MoonLive asked:
HP ProCurve ACL for VLAN network.

All experts, I need help to set up an ACL for two VLANs, VLAN 1 and VLAN 20 (guest). DHCP is on VLAN 1, which I need VLAN 20 to access, but block all other traffic. I just want VLAN 20 to access the Internet on ports such as 80 and 443. Can you help me with this? Thank you in advance.
ASKER CERTIFIED SOLUTION
Soulja
This solution is only available to members.
MoonLive (ASKER)
Thanks for the quick reply. The gateway address for the guest network is on the same switch as the VLAN 1 interface and routes to the router.
Core Switch
vlan 1 ip address 10.0.0.2 255.255.0.0
vlan 20 ip address 10.20.0.1 255.255.0.0
ip route 0.0.0.0 0.0.0.0 10.0.0.1

Is the second line I need to remove "permit udp any eq bootpc any eq bootps"?

DHCP on the switch is also a good idea. I may need to look into it. I haven't done it this way. Can you show me a simple way to do this?

Thanks

Soulja, I took your advice and enabled DHCP on the core switch; it works perfectly. But when I implement this

config
ip access-list extended VLAN_20_ACL
  deny ip 20.x.x.x 0.0.0.255 1.x.x.x 0.0.0.255
  permit tcp any any eq 80
  permit tcp any any eq 443
  deny ip any any log
  exit
vlan 20 ip access-group VLAN_20_ACL in

it blocks VLAN 1 from VLAN 20, but the clients on VLAN 20 can't access the Internet. I had to change the last line to the following:
deny ip any any log  --> permit ip any any
It still allows me to access the Internet and denies access to the VLAN 1 network.
Is that OK, or is there any other concern?
Thank you a bunch!
The ACL above would block subnet 20.x.x.x from accessing subnet 1.x.x.x and allow subnet 20.x.x.x to access anything outside of subnet 1.x.x.x on ports 80 and 443, and deny any other port.
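The two ACL versions in the thread behave quite differently, and the difference is easy to see by evaluating them against concrete flows. The original list permits only TCP 80 and 443 out of VLAN 20, so a guest's DNS query (UDP 53) is dropped by the final deny (or by the VLAN 1 deny if the resolver lives there), which explains browsing failures even though HTTP itself is allowed. Replacing "deny ip any any log" with "permit ip any any" restores everything except VLAN 1, but it also gives up the "ports 80 and 443 only" restriction described in the last comment. The script below is an added example, not code from the thread or from HP: a first-match evaluator for extended ACL entries written in the same syntax the thread uses. It assumes the subnets the asker posted (VLAN 1 = 10.0.0.0/16, VLAN 20 = 10.20.0.0/16) stand in for the masked 20.x.x.x / 1.x.x.x addresses, and the resolver 10.0.0.53, Internet host 203.0.113.10 and sample flows are constructed placeholders. It also compares a tightened variant that keeps the final deny and adds the DHCP line the thread discussed plus a DNS permit.

```python
"""First-match evaluator for ProCurve-style extended ACL entries (added example)."""
import ipaddress

# Port keywords the ACL syntax accepts in place of numbers (subset)
PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53, "www": 80, "https": 443}


def _parse_addr(tokens, i):
    """Return (matcher, next_index) for 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    tok = tokens[i]
    if tok == "any":
        return (lambda ip: True), i + 1
    if tok == "host":
        target = ipaddress.IPv4Address(tokens[i + 1])
        return (lambda ip: ip == target), i + 2
    net = int(ipaddress.IPv4Address(tok))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    keep = 0xFFFFFFFF ^ wild  # wildcard bits are "don't care"; the rest must match
    return (lambda ip: (int(ip) & keep) == (net & keep)), i + 2


def _parse_port(tokens, i):
    """Return (matcher, next_index) for an optional 'eq PORT' clause."""
    if i < len(tokens) and tokens[i] == "eq":
        name = tokens[i + 1]
        port = int(name) if name.isdigit() else PORT_NAMES[name]
        return (lambda p: p == port), i + 2
    return (lambda p: True), i


def parse_entry(line):
    """Parse 'permit|deny PROTO SRC [eq P] DST [eq P] [log]' into matchers."""
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    src, i = _parse_addr(tokens, 2)
    sport, i = _parse_port(tokens, i)
    dst, i = _parse_addr(tokens, i)
    dport, i = _parse_port(tokens, i)
    # a trailing "log" keyword only affects logging, not the decision
    return action, proto, src, sport, dst, dport


def evaluate(acl_lines, flow):
    """Apply the ACL top-down; the first matching entry decides.

    flow = (proto, src_ip, src_port, dst_ip, dst_port). A list with no
    matching entry ends in an implicit deny, as on the switch.
    """
    proto, src_ip, sport, dst_ip, dport = flow
    src_ip, dst_ip = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for line in acl_lines:
        action, eproto, src, esport, dst, edport = parse_entry(line)
        if eproto != "ip" and eproto != proto:
            continue
        if src(src_ip) and esport(sport) and dst(dst_ip) and edport(dport):
            return action
    return "deny"


# The thread's ACL, with the masked subnets filled in from the posted
# VLAN addresses (assumption).
ORIGINAL = [
    "deny ip 10.20.0.0 0.0.255.255 10.0.0.0 0.0.255.255",
    "permit tcp any any eq 80",
    "permit tcp any any eq 443",
    "deny ip any any log",
]
# The asker's change: the final deny became "permit ip any any".
LOOSENED = ORIGINAL[:-1] + ["permit ip any any"]
# Tightened variant: permit the DHCP and DNS the guests need, keep the
# final deny so the "ports 80 and 443 only" intent survives.
TIGHTENED = [
    "permit udp any eq bootpc any eq bootps",   # DHCP line discussed in the thread
    "permit udp any host 10.0.0.53 eq domain",  # placeholder resolver address
    "deny ip 10.20.0.0 0.0.255.255 10.0.0.0 0.0.255.255",
    "permit tcp any any eq 80",
    "permit tcp any any eq 443",
    "deny ip any any log",
]

# Constructed sample flows from a guest client on VLAN 20.
FLOWS = {
    "dhcp_discover": ("udp", "0.0.0.0", 68, "255.255.255.255", 67),
    "dns_to_vlan1": ("udp", "10.20.0.50", 53000, "10.0.0.53", 53),
    "smb_to_vlan1": ("tcp", "10.20.0.50", 52000, "10.0.0.10", 445),
    "https_internet": ("tcp", "10.20.0.50", 51000, "203.0.113.10", 443),
    "ssh_internet": ("tcp", "10.20.0.50", 51001, "203.0.113.10", 22),
}


def decisions(acl_lines):
    """Map each sample flow name to the ACL's permit/deny decision."""
    return {name: evaluate(acl_lines, flow) for name, flow in FLOWS.items()}


if __name__ == "__main__":
    for label, acl in (("original", ORIGINAL), ("loosened", LOOSENED), ("tightened", TIGHTENED)):
        print(label, decisions(acl))
```

Running it shows the original list denying the DNS query and the DHCP request along with SSH, the loosened list permitting SSH (and every other port) to the Internet, and the tightened list permitting only DHCP, DNS and web while still blocking SMB into VLAN 1. The DNS permit sits above the VLAN 1 deny on purpose, so a resolver on VLAN 1 stays reachable; narrow it further if the guests use a different resolver.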