
HPE 1920s ACL configuration

 
GG4
Occasional Collector


Hi,

On my 1920s I configured 2 untagged vLans (1,2)

I need a device on vLan 2 (switch port 21) to be able to communicate with a printer I have on vLan 1 (switch port 4)

I tried to configure an ACL using Web UI (QoS -> Access Control Lists) without success.

Could you explain how to do it properly? Thanks.

1 REPLY 1
parnassus
Honored Contributor

Re: HPE 1920s ACL configuration

Your request requires a clarification first: do you need ONLY that device (on VLAN 2) to be able to connect to ONLY that printer (on VLAN 1), or do you just need - at least initially - any device on VLAN 2 to be able to connect to any device on VLAN 1 (and vice versa)?

If you can live with the latter approach (at least initially), you just need to have VLAN 1 and VLAN 2 routed, and this normally happens (without any ACLs to be configured) by assigning each VLAN interface an IP address (thus creating an SVI on each VLAN).

Example:

VLAN 100 -> IP Address 10.0.100.254 Mask 255.255.255.0 -> Subnet 10.0.100.0/24 <- devices on access ports untagged on VLAN 100 should stay within the 10.0.100.0/24 network and use the 10.0.100.254 as their default gateway.

VLAN 200 -> IP Address 10.0.200.254 Mask 255.255.255.0 -> Subnet 10.0.200.0/24 <- devices on access ports untagged on VLAN 200 should stay within the 10.0.200.0/24 network and use the 10.0.200.254 as their default gateway.

That way any device on VLAN 100 will be able to connect to any device on VLAN 200 and vice-versa...routing is going to happen at Switch level (indeed VLAN 100 SVI and VLAN 200 SVI are the default gateways for their devices).

ACLs can be applied afterwards to segregate traffic between those two VLANs.

The former approach will require you to do the same BUT to apply required ACLs to segregate the segmented traffic immediately (if you can live with the fact traffic is just initially segmented only).

Clearly both the above approaches are valid (ACL on the switch or not) if we suppose that the Switch could be the IPv4 Router for those two VLANs. Could it in your present scenario?

Edit: it's worth noting that I don't consider the case where your VLANs are actually already routed by a third-party IPv4 router (it's totally possible and reasonable, it depends on your specific scenario)...in that case it's up to your actual IPv4 router to route those VLANs and to apply ACLs against them.


I'm not an HPE Employee
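
A small model of the "only that device to only that printer" restriction discussed in the reply, as an added example that is not part of the original thread and is not HPE configuration syntax. The host and printer addresses are constructed inside the reply's example subnets, and the model assumes first-match evaluation, an implicit deny at the end of each list, and stateless filtering, so the return direction needs its own permit rule.

```python
from ipaddress import ip_address, ip_network

# Constructed addresses inside the reply's example subnets (not from the thread).
VLAN100 = ip_network("10.0.100.0/24")   # printer side
VLAN200 = ip_network("10.0.200.0/24")   # device side
PRINTER = ip_network("10.0.100.50/32")
DEVICE = ip_network("10.0.200.21/32")
ANY = ip_network("0.0.0.0/0")

# Each rule: (action, source network, destination network), checked top-down.
ACL_IN_VLAN200 = [
    ("permit", DEVICE, PRINTER),    # the one allowed flow
    ("deny", VLAN200, VLAN100),     # everything else towards VLAN 100
    ("permit", ANY, ANY),           # keep non-VLAN-100 traffic working
]
ACL_IN_VLAN100 = [
    ("permit", PRINTER, DEVICE),    # replies: the filter is assumed stateless
    ("deny", VLAN100, VLAN200),
    ("permit", ANY, ANY),
]

def evaluate(acl, src, dst):
    """Return the action of the first matching rule, else the implicit deny."""
    s, d = ip_address(src), ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in src_net and d in dst_net:
            return action
    return "deny"  # assumed implicit deny at the end of the list

def ingress_acl(src):
    """Pick the ACL bound inbound on the VLAN the packet enters from."""
    return ACL_IN_VLAN200 if ip_address(src) in VLAN200 else ACL_IN_VLAN100

def can_talk(a, b):
    """Two-way check: request a->b and reply b->a must both be permitted."""
    return (evaluate(ingress_acl(a), a, b) == "permit"
            and evaluate(ingress_acl(b), b, a) == "permit")

if __name__ == "__main__":
    for a, b in [("10.0.200.21", "10.0.100.50"),   # device -> printer
                 ("10.0.200.22", "10.0.100.50"),   # other VLAN 200 host
                 ("10.0.200.21", "10.0.100.60")]:  # device -> other host
        print(a, "->", b, can_talk(a, b))
```

Dropping the first rule of `ACL_IN_VLAN100` shows the common failure: the request reaches the printer, but its replies hit the deny rule and the connection never completes.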