0 255.255.255.255

 

ip access-list standard Vlan3

   deny 172.17.0.0 0.0.255.255

   permit 0.0.0.0 255.255.255.255

 

vlan 2
   ip access-group Vlan2 in

 

vlan 3
   ip access-group Vlan3 in

0 Kudos
Vince-Whirlwind
Honored Contributor

‎08-02-2015 06:11 PM

‎08-02-2015 06:11 PM

Re: HP 2920 Inter VLAN Routing

Oops, I only read your first post.

I can see your config has moved on a bit - but the "router" option you are handing in in both your DHCP scopes is an address that doesn't even belong to the scope's subnet.

That explains why nothing can communicate outside its own subnet.

0 Kudos
Vince-Whirlwind
Honored Contributor

‎08-02-2015 06:13 PM

‎08-02-2015 06:13 PM

Solution

Re: HP 2920 Inter VLAN Routing

ip access-list standard Vlan2
   deny 172.16.3.0 0.0.0.255
   permit 0.0.0.0 255.255.255.255

ip access-list standard Vlan3
deny 172.16.2.0 0.0.0.255
permit 0.0.0.0 255.255.255.255

vlan 2
ip access-group Vlan2 in

vlan 3
ip access-group Vlan3 in

0 Kudos
dave_fluffy
Occasional Advisor

‎08-02-2015 11:53 PM

‎08-02-2015 11:53 PM

Re: HP 2920 Inter VLAN Routing

Thanks for the Reply

 

I managed to get this working, you are correct about the Default Gateway on the subnet, but i found this switch cannot apply a access-list to a vlan so had to do it per port which is a pain, but when done right works really well.

 

If anyone wants the config let me know, happy to share

0 Kudos
Pete W
Valued Contributor

‎08-03-2015 08:25 AM - edited ‎08-03-2015 08:44 AM

‎08-03-2015 08:25 AM - edited ‎08-03-2015 08:44 AM

Re: HP 2920 Inter VLAN Routing

To avoid having to put the ACL on every interface (PACL), you could put it on the VLAN something like this:

 

ip access-list extended Vlan2_ACL

   permit ip any 172.16.2.0 0.0.0.255

   deny ip any 172.16.0.0 0.15.255.255

   permit ip 0.0.0.0 255.255.255.255

 

ip access-list extended Vlan3_ACL

   permit ip any 172.16.3.0 0.0.0.255

   deny ip any 172.16.0.0 0.15.255.255

   permit ip any any

 

vlan 2
ip access-group Vlan2_ACL vlan

vlan 3
ip access-group Vlan3_ACL vlan

 

Pete

0 Kudos
Little_Love
Occasional Visitor

‎08-07-2015 10:03 AM

‎08-07-2015 10:03 AM

Re: HP 2920 Inter VLAN Routing

How did you make it work?

0 Kudos
dave_fluffy
Occasional Advisor

‎08-10-2015 03:08 AM

‎08-10-2015 03:08 AM

Re: HP 2920 Inter VLAN Routing

PM me, and ill email you the config

0 Kudos
rahulsinhaniya
Occasional Visitor

‎05-08-2018 07:09 AM

‎05-08-2018 07:09 AM

Re: HP 2920 Inter VLAN Routing

Could you please share the config with us ? I am having the same problem

0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.