How To Configure Access Lists & Route Between VLAN’s On HP v1910 24G

In the previous how-to, we configured layer 3 static routes and VLAN’s on the HP v1910 24G. You will have noticed that all traffic can pass between VLAN’s without any restrictions.  So why is this happening?

Well, the answer is that we have turned on routing by giving an IP address to each VLAN.  This means the HP v1910 uses its own routing table to send traffic from VLAN 1 to VLAN 10.

Let’s test this.  My laptop sits on VLAN 1 with IP address 192.168.37.152, using the HP v1910G as its default gateway on 192.168.37.221.

VLAN 1

I have five VLAN interfaces created, which can be found under Network > VLAN Interface > Summary.

VLAN 2

Behind VLAN 10 is a device with IP address 10.37.10.11, which I can ping.

VLAN 3

Next, I’m going to remove the VLAN interface for VLAN 10.

VLAN 4

Don’t worry, the VLAN is still in play; we have just removed the ability to route between subnets.  Now if we ping the same device we get an epic fail.

VLAN 5

Notice we get a reply from 192.168.37.254, which isn’t a VLAN IP address.  The reason for this is that 192.168.37.254 is the default gateway for our HP v1910G.  The HP v1910G is saying “I haven’t got a clue how to get to 10.37.10.11, so let me send that traffic to my default gateway 192.168.37.254”.

VLAN 6

My firewall, which is on 192.168.37.254, has a static route to 10.37.10.0 255.255.255.0 via 192.168.37.221 (the VLAN 1 interface on the HP v1910G).  When the HP v1910G receives the packet, it drops it, as it has nowhere to send the ICMP request.

So, just to reiterate: when we have a VLAN interface, the HP v1910G will be able to route all traffic between VLAN’s unless we do something about it.

Access Lists

This is where the Access List comes into play.  An Access List specifies what source traffic is allowed to get to what destination.  Think of it as being in a hallway in a house where all the doors are locked.  You then get given a key and you can get from the hallway into the lounge.  The source is the hallway, the destination is the lounge and the key is the Access List.

So before we move any further, I want to give you a brief explanation of what I want to be able to achieve.

My laptop resides on 192.168.37.152/24 on VLAN 1, and I want to be able to connect to my HP StoreVirtual VSA, which is on 10.37.20.1/24 on VLAN 20.

I also have a Windows 7 machine on 10.37.20.211/24 on VLAN 20.

I want to be able to get from my laptop to 10.37.20.1, but I don’t want to let any other traffic through.

Let’s run a ping to both devices.  You can see that I have connectivity to both 10.37.20.1 (HP StoreVirtual VSA) and 10.37.20.221 (Windows 7).

VLAN 7

So let’s create an Access List to do something about this.

Creating An Access List

We need to go to QoS from the left hand menu, then onto ACL IPv4.

Next we want to select Create.

Now we have a choice of Basic ACL’s, Advanced ACL’s and Ethernet Frame Header ACL’s.  OK, what are the differences?

Basic ACL: these only match source IPv4 addresses.

Advanced ACL: these match source and destination IPv4 addresses, and also protocols on different port numbers, e.g. TCP 80.

Ethernet Frame Header ACL: these match source and destination MAC addresses.

With this in mind, we are going to use Advanced ACL’s, as we want to match interesting traffic from source to destination.

In the ACL Number section, type in 3001, set the Match Order to Config and click Apply.

You will see the ACL number appear in the bottom table; notice we have no rules applied against it yet.

Next we want to go onto the Advanced Setup Tab at the top.  We are going to enter the following information:

  • ACL > Select 3001
  • Rule ID > Select and Enter 10
  • Action > Permit
  • Source IP Address > 192.168.37.152
  • Source Wildcard > 0.0.0.0
  • Destination IP Address > 10.37.20.1
  • Destination Wildcard > 0.0.0.0
  • Protocol > IP
  • Click Add

Now when you click on the Summary Tab you should see your rule in place!

VLAN 8

I want to backtrack slightly on some of the entries we made in the Advanced ACL, to make sure you are clear on what we did.

Rule ID: this is the order in which the rules are read.  We entered number 10, so this rule is read first; if you added a rule with ID 9, it would get read before rule ID 10.

Wildcard: this is the reverse of a normal subnet mask, e.g. 255.255.255.0 becomes 0.0.0.255.

TOP TIP: At the end of every Access List there is always a silent deny, which means you don’t see the traffic being dropped, it just happens!
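To make the rule fields above concrete, here is a small Python evaluator I have added as an illustration (my own code, not from the post, HP or the v1910 itself): it converts a subnet mask to a wildcard, applies wildcard matching, tries rules in Config match order with first match winning, and finishes with the silent deny the tip describes. It also parses the rule syntax the switch writes to its config file (the “rule 5 deny ip source … destination …” lines quoted in the comments below) and the “tcp established” keyword used there; treating “established” as “TCP segment with ACK or RST set” is my reading of that keyword, not something the post documents. The hosts, rule sets and packets are constructed for the demo.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    """One advanced ACL rule: action, protocol, source/destination plus wildcard."""
    rule_id: int
    action: str                         # "permit" or "deny"
    protocol: str                       # "ip" (any), "tcp", "udp", "icmp"
    src: str = "0.0.0.0"                # defaults match any source ...
    src_wild: str = "255.255.255.255"
    dst: str = "0.0.0.0"                # ... and any destination
    dst_wild: str = "255.255.255.255"
    established: bool = False           # tcp only: ACK or RST set (assumed semantics)


@dataclass
class Packet:
    src: str
    dst: str
    protocol: str = "ip"
    tcp_flags: frozenset = frozenset()  # e.g. {"SYN"} or {"SYN", "ACK"}


def mask_to_wildcard(mask: str) -> str:
    """Subnet mask -> wildcard: invert each octet, 255.255.255.0 -> 0.0.0.255."""
    return ".".join(str(255 - int(octet)) for octet in mask.split("."))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """A bit set in the wildcard is 'don't care'; every other bit must equal base."""
    if wildcard == "0":                 # the switch config shortens 0.0.0.0 to 0
        wildcard = "0.0.0.0"
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return ((a ^ b) & ~w) == 0


def parse_rule(line: str) -> Rule:
    """Parse a config-file rule line such as
    'rule 5 deny ip source 10.100.4.0 0.0.0.255 destination 10.100.3.0 0.0.0.255'."""
    tok = line.split()
    if len(tok) < 4 or tok[0] != "rule":
        raise ValueError(f"not a rule line: {line!r}")
    rule = Rule(rule_id=int(tok[1]), action=tok[2], protocol=tok[3])
    i = 4
    while i < len(tok):
        if tok[i] == "established":
            rule.established = True
            i += 1
        elif tok[i] == "source":
            rule.src, rule.src_wild = tok[i + 1], tok[i + 2]
            i += 3
        elif tok[i] == "destination":
            rule.dst, rule.dst_wild = tok[i + 1], tok[i + 2]
            i += 3
        else:
            raise ValueError(f"unsupported keyword {tok[i]!r} in {line!r}")
    return rule


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.protocol != "ip" and rule.protocol != pkt.protocol:
        return False
    if rule.established and not (pkt.protocol == "tcp" and pkt.tcp_flags & {"ACK", "RST"}):
        return False
    return (wildcard_match(pkt.src, rule.src, rule.src_wild)
            and wildcard_match(pkt.dst, rule.dst, rule.dst_wild))


def evaluate(rules, pkt: Packet, default: str = "deny"):
    """Config match order: rules are tried by ascending rule ID, first match wins.
    `default` applies when nothing matches; the post calls this the silent deny."""
    for rule in sorted(rules, key=lambda r: r.rule_id):
        if rule_matches(rule, pkt):
            return rule.action, rule.rule_id
    return default, None


# Constructed sample 1: the post's ACL 3001, rule 10 (single-host wildcards 0.0.0.0).
ACL_3001 = [parse_rule(
    "rule 10 permit ip source 192.168.37.152 0.0.0.0 destination 10.37.20.1 0.0.0.0")]


def post_scenario():
    """Laptop -> VSA is permitted by rule 10; laptop -> Windows 7 hits the silent deny."""
    to_vsa = evaluate(ACL_3001, Packet("192.168.37.152", "10.37.20.1", "icmp"))
    to_win7 = evaluate(ACL_3001, Packet("192.168.37.152", "10.37.20.211", "icmp"))
    return to_vsa, to_win7


# Constructed sample 2: a guest/production split in the style of the comments'
# ACL 3000, applied inbound on the guest VLAN (so the guest is always the source).
ACL_3000 = [parse_rule(line) for line in [
    "rule 1 permit tcp established source 10.100.4.0 0.0.0.255 destination 10.100.3.0 0.0.0.255",
    "rule 5 deny ip source 10.100.4.0 0.0.0.255 destination 10.100.3.0 0.0.0.255",
    "rule 10 permit ip",
]]


def established_scenario():
    """Guest-initiated SYN is dropped; the guest's SYN/ACK reply to a connection
    opened from production passes rule 1; other guest traffic reaches 'permit ip'."""
    guest_syn = evaluate(ACL_3000, Packet("10.100.4.20", "10.100.3.10", "tcp", frozenset({"SYN"})))
    guest_reply = evaluate(ACL_3000, Packet("10.100.4.20", "10.100.3.10", "tcp", frozenset({"SYN", "ACK"})))
    guest_elsewhere = evaluate(ACL_3000, Packet("10.100.4.20", "10.100.5.10", "icmp"))
    return guest_syn, guest_reply, guest_elsewhere


if __name__ == "__main__":
    print(mask_to_wildcard("255.255.240.0"), post_scenario(), established_scenario())
```

The second sample is the one to study if a deny rule appears to block traffic “both ways”: a stateless filter sees the reply packets of a production-initiated connection as guest-sourced traffic, so without a rule that lets ACK/RST segments through they hit the deny just like a guest-initiated connection would.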

Let’s see if it works, shall we?  Let’s ping from my laptop to the HP StoreVirtual VSA 10.37.20.1: success.  What about the Windows 7 machine on 10.37.20.211?  Err, also success.  That’s not right!

VLAN 7

So what the heck is going on?  Well, as we haven’t applied ACL 3001 to an interface, everything carries on as normal.

To be honest, applying an Access List to an interface on the HP v1910G is a royal pain.  On most switches you just apply the ACL to an interface, either inbound or outbound.  However, on the HP v1910G you have to perform the following:

  • Create a QoS Classifier
  • Create a QoS Behavior
  • Create a QoS Policy using the QoS Classifier and QoS Behavior
  • Apply the QoS Policy to a Port

I’m not going to run through how to do this, as examples can be found in the HP v1910G manual on page 465.

27 thoughts on “How To Configure Access Lists & Route Between VLAN’s On HP v1910 24G”

  1. Hi, thanks for these how-tos. It’s hard to find info about this switch configuration in a VMware environment.
    Just a question: how do you manage public virtual machines?

    1. Hi Brachi, you can have many different configurations for public VM’s. However, below is an example of a common configuration.

      1. Assumption is you have 2 x physical NIC’s which will cater for LAN and DMZ: VLAN 10 for LAN and VLAN 20 for DMZ.
      2. Create one vSwitch with both Physical NIC’s.
      3. Create two Port Groups under the vSwitch, one for LAN (VLAN 10) and one for DMZ (VLAN 20)
      4. Configure your HP v1910G Switch interfaces to carry traffic for both VLAN’s
      5. Give your Public VM’s an IP Address in DMZ subnet
      6. Create a trunk port from your router to your HP v1910G which carries all traffic for VLAN 10 and VLAN 20
      7. Create a default route on your HP v1910G switch to use the router as its default gateway
      8. Your Public VM should use the router as its default gateway
      9. Create your NAT rules on your router e.g. 213.21.23.4 > 172.16.1.10 Port 443

  2. Hi, you seem to know your stuff. I have recently purchased a V1910-24G for our offices.

    The following scenario exists: we have a building with 3 other tenants that want to share our internet connection.

    Our router’s IP address is 10.0.0.2. I have given the V1910 an IP of 10.0.0.200.

    We still want the router to allocate the IP addresses to the users as they log on.

    I have allocated port 1 on the switch as a trunk port and split the switch into 4 segments, namely 1-4, one for each tenant.

    I have not allocated IP addresses to Vlan 2-4.

    On Vlan 1 port 1 is untagged and for 2-4 they are tagged.

    Under IPv4 Routing I have the following
    Destination IP 0.0.0.0
    Mask 0.0.0.0
    Protocol Static
    Preference 10
    Next hop: 10.0.0.2 (Router)
    Interface: Vlan-interface1

    Under DHCP:

    Dhcp Service : Enable
    Server Group:
    Server Group ID: 1
    IP Address: 10.0.0.2

    Interface Config:
    Interface name: Vlan1
    DHCP State: Enabled

    I still cannot access any connections to the internet from Vlan 2-4.

    Please assist.

    1. If you want to do routing on the HP V1910 and also DHCP then you need to give it an IP address on each VLAN. For the internet you will need to create ACL’s and NAT statements for the subnets on VLAN’s 2 to 4.

      Hope that helps.

  3. Struggling to get my head round ACLs, please help…

    VLAN 1 – 192.168.10.0
    VLAN 2 – 192.168.20.0

    next hop on the switch is to my router 192.168.10.1

    I have setup vlan interfaces at .254 for each network, and configured a route back on my router to the switch for VLAN2

    Can you guide me through how I set up ACLs to stop routing between VLANs? I am trying to create an isolated test lab, but also wish to give it internet access.

    Please help???

    Alternatively, I will have to remove the VLAN interface on VLAN2 and set up a dual-homed machine to handle routing to access the internet from VLAN2.

    1. Hi Matt, the HP v1910G isn’t the best for ACL’s. My recommendation would be as follows:

      1. Remove the VLAN interface on VLAN2, so it’s operating at layer two.
      2. On the link to your router untag VLAN1, tag VLAN2
      3. Make your router the default gateway for VLAN2
      4. Create ACL on your router.

      This way all the local VLAN2 traffic resides on the HP v1910 and only leaves it to go out to the internet.

  4. Hi Craig, using your tutorial I have managed to access (ping) all my VLANs in every possible direction. What I have is:
    Vlan 1: switches management vlan (All Trunk Ports, Gateway=192.168.2.250)
    Vlan 101: Servers Vlan (Gateway 192.168.0.210)
    Vlan 102: staff vlan (Gateway 172.16.200.1)
    Vlan 103 students vlan (Gateway 172.16.0.1)

    Now I need to:
    1. Prevent access from staff (102) to students (103) VLANs and vice versa.
    2. Give access from staff (102) and students (103) to the servers VLAN (101) (already working).
    3. Prevent access from staff (102) and students (103) VLANs to the switches management VLAN (1).

    From what I understood from your post, ACLs are for giving specific IP addresses permission to specific destinations, but how about all VLANs?

    Hope you can help, thank you.

      1. Sorry, but I didn’t get anything from the user manual. I have found lots of info that says the same: create a classifier, a behavior and a policy using both of them, but I don’t get what a classifier is, and after that the behavior has a permit and deny, which I don’t understand how to make work because the ACLs also have a permit and deny.

  5. Were you able to get the ACL (classifier, behavior, QOS policy, port policy) to work, Gustavo?

    About the best I could do was create an ACL and apply it to Security > Authorized IP to allow management of the switch. It is a straight-up ACL without needing the other ‘stuff’ and it works. I am able to define a permit ACL allowing management from a specific subnet. Very intuitive.

    Trying to set the QOS-based ACL is a much different story. I have tried many iterations and combinations and just can’t get it to work as I expect. Oddly, when I applied it to the SOURCE port, I could get a deny to work. I would really prefer to set it on the destination port and deny there, but no such luck.

    Gary

  6. Hi Gary, I am still working on it; my ACL’s are properly configured but I still cannot find a way to apply them.

    Assigning IPs to each vlan already let me manage the switch from any of them.

    I started a thread on:
    http://h30499.www3.hp.com/t5/LAN-Routing/V1910-vlan-routing-ACL-s/td-p/6505550#.U5iNm7lOXmL

    And I think I may have the solution, but I am still verifying it. The solution I think I need is in the config file. What I have is:
    For example:
    #
    interface GigabitEthernet1/0/1
    port access vlan 101
    stp edged-port enable
    #
    And what I found would apply my ACL’s is to apply the next line before the last #
    packet-filter 3000 inbound (Where 3000 is your ACL Number)

    But I am not sure If:
    1. You can do this in this specific model
    2. I have to add this line on every interface, GigabitEthernet 1/0/1 through interface GigabitEthernet 1/0/28
    3. In my case where I have two ACL’s (3001 and 3002) should I add one line for each ACL, giving me a total of 56 additional lines to my configuration file

  7. Gustavo – I have also been struggling with the ACLs and have found some odd and inconsistent behavior. That said, what I found to work for me was to use the GUI to create the ACL (10.100.4.0 is VLAN4 and is denied to my production VLAN3 10.100.3.0). The permit rule is needed.
    acl number 3000
    rule 5 deny ip source 10.100.4.0 0.0.0.255 destination 10.100.3.0 0.0.0.255
    rule 10 permit ip

    I found that if I applied the ACL to the SOURCE port – in other words access ports for vlan4, as well as a trunk port for my wifi with SSIDs on vlan3 and vlan4 – it did just what I was looking for: isolate my guest wifi and guest wired ports from the production network.

    Trunk port for wifi:
    interface GigabitEthernet1/0/15
    port link-type trunk
    port trunk permit vlan 1 3 to 4
    packet-filter 3000 inbound
    stp edged-port enable

    Access ports for vlan4:
    interface GigabitEthernet1/0/7
    port access vlan 4
    packet-filter 3000 inbound
    stp edged-port enable
    #
    interface GigabitEthernet1/0/8
    port access vlan 4
    packet-filter 3000 inbound
    stp edged-port enable

    To do this, I used PUTTY and started an ssh session to the V1910. After logging in:
    _cmdline-mode on (default pwd 512900)
    sys (go into system-view)
    int g1/0/7 (do this for each interface 7,8,15 in my case)
    packet 3000 in
    quit (and go on to the next source interface)

    Don’t forget to save after you have tested!

    Gary

  8. Gary, I have achieved the same as you; the only difference is that I am not accessing the switch via telnet (Putty) but instead I am making everything with the GUI and then backing up the config file, editing it with notepad and restoring it again.

    I have one big problem, and I would be very grateful if you could try this on your environment.

    rule 10 deny ip source 172.16.0.0 0.0.15.255 destination 192.168.0.51 0 (This rule blocks all traffic from any client on my students VLAN to a specific IP address on the servers VLAN)

    When I apply this ACL, traffic is denied both ways and I don’t understand what’s wrong with it.

    BTW, instead of applying to every port like this
    interface GigabitEthernet1/0/1
    port access vlan 101
    packet-filter 3002 inbound

    you can apply the ACL to the VLAN, e.g.:
    interface Vlan-interface103
    ip address 172.16.0.1 255.255.240.0
    packet-filter 3002 inbound

  9. Gustavo – I implemented the policy at the VLAN interface level and it works pretty well, much better than applying port by port.

    For your requirement:
    deny vlan4 to vlan3 but
    permit vlan3 to vlan4 (I know the vlans are the wrong number but you get the idea)

    This makes me question if it is possible due to its reflexive nature: if vlan3 requests packets from vlan4, how is vlan4 going to send a packet back to vlan3 if it is denied?

    I question how well ACLs are implemented and documented on the v1910.

    Can anyone with CISCO acl experience confirm or deny if this can be done with a CISCO L3 switch? Same question with higher end HP ProCurve L3 switches?

  10. Gustavo –

    Did you try adding a rule at the top of your ACL (rule1) so it gets processed first along the lines of:
    rule 1 permit tcp established
    rule 5 deny ip source 10.100.4.0 0.0.0.255 destination 10.100.3.0 0.0.0.255
    rule 10 permit ip

    and apply it to vlan4 (in this example vlan4 cannot access vlan3)

    This would allow a connection back to the otherwise denied vlan as long as the connection had already been established from the otherwise denied vlan.

    Gary

  11. Gustavo – Edit to my comment above, this will work. You can tighten down the rule 1 permit established tcp by setting a source and destination.

  12. Gary, thank you for your answer, and sorry for my delay in getting back to you, I was caught up on another project.

    It didn’t work; I don’t know what I am doing wrong.

    This is what I want
    1. Permit Access from vlan 101 to Vlan 103, for this I have
    rule 20 permit ip source 192.168.0.0 0.0.1.255 destination 172.16.0.0 0.0.15.255
    2. Permit Access from vlan 103 to vlan 101, for this I have
    rule 30 permit ip source 172.16.0.0 0.0.15.255 destination 192.168.0.0 0.0.1.255
    3. Deny Access from vlan 103 to 192.168.0.51 in vlan 1, for this I have
    rule 40 deny ip source 172.16.0.0 0.0.15.255 destination 192.168.0.51 0

    What I understand you suggested is, creating a new rule for example number 1 like this:
    rule 1 permit tcp established ip source 192.168.0.51 0 destination 172.16.0.0 0.0.15.255
    Am I right?
    Also, is my deny rule OK as number 40, or should it be above all those previous rules?

    PS: could I contact you via email so we can have a more fluid communication?

  13. Gustavo, You are going to be on your own, pretty much. What you want to do is possible but it WILL require your trial, error and testing. I have a single ACL with multiple rules that do pretty much what you are looking for (probably not exactly but close).

    I have a guest vlan with no access to my prod vlan but prod vlan can access guest. I created them with the GUI but applied them from command line to the secured, guest vlan (VLAN4 in my case).

    My rules look like this for my single ACL 3000 applied to VLAN4.

    acl number 3000
    rule 1 permit tcp established source 10.100.4.0 0.0.0.255 destination 10.100.3.0 0.0.0.255
    rule 5 deny ip source 10.100.4.0 0.0.0.255 destination 10.100.3.0 0.0.0.255
    rule 6 deny ip source 10.100.4.0 0.0.0.255 destination 10.100.5.0 0.0.0.255
    rule 10 permit ip
    acl number 3100
    rule 5 permit tcp established
    rule 10 deny ip source 10.100.4.0 0.0.0.255 destination 10.100.3.0 0.0.0.255
    rule 20 permit ip

  14. Hey, interesting discussion!
    After some struggling, I have got a working ACL on my 1920-24G. Thank you for this!
    There is still one problem: my TCP established rule does not want to work as expected.
    Do you have an idea? 10.100.3.0 should be allowed to access 10.100.4.0; but not vice versa. Here is my config:

    3001
    rule 0 permit tcp established
    rule 10 deny ip source 10.100.4.0 0.0.0.255 destination 10.100.3.0 0.0.0.255
    rule 15 permit ip

    classifier for 3001
    behavior deny
    respective policy applied to ports of 10.100.4.0

    Thank you in advance!

  15. You guys are doing better than I. For now I’d be happy just to be able to log into the switch without having to use the VLAN 1 management, but through one of the VLANs I created. I have my PC connected directly into the switch using the untagged port corresponding to the VLAN. I have assigned IP addresses to the VLANs, etc. etc.

  16. Working with a slightly newer 1920G for a school and trying to get some ACLs in place.

    very similar
    192.168.x.x

    VLAN5 5.1 – Transit – to Internet – PFsense – 5.2 (192.168.5.0/29 (224)1-7)
    VLAN10 10.1 – MGMT – (192.168.10.0/27 (248)1-31)
    VLAN20 20.1 – LAB – (192.168.20.0/24)
    VLAN30 30.1 – Office – (192.168.30.0/24)
    VLAN50 50.1 – Staff – (192.168.50.0/24)
    VLAN100 100.1 – Student – (192.168.100.0/23 (254.0) 100.1-101.254)
    – VLAN200 VPN – Future – not in use (192.168.200.0/24) –

    Goal is to apply filtering so that VLAN 20 and VLAN 100 cannot access any of the other VLANs except VLAN5 for internet access.

    Routing is all working perfectly and traversing to the internet as expected.
    Master/Core switch has IP for all vlans
    All slave switches vlan10 setup as MGMT IP and PVID set to 10
    VLAN1 – has no IP now.

    Master gateway = 0.0.0.0 > 192.168.5.2
    Other switches gateway route 0.0.0.0 > 192.168.10.1 (because I didn’t setup all vlans on each switch even after seeing gvrp is enabled)
    Enabled stack management on the Master switch and can see all the switches via CLI, but in the GUI this feature doesn’t work. Currently on R1112 on all switches.

    ============
    Back to ACL

    packet-filter can’t be applied to the VLAN interface – only physical ports, I found. Even had HP on the phone and they also were stumped as to why the VLAN interface was not allowing the ACL to be applied to it?!?

    Possibly doing via the article would help – however I can’t seem to simply block / filter at the VLAN level vs manually tagging ports?!?

    1. As mentioned in the above comments you can indeed apply an ACL to a VLAN, using CLI. You need to enable “secret commands” first though.
      _cmdline-mode on (default pwd 512900)
      system-view
      interface Vlan-interface10
      packet-filter 3000 inbound

      I have been trying to figure the v1910 out for a few days now, seems like I am getting closer, but the switch really is horrible.
