04-03-2009 01:27 PM
Procurve 2610 VLan/Secured Wireless Setup
Our 2610 which we just purchased is the 3rd switch in a line of hops between buildings which is all being connected via fiber.
This is a flat network with an IP of 17.16.0.x and a gateway on that network of 17.16.0.2.
What we want to do is add an access point and/or wireless router off of this Procurve and only allow HTTP traffic through that configured port.
My question is, is this even possible? I have called HP and they point me to trying to set up ACLs to do this. The problem is I assign my access point or router in this case to the 192.168.5.1 address, plug it into Port 22 and no traffic flows at all.
Here is my current config and any help on this subject is appreciated!
Startup configuration:
; J9085A Configuration Editor; Created on release #R.11.22
hostname "ProCurve Switch 2610-24"
ip access-list extended "100"
   permit tcp 192.168.5.1 0.0.0.0 10.0.2.50 0.0.0.0 eq 80
   exit
ip default-gateway 10.0.0.1
ip routing
snmp-server community "public" Unrestricted
vlan 1
   name "DEFAULT_VLAN"
   untagged 1-21,23-28
   ip address 10.0.2.50 255.255.0.0
   no untagged 22
   exit
vlan 150
   name "GuestWifi"
   ip address 192.168.5.1 255.255.255.0
   tagged 22
   exit
password manager
ProCurve Switch 2610-24#
04-03-2009 07:12 PM
Re: Procurve 2610 VLan/Secured Wireless Setup
What is the actual network IP address used? You mention 172.16.0.x (I assume a mask of 255.255.255.0) but your switch is configured in the 10.0.0.0/255.255.0.0 network. You need your switch and network to be in the same IP range as it is going to act as a router between the 2 VLANs.
I would also suggest you set port 22 as untagged for vlan 150. This puts anything connected to that port in the vlan rather than relying on the device to understand vlan tagging.
You will also need to make sure that your current router (at 172.16.0.2) knows how to get back to the new network of 192.168.5.0/24. It should be just a simple matter of putting a static route in its config pointing back at the IP address of the switch (whatever you end up assigning to it on VLAN 1).
Once you have your IP addressing sorted out then we can take a look at what you want your ACL to actually do.
04-06-2009 12:54 PM
Re: Procurve 2610 VLan/Secured Wireless Setup
I'm going to put together a Visio diagram here today and post it up for a better idea of what I'm trying to accomplish.
04-06-2009 01:40 PM
Re: Procurve 2610 VLan/Secured Wireless Setup
There is only one fibre run to the 3rd building in the diagram and this is where our procurve is going.
At this point, I don't care if we can't use the Wireless router and just have to purchase a regular WAP.
Again our goal is to get that "Guest Wifi" ONLY HTTP/HTTPS access. If it has to remain on the same subnet as the rest of the network so be it.
Thanks again for any help.
04-06-2009 01:41 PM
Re: Procurve 2610 VLan/Secured Wireless Setup
04-06-2009 03:12 PM
Re: Procurve 2610 VLan/Secured Wireless Setup
If so the most secure method would be to bring the guest access in to a "DMZ" port on your firewall and then create rules on the firewall that only allow access to the internet on 80 & 443. This DMZ could either be a physical port on the firewall or a virtual one via VLANs but it really comes down to how well you know how to configure the firewall and its rules.
It would be best if you could just use the wireless router as an AP (rather than a router).
If you don't mind, can you post the current configs of the 3 procurve switches?
04-06-2009 03:30 PM
Re: Procurve 2610 VLan/Secured Wireless Setup
We only have the ONE procurve switch, which the WAP/Wireless router is connected to.
04-06-2009 04:52 PM
Re: Procurve 2610 VLan/Secured Wireless Setup
I'll have to have a bit of a think about this as it may be possible to do it all within your procurve via ACLs (access control lists). Though if it was my network I'd want to run it all via a VLAN to a separate port on my firewall just for greater control.
Can you post a current copy of the procurve config, as the one in the original post doesn't seem to match up with your IP numbering in the diagram?
04-13-2009 10:44 PM
Re: Procurve 2610 VLan/Secured Wireless Setup
I'm not 100% sure this solution will work. I don't have a 2610 to play with so I'm not sure the ACL will work as I expect. I normally work with ACLs on the 5400 range and with those I generally apply this sort of filtering at the VLAN level but the 2610 series only supports ACLs at the port level.
Anyway you can give it a go and see what happens, just make sure you only make the change to the running config (don't do a "write mem") that way if it goes horribly wrong you can always just powercycle the switch to get back to your original configuration.
Let's start with some assumptions:
1. Your wireless unit is a router and that you have the "WAN" port on the router connected to the procurve switch on port 22.
2. The wireless router is doing NAT and that it supports DNS proxying.
2b. On the basis of this assumption all traffic from wireless clients will appear to come from the IP address assigned to the WAN port on the wireless router.
3. You have configured the WAN port on the wireless router to 192.168.5.254/255.255.255.0, gateway is 192.168.5.1 and DNS is set to 172.16.0.2
3b. This assumes that the server you have marked as a PDC in your diagram is also a DNS server. If not then set the DNS server setting to something else that is.
4. The wireless router has a LAN IP address of 192.168.6.254/255.255.255.0 and is set up as a DHCP server for the wireless clients. The DHCP scope should be set to give clients a Gateway and DNS server address of 192.168.6.254. (This goes back to assumption 2 about DNS proxying.)
5. Your internal LAN uses a class B (255.255.0.0) mask for your 172.16.0.0 network. If it is a Class C (255.255.255.0) then you will need to modify the last part of the "deny ip" line to 0.0.0.255 and the mask on the "ip address" line in vlan 1 to 255.255.255.0
6. On your firewall you add a static route for the network 192.168.5.0 that points to 172.16.0.8 as its gateway. That way it knows how to get back to your guest WiFi network.
Config for the Procurve 2610 should look something like this:
hostname "ProCurve Switch 2610-24"
ip access-list extended "100"
   permit tcp 192.168.5.254 0.0.0.0 172.16.0.2 0.0.0.0 eq 53
   permit udp 192.168.5.254 0.0.0.0 172.16.0.2 0.0.0.0 eq 53
   deny ip 192.168.5.254 0.0.0.0 172.16.0.0 0.0.255.255
   permit tcp 192.168.5.254 0.0.0.0 any eq 80
   permit tcp 192.168.5.254 0.0.0.0 any eq 443
   exit
ip default-gateway 172.16.0.1
ip routing
no ip source-route
snmp-server community "public" Unrestricted
interface 22
   name "Link to Guest WiFi router"
   access-group 100 in
   exit
vlan 1
   name "DEFAULT_VLAN"
   untagged 1-21,23-28
   ip address 172.16.0.8 255.255.0.0
   no untagged 22
   exit
vlan 150
   name "GuestWifi"
   ip address 192.168.5.1 255.255.255.0
   untagged 22
   exit
ip route 0.0.0.0 0.0.0.0 172.16.0.1
password manager
--------------------------------------------------
Personally I wouldn't do it this way. I would run the wireless unit in bridged mode and bring the GuestWiFi VLAN into a spare interface on the firewall and then use the firewall to control what the guests can access. There would be no routing on the switch and the internal network would be logically isolated from the guest network with only the firewall able to pass traffic between the two. This of course would only work if your other switches support VLANs and you had a spare interface on the firewall.
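
The ACL proposed in the last reply, checked offline before it goes near the switch: an added example (not part of the original thread and not HP code) that evaluates ACL "100" with first-match semantics, wildcard masks and the implicit deny at the end. The test packets, the 203.0.113.10 internet host and the 192.168.5.77 client address are constructed for illustration.

```python
import ipaddress

# ACL "100" as posted in the answer above (entries are checked top to bottom).
ACL_100 = """\
permit tcp 192.168.5.254 0.0.0.0 172.16.0.2 0.0.0.0 eq 53
permit udp 192.168.5.254 0.0.0.0 172.16.0.2 0.0.0.0 eq 53
deny ip 192.168.5.254 0.0.0.0 172.16.0.0 0.0.255.255
permit tcp 192.168.5.254 0.0.0.0 any eq 80
permit tcp 192.168.5.254 0.0.0.0 any eq 443
"""

def _addr(tokens):
    """Consume 'any' or '<ip> <wildcard>' from tokens; return (ip, wildcard) as ints."""
    if tokens[0] == "any":
        tokens.pop(0)
        return 0, 0xFFFFFFFF
    return tuple(int(ipaddress.IPv4Address(tokens.pop(0))) for _ in range(2))

def parse_acl(text):
    rules = []
    for line in text.strip().splitlines():
        action, proto, *tokens = line.split()
        src, dst = _addr(tokens), _addr(tokens)
        port = int(tokens[1]) if tokens[:1] == ["eq"] else None
        rules.append((action, proto, src, dst, port))
    return rules

def _match(addr, ip, wild):
    # Wildcard bits set to 1 are "don't care"; only the remaining bits must be equal.
    return ((int(ipaddress.IPv4Address(addr)) ^ ip) & ~wild & 0xFFFFFFFF) == 0

def evaluate(rules, proto, src, dst, dport=None):
    """First matching entry decides; traffic matching nothing hits the implicit deny."""
    for action, r_proto, r_src, r_dst, r_port in rules:
        if (r_proto in ("ip", proto) and _match(src, *r_src) and _match(dst, *r_dst)
                and (r_port is None or r_port == dport)):
            return action
    return "deny"

RULES = parse_acl(ACL_100)
ROUTER = "192.168.5.254"  # WAN address of the guest router (assumption 3 in the post)
# Constructed test packets; 203.0.113.10 (documentation range) stands in for an internet host.
SAMPLES = [("tcp", ROUTER, "203.0.113.10", 80), ("udp", ROUTER, "172.16.0.2", 53),
           ("tcp", ROUTER, "172.16.0.2", 80), ("tcp", ROUTER, "203.0.113.10", 25),
           ("tcp", "192.168.5.77", "203.0.113.10", 80)]

if __name__ == "__main__":
    for pkt in SAMPLES:
        print(pkt, "->", evaluate(RULES, *pkt))
```

The last sample is denied because every entry matches the single host 192.168.5.254, so the ACL only passes traffic when the wireless unit NATs clients behind that address (assumption 2b). Moving the "deny ip" entry below the port 80/443 permits would let guests reach internal web servers, which is why the entry order matters.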