Securing Your Network: Configuring ACLs on an HP 1910 Managed Switch *The Easy Way*

In a previous guide, I discussed implementing VLANs on an HP 1910 L3 managed switch (Comware-based). In today's guide, I will discuss how to secure those VLANs by setting up access control lists (ACLs).


This is a companion discussion topic for the original entry at https://engineerworkshop.com/2020/01/20/enabling-acls-on-an-hp-1910/

Hi, thank you very much for your explanations. I’ve been trying to set up the switch for several days, but it’s so complicated and the ACL doesn’t work. I have a question: why do you put a range for the ports 137-138? Can we use any port number, or do I need to use this range?
I will try your method and I will come back to give you the news!

Hi Janis,

First of all, welcome and thanks for reading! Setting up ACLs using the method described by HP is indeed extremely complicated. That’s why, when I found that my simplified CLI method worked, I decided I had to write up this guide for others.

To answer your question re: port range 137-138, it’s just an example. That rule came from an ACL I use to isolate my web server VLAN from my other DMZ VLANs. Why did I permit that specific range? I use an SMB share to back up my web servers’ content and the CIFS/SMB protocol uses those ports. (I actually updated it to range 137-139).

That specific ACL rule may not be applicable to you. To keep the article a manageable size, I decided to defer a tutorial on designing ACLs to a future article. Let me know if you would be interested in such an article (and keep in mind that my offer of helping you design your ACL still stands).

If you want a quick-and-dirty guide for designing ACLs on your L3 switch, I’ll offer the following:

  1. Defer setting up the ACLs initially and instead concentrate on getting your VLANs set up and everything working on the switch.
  2. Audit your inter-VLAN traffic. See what ports are in use and who is talking to what.
  3. Explicitly permit required inter-VLAN traffic, block everything else.

Continuing the example, on one of my web servers, you would see that it was talking to my unRAID server on ports 137-139 (again, due to the SMB connection). I then set up my ACL rule to explicitly allow the connection to my unRAID server, but I do it in such a way that the ACL rule is still limited in scope: I allow my web server to connect to my unRAID server (and ONLY my unRAID server, nothing else) and only on those ports. I then deny all other inter-VLAN traffic from the web server VLAN.

As you gain more experience, you’ll be able to design your VLANs and ACLs right from the start without even having to resort to keeping your ACLs open at the beginning. You’ll also learn how to design your VLANs better. If you realize that you’re starting to have to open (permit) a lot of connections between VLANs, it may make more sense to group those devices together within their own VLAN.

The most important step is to just get started. Perfect is the enemy of good.

-Torquewrench
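The audit-then-permit procedure above, as an added example that is not part of the original post or the author's switch configuration: it takes a constructed sample of audited flows, builds explicit permits with a trailing deny, and lets you check individual flows against the result. The addresses, the Comware-style rendering and the permit-by-default assumption are my own assumptions, not taken from the post.

```python
from ipaddress import ip_address, ip_network
# Constructed audit sample (step 2): flows observed leaving the web server VLAN.
# Addresses are placeholders, not the thread author's hosts.
WEB_VLAN = ip_network("10.20.0.0/24")
AUDITED_FLOWS = [
    ("10.20.0.10", "10.30.0.5", "tcp", 137),  # web server -> backup share (SMB)
    ("10.20.0.10", "10.30.0.5", "tcp", 138),
    ("10.20.0.10", "10.30.0.5", "tcp", 139),
]

def build_rules(flows, src_vlan):
    # Step 3: one permit per (src host, dst host, proto) with observed ports
    # collapsed into contiguous ranges (gaps are never bridged), then deny the rest.
    groups = {}
    for src, dst, proto, port in flows:
        if ip_address(src) in src_vlan:
            groups.setdefault((src, dst, proto), set()).add(port)
    rules = []
    for (src, dst, proto), ports in sorted(groups.items()):
        lo = hi = min(ports)
        for p in sorted(ports):
            if p > hi + 1:  # non-contiguous port: close the current range
                rules.append(("permit", proto, src, dst, lo, hi))
                lo = p
            hi = p
        rules.append(("permit", proto, src, dst, lo, hi))
    rules.append(("deny", "ip", str(src_vlan), None, None, None))
    return rules

def evaluate(rules, src, dst, proto, port):
    # First match wins; 'permit' when nothing matches (the implicit default
    # assumed here), which is exactly why the trailing deny is required.
    for action, rproto, rsrc, rdst, lo, hi in rules:
        if (rproto in ("ip", proto) and ip_address(src) in ip_network(rsrc)
                and rdst in (None, dst) and (lo is None or lo <= port <= hi)):
            return action
    return "permit"

def to_comware(rules, acl_number=3000):
    # Comware-style rendering (syntax assumed; check the switch's command reference).
    lines = [f"acl number {acl_number}"]
    for n, (action, proto, src, dst, lo, hi) in enumerate(rules):
        if action == "deny":
            net = ip_network(src)
            lines.append(f" rule {n * 5} deny ip source {net.network_address} {net.hostmask}")
        else:
            lines.append(f" rule {n * 5} permit {proto} source {src} 0 "
                         f"destination {dst} 0 destination-port range {lo} {hi}")
    return lines
```

Run `evaluate` against flows you expect to be blocked (same server, other port; other host, same port) before applying the rendered rules, so the deny actually covers what the audit did not show.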

Hi again. In my case I have created VLAN 10 (ports 3-4), VLAN 30 (ports 7-8), VLAN 100 (ports 9-10), VLAN 150 (ports 13-14), VLAN 300 (ports 17-18) and the native VLAN with all the rest of the ports. Finally I have tested my configuration made in the web GUI interface and it works! I wanted VLAN 300 to be able to communicate with all the rest of the VLANs, because the servers are in VLAN 300. My mistake was checking from the PC connected to the native VLAN by pinging the server, but I checked again from my server towards VLANs 10, 30, 100 and 150 and the ping is successful! I am more used to working with Cisco switches (IP routing and building ACLs). In fact, afterwards I realized that the native VLAN is not a rightful VLAN.
Thanks a lot again!


Glad to hear it works, Janis. Thanks for the update!

Agreed on Cisco; there’s a reason they’re the industry standard. I got the switch for something like 25 bucks; I definitely traded my time for the savings. :sweat_smile: If you had asked me a few months ago which L3 switch was the best for beginners, I would have counseled against the HP 1910, due to the lack of documentation and the monumental effort it took to properly configure as a result.

Today though, with my guides, I think I would recommend the HP 1910 for homelabs again. At $25 it’s a tremendous value, and I think my HP 1910 series now sufficiently covers the most difficult aspects of configuring this switch.

Welcome to the forums and I look forward to hearing from you again!

-TorqueWrench