topic Re: BYOD Devices straight to internet in HPE Aruba Networking & ProVision-based

BYOD Devices straight to internet

robbyde — Mon, 31 Mar 2014 02:28:46 GMT

Hi All,

We have some 2610 and 2626 switches that are used in boarding houses, the students plug in their BYOD's such as laptops etc and connect to the internet via a proxy that prompts them for a username and password.

The problem is the users are on the network regardless of connecting to the internet. We lock them down a bit by restricting MAC addresses but how can we lock them down so they can only access the internet via the proxy?

Would I have to create a vlan that only routes to the switch that has the proxy? If so how to I stop vlan hopping between switches?

Sorry I'm a complete noob to switching, I'm trying but not great.

Thanks

P.S. This thread has been moved from Switches, Hubs, Modems (Legacy ITRC forum) to ProCurve / ProVision-Based. -HP Forum Moderator

Re: BYOD Devices straight to internet

Pete W — Thu, 27 Mar 2014 20:34:11 GMT

Is the problem that students can access the Internet without using the proxy?

Or is the issue that students can access internal resources that they shouldn't be able to?

Regards,

Pete

Re: BYOD Devices straight to internet

robbyde — Fri, 28 Mar 2014 08:15:37 GMT

Hi,

Sorry didn’t explain very well.

The problem is the kids can access resources on the network they shouldn’t.

My main concern is although we try and get the pc's in to virus check they often are full of malware and I worry that once they're connected, they could introduce something onto the network.

Thanks

Re: BYOD Devices straight to internet

Pete W — Mon, 31 Mar 2014 21:47:51 GMT

Ideally BYOD devices should be in an isolated VLAN with highly limited visability of internal resources.

Question:

Are the students in the same VLAN as your internal systems?

Regards,

Pete

Re: BYOD Devices straight to internet

robbyde — Tue, 01 Apr 2014 10:48:28 GMT

No seperate vlan (everthing has a seperate vlan here, around 50 or so).

The problem is the vlans arnt bound by secuirty as far as I can tell i.e. I can access anything on the network regardless of the vlan.

So I guess what I want help with is add vlan security, i.e.

if you are plugged into Switch A and on vlan 10 then you can only access the proxy server on port 80.

Re: BYOD Devices straight to internet

robbyde — Wed, 02 Apr 2014 14:30:02 GMT

Hi,

Sorted the issue, I've added the following ACL's:

ip access-list extended GuestACL

10 permit ip 192.168.241.0 0.0.0.255 192.168.250.20 0.0.0.0

15 permit ip 192.168.241.0 0.0.0.255 192.168.250.30 0.0.0.0

20 permit ip 192.168.241.0 0.0.0.255 10.0.0.10 0.0.0.0

25 permit ip 192.168.241.0 0.0.0.255 192.168.250.100 0.0.0.0

30 permit ip 192.168.241.0 0.0.0.255 10.0.0.254 0.0.0.0

31 permit ip 192.168.241.0 0.0.0.255 192.168.241.254 0.0.0.0

35 permit ip 192.168.241.254 0.0.0.0 0.0.0.0 255.255.255.255

50 deny ip 192.168.241.0 0.0.0.255 192.168.0.0 0.0.255.255

55 deny ip 192.168.241.0 0.0.0.255 10.0.0.0 0.255.255.255

57 deny ip 192.168.241.0 0.0.0.255 172.0.0.0 0.255.255.255

60 permit ip 192.168.241.0 0.0.0.255 0.0.0.0 255.255.255.255

VLAN 3241 ip access-group GuestACL in

Show Access-List GuestACL

So basically, the users can access the DHCP servers, firewall, proxy, their own range but nothing else.

Thanks all