M and MSM Series

Guest Network

 
Nilldot
Occasional Contributor

Guest Network

Hi guys,

Hope you can help me with this, dare I say, simple topology.

 

What I want is to prevent users on VLAN 110 (guest users) from accessing VLAN20 (corporate VLAN) data. The whole purpose of a guest VLAN, right? :) But at this point I can access all the data, though I need to authenticate via an HTML form first (GMS software works great, btw).

Traffic from the guest VSC is NAT-ed via the MSM720, which has an IP address on VLAN20 (10.10.20.253), so all guest traffic has a source of x.253, making it tricky to block, as the same MSM720 is the RADIUS client for the Employee VSC and requires communication with the NPS server on VLAN20.

I tried to use the Custom firewall configuration on the MSM720 unit to prevent communication, with zero effect.

I would assume that an access list on the HP-2915 can prevent communication, but I really don't understand how to get traffic to be egressed to it. I have tried changing port 1 to trunk, again with zero effect.

 

Could someone assist me with that? Thank you in advance.

 

P.S.

This is a simplified version of the network topology, but it should give you an insight into how it is interconnected.

Lmm_1
Honored Contributor

Re: Guest Network

It looks like you are using VLAN110 as the Ingress VLAN for VSC "Employee Access" and VLAN120 as Ingress for "Guest Access". Assuming that you have almost default settings in the VSC, the traffic for both VSCs will be egressed using the default network, which means through NAT on the Internet network. I would recommend using VLANs 110 and 120 as the Egress VLAN for each VSC; look at the configuration settings under the VSC.

 

Thanks,

Lmm

Nilldot
Occasional Contributor

Re: Guest Network


Thank you for your reply.

I assumed this is the case, because how otherwise will the downstream switch know on which VLAN data arrives? But that's the thing: my VSC egress mappings are blank, without an option to select anything from the drop-down. I have tried everything I know to get something on that list. <Default> is the only option for me to choose.

VSC egress mapping 
Traffic type Map to

Unauthenticated: <Default>
Authenticated: <Default>
Intercepted: <Default>

Lmm_1
Honored Contributor

Re: Guest Network

The Ingress for each VSC should be the SSID; client data tunnel should be enabled by default at each VSC, therefore traffic from each VSC will get into the controller. I think you are missing the IP interfaces for each VLAN. I see you have both VLANs tagged on the controller ports; add the IP interfaces and you should get the VLANs to use them as egress in the VSC.