Wired Intelligent Edge


Procurve 2920-24G doesn't support outbound ACLs?

  • 1.  Procurve 2920-24G doesn't support outbound ACLs?

    Posted May 29, 2020 12:31 AM

    I've gone through the command references for multiple versions of WB.16.x, and there's no mention of this not being supported.

    Yet on my 2920Gs:
    On a VLAN - can only do an ip access-group xyz vlan-in
    On an interface - can only do an ip access-group xyz in

    No out available.  I've tried WB.16.03.0003, WB.16.03.0007, WB.16.10.0007.  Funny enough, on WB.15.18.0006 out does appear for VLAN.

    Switch01(vlan-5)# ip access-group test
    vlan-in Apply the IPv4 ACL for bridged and routed inbound packets on this VLAN.

    Is this really true?  I can only do inbound ACL on a 2920?

     


    #ACL


  • 2.  RE: Procurve 2920-24G doesn't support outbound ACLs?

    EMPLOYEE
    Posted Jun 01, 2020 09:01 PM

    Hi,

    Can you please check whether the document below is useful for you? If not, can you please share the device product number, which starts with 'JXXXXX'?

    https://h20628.www2.hp.com/km-ext/kmcsdirect/emr_na-a00055680en_us-2.pdf

     

    Thanks!



  • 3.  RE: Procurve 2920-24G doesn't support outbound ACLs?

    Posted Jun 02, 2020 01:26 AM

    Curious about this as well. I have a 2920 48g and it seemed silly that I had to apply an inbound ACL to 6 VLANs when all I was trying to do was block outbound traffic from 1 VLAN to the rest of them. Would have loved a vlan-out function on the ACL VLAN application.



  • 4.  RE: Procurve 2920-24G doesn't support outbound ACLs?

    Posted Jun 02, 2020 08:32 PM

    Wanted to add this... this is from the 16.10 Security guide for the 2920, which I was hoping was going to let me use the "vlan-out" function for VACLs... not to mention this "shared" function... Am I missing something? Seems like this is supposed to be implemented but not?

    https://psnow.ext.hpe.com/doc/a00061587en_us

    IPv4 access-group (VACL)
    Allows for the configuration of an IPv4 ACL on a vlan to be shared. VACLs are applied from vlan context.
    Syntax
    ip access-group ACL-ID in|out|vlan-in|vlan-out|connection-rate-filter shared
    no ip access-group ACL-ID in|out|vlan-in|vlan-out|connection-rate-filter shared
    Description
    Apply the specified IPv4 ACL on this VLAN interface. When ACLs are shared, hardware resource usage is
    optimized where possible.
    Parameter
    shared
    Apply the IPv4 ACL so as to share hardware resources.
    Restrictions
    Per-application statistics will not be available when ACLs are applied as shared.
    ip access-group my-acl out shared
    switch(config)# vlan 1
    switch(vlan-1)# ip access-group my-acl vlan-out shared
    switch(vlan-1)# ip access-group my-acl out shared



  • 5.  RE: Procurve 2920-24G doesn't support outbound ACLs?

    EMPLOYEE
    Posted Jun 10, 2020 12:03 PM

    Hi,

    This seems to be a chip limitation. Can you share the product number of the device, which starts with 'JXXXXXX'?

    The ArubaOS-Switch 16.07/16.08 guides apply to this product line: J9726A, J9727A, J9728A, J9729A, J9836A.

    Thanks!