Instant On - Wired

  • 1.  Configuring ACLs on 1930

    Posted 10-21-2020 07:23 AM

    Hi,

    I'm pretty new to ACLs and so far I am not making much headway setting them up on this switch. Initially, I just want an ACL (standard, not extended) that restricts my guest VLAN from accessing anything (via any protocol) but the Internet. Any clues how to do this?

    I found a tutorial online (link below) for the 2930M, but the 1930 doesn't have a CLI. Otherwise I have found nothing to help in configuring the 1930, and unfortunately, the 1930 Management and Configuration guide is not much more than 'buttonology'.

    https://www.networktasks.co.uk/environments/hp/provision/access-lists-on-hpe-aruba-switch 



  • 2.  RE: Configuring ACLs on 1930

    Posted 10-21-2020 09:13 AM

    OK, in case anyone else is interested, using the 1930's web GUI I have managed to replicate the first part of the tutorial.

    [screenshot attached: ACLs.PNG]




  • 3.  RE: Configuring ACLs on 1930

    Posted 10-24-2020 06:11 AM

    OK, well that didn't work quite as expected. As my Guests need to obtain an IP via DHCP, the final rule does not allow them to talk to the DHCP server as there is no match (they don't yet have an IP on the 172.16.81.0 network). However, an 'Any, Any' rule does allow this as there is no IP matching.

    [screenshot attached: ACLs - 2.PNG]

    So, more learning to do as yet, but making some progress.



  • 4.  RE: Configuring ACLs on 1930

    Posted 12-15-2020 12:40 PM

    Hopefully others are interested in this - I now have managed to get this working, although my config is a little odd because of the DHCP Relay bug.

    Guest ACL code:

    ip access-list extended Guest-ACL
    permit udp any bootpc any bootps ace-priority 5
    permit udp 172.16.81.0 0.0.0.15 any 192.168.11.49 0.0.0.0 domain ace-priority 10
    permit udp 172.16.81.0 0.0.0.15 any 192.168.11.50 0.0.0.0 domain ace-priority 11
    permit tcp 172.16.81.0 0.0.0.15 any 192.168.11.49 0.0.0.0 domain ace-priority 15
    permit tcp 172.16.81.0 0.0.0.15 any 192.168.11.50 0.0.0.0 domain ace-priority 16
    permit udp 172.16.81.0 0.0.0.15 any 172.16.31.3 0.0.0.0 domain ace-priority 20
    permit tcp 172.16.81.0 0.0.0.15 any 172.16.31.3 0.0.0.0 domain ace-priority 25
    permit icmp 172.16.81.0 0.0.0.15 192.168.11.49 0.0.0.0 any any ace-priority 30
    permit icmp 172.16.81.0 0.0.0.15 192.168.11.50 0.0.0.0 any any ace-priority 31
    permit icmp 172.16.81.0 0.0.0.15 172.16.31.3 0.0.0.0 any any ace-priority 35
    permit ip 172.16.81.0 0.0.0.15 172.16.81.0 0.0.0.15 ace-priority 40
    deny ip 172.16.81.0 0.0.0.15 10.0.0.0 0.255.255.255 ace-priority 55 log-input
    deny ip 172.16.81.0 0.0.0.15 172.16.0.0 0.15.255.255 ace-priority 60 log-input
    deny ip 172.16.81.0 0.0.0.15 192.168.0.0 0.0.255.255 ace-priority 65 log-input
    permit ip 172.16.81.0 0.0.0.15 0.0.0.0 255.255.255.255 ace-priority 100
    exit

    ------------------------------
    Colin Fieldgate
    ------------------------------



  • 5.  RE: Configuring ACLs on 1930

    Posted 12-23-2020 11:11 AM

    An updated ACL now that the fix for the DHCP Relay bug means I can move my Win 2016 server to the 1930:

    ip access-list extended Guest-ACL
    permit udp any bootpc any bootps ace-priority 1
    permit udp 172.16.81.0 0.0.0.15 any 172.16.31.3 0.0.0.0 domain ace-priority 20
    permit tcp 172.16.81.0 0.0.0.15 any 172.16.31.3 0.0.0.0 domain ace-priority 25
    permit icmp 172.16.81.0 0.0.0.15 172.16.31.3 0.0.0.0 any any ace-priority 35
    permit ip 172.16.81.0 0.0.0.15 172.16.81.0 0.0.0.15 ace-priority 40
    deny ip 172.16.81.0 0.0.0.15 10.0.0.0 0.255.255.255 ace-priority 55 log-input
    deny ip 172.16.81.0 0.0.0.15 172.16.0.0 0.15.255.255 ace-priority 60 log-input
    deny ip 172.16.81.0 0.0.0.15 192.168.0.0 0.0.255.255 ace-priority 65 log-input
    permit ip 172.16.81.0 0.0.0.15 0.0.0.0 255.255.255.255 ace-priority 100
    exit



    ------------------------------
    Colin Fieldgate
    ------------------------------
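As an added illustration (not the poster's configuration and not any Aruba tool), the Python below parses the updated Guest-ACL from reply 5 into priority-ordered ACEs and evaluates constructed sample packets against it. It reproduces the point from reply 3: a DHCP client sourcing from 0.0.0.0 matches none of the 172.16.81.0 entries, so without the bootpc/bootps ACE it falls to the implicit deny. Port names, packet values and the parser's field order are assumptions based on the lines as posted.

```python
import ipaddress
from typing import NamedTuple
# Constructed copy of the updated Guest-ACL posted above (wildcard-mask syntax).
GUEST_ACL = """\
permit udp any bootpc any bootps ace-priority 1
permit udp 172.16.81.0 0.0.0.15 any 172.16.31.3 0.0.0.0 domain ace-priority 20
permit tcp 172.16.81.0 0.0.0.15 any 172.16.31.3 0.0.0.0 domain ace-priority 25
permit icmp 172.16.81.0 0.0.0.15 172.16.31.3 0.0.0.0 any any ace-priority 35
permit ip 172.16.81.0 0.0.0.15 172.16.81.0 0.0.0.15 ace-priority 40
deny ip 172.16.81.0 0.0.0.15 10.0.0.0 0.255.255.255 ace-priority 55 log-input
deny ip 172.16.81.0 0.0.0.15 172.16.0.0 0.15.255.255 ace-priority 60 log-input
deny ip 172.16.81.0 0.0.0.15 192.168.0.0 0.0.255.255 ace-priority 65 log-input
permit ip 172.16.81.0 0.0.0.15 0.0.0.0 255.255.255.255 ace-priority 100
"""
PORTS = {"bootps": 67, "bootpc": 68, "domain": 53}  # named ports used in the ACL (assumed mapping)
Packet = NamedTuple("Packet", [("proto", str), ("src", str), ("sport", int), ("dst", str), ("dport", int)])
_ip = lambda s: int(ipaddress.IPv4Address(s))

def _addr(tok, i):
    """'any' or 'network wildcard' at tok[i] -> ((net, wild), next index)."""
    return ((0, 0xFFFFFFFF), i + 1) if tok[i] == "any" else ((_ip(tok[i]), _ip(tok[i + 1])), i + 2)

def _port(tok, i):
    """Mandatory tcp/udp port field: 'any' (None) or a named port -> (port, next index)."""
    return (None, i + 1) if tok[i] == "any" else (PORTS[tok[i]], i + 1)

def parse_acl(text):
    """Return ACEs as (priority, action, proto, src, sport, dst, dport), lowest priority first."""
    aces = []
    for line in text.splitlines():
        tok = line.split()
        pri, proto = int(tok[tok.index("ace-priority") + 1]), tok[1]
        l4 = proto in ("tcp", "udp")
        src, i = _addr(tok, 2)
        sport, i = _port(tok, i) if l4 else (None, i)
        dst, i = _addr(tok, i)
        dport, i = _port(tok, i) if l4 else (None, i)  # icmp type/code and log-input are ignored
        aces.append((pri, tok[0], proto, src, sport, dst, dport))
    return sorted(aces, key=lambda a: a[0])

def _match(addr, ip):
    return (_ip(ip) | addr[1]) == (addr[0] | addr[1])  # wildcard bits set = "don't care"

def evaluate(aces, pkt):
    """First matching ACE wins; no match falls to the implicit deny -> ('deny', None)."""
    for pri, action, proto, src, sport, dst, dport in aces:
        if (proto in ("ip", pkt.proto) and _match(src, pkt.src) and _match(dst, pkt.dst)
                and sport in (None, pkt.sport) and dport in (None, pkt.dport)):
            return action, pri
    return "deny", None
```

Evaluating `Packet("udp", "0.0.0.0", 68, "255.255.255.255", 67)` against the full list returns the priority-1 permit, while the same packet against the list with that ACE removed returns the implicit deny.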