Switches, Hubs, and Modems
Re: Procurve 2610 VLan/Secured Wireless Setup

 
jrhaile
New Member

Procurve 2610 VLan/Secured Wireless Setup

Here is my situation as detailed as I can be:

Our 2610 which we just purchased is the 3rd switch in a line of hops between buildings which is all being connected via fiber.

This is a flat network with an ip of 17.16.0.x and a gateway on that network of 17.16.0.2

What we want to do is add an access point and or wireless router off of this Procurve and only allow HTTP traffic through that configured port.

My question is, is this even possible? I have called HP and they point me to trying to setup ACLs to do this. The problem is I assign my access point or router in this case to the 192.168.5.1 address, plug it into Port 22 and no traffic flows at all.

Here is my current config and any help on this subject is appreciated!

Startup configuration:

; J9085A Configuration Editor; Created on release #R.11.22

hostname "ProCurve Switch 2610-24"
ip access-list extended "100"
permit tcp 192.168.5.1 0.0.0.0 10.0.2.50 0.0.0.0 eq 80
exit
ip default-gateway 10.0.0.1
ip routing
snmp-server community "public" Unrestricted
vlan 1
name "DEFAULT_VLAN"
untagged 1-21,23-28
ip address 10.0.2.50 255.255.0.0
no untagged 22
exit
vlan 150
name "GuestWifi"
ip address 192.168.5.1 255.255.255.0
tagged 22
exit
password manager

ProCurve Switch 2610-24#
Mark Wibaux
Trusted Contributor

Re: Procurve 2610 VLan/Secured Wireless Setup

192.168.5.1 is what you have assigned to the VLAN on the switch. You will need to assign a different IP address to your access point.

What is the actual network IP address used? You mention 172.16.0.x (I assume a mask of 255.255.255.0) but your switch is configured in the 10.0.0.0/255.255.0.0 network. You need your switch and network to be in the same IP range as it is going to act as a router between the 2 VLANs.
I would also suggest you set port 22 as untagged for vlan 150. This puts anything connected to that port in the vlan rather than relying on the device to understand vlan tagging.

You will also need to make sure that your current router (at 172.16.0.2) knows how to get back to the new network of 192.168.5.0/24. It should be just a simple matter of putting a static route in its config pointing back at the IP address of the switch (whatever you end up assigning to it on VLAN 1).

Once you have your IP addressing sorted out then we can take a look at what you want your ACL to actually do.
jrhaile
New Member

Re: Procurve 2610 VLan/Secured Wireless Setup

I'm sorry - I completely typoed the numbers of the network.

I'm going to put together a Visio diagram here today and post it up for a better idea of what I'm trying to accomplish.
jrhaile
New Member

Re: Procurve 2610 VLan/Secured Wireless Setup

Okay, I have attached the network diagram that I put together real quick. As you can see, this is a completely flat network with fibre runs between each building.

There is only one fibre run to the 3rd building in the diagram and this is where our procurve is going.

At this point, I don't care if we can't use the Wireless router and just have to purchase a regular WAP.

Again our goal is to get that "Guest Wifi" ONLY HTTP/HTTPS access. If it has to remain on the same subnet as the rest of the network so be it.

Thanks again for any help.
jrhaile
New Member

Re: Procurve 2610 VLan/Secured Wireless Setup

Also, as you can see, I'm VERY new with these procurve switches. So as much detail as possible is appreciated.
Mark Wibaux
Trusted Contributor

Re: Procurve 2610 VLan/Secured Wireless Setup

Just to make sure. By guest HTTP/HTTPS access you mean purely to the internet? There is no need for the guest access to be able to talk to your internal network for HTTP/HTTPS.

If so the most secure method would be to bring the guest access in to a "DMZ" port on your firewall and then create rules on the firewall that only allow access to the internet on 80 & 443. This DMZ could either be a physical port on the firewall or a virtual one via VLANs but it really comes down to how well you know how to configure the firewall and its rules.

It would be best if you could just use the wireless router as an AP (rather than a router).

If you don't mind can you post the current configs of the 3 procurve switches.
jrhaile
New Member

Re: Procurve 2610 VLan/Secured Wireless Setup

You are correct when all we want is to allow Internet traffic from the Guest Wifi VLan.

We only have the ONE procurve switch, which the WAP/Wireless router is connected to.
Mark Wibaux
Trusted Contributor

Re: Procurve 2610 VLan/Secured Wireless Setup

Do you know if your other switches support VLANs? What type/model of switches are they?

I'll have to have a bit of a think about this as it may be possible to do it all within your procurve via ACLs (access control lists). Though if it was my network I'd want to run it all via a VLAN to a separate port on my firewall just for greater control.

Can you post a current copy of the procurve config as the one in the original post doesn't seem to match up with your IP numbering in the diagram.
Mark Wibaux
Trusted Contributor

Re: Procurve 2610 VLan/Secured Wireless Setup

As you've not posted any other info I'll make a best guess at some of it.

I'm not 100% sure this solution will work. I don't have a 2610 to play with so I'm not sure the ACL will work as I expect. I normally work with ACLs on the 5400 range and with those I generally apply this sort of filtering at the VLAN level but the 2610 series only supports ACLs at the port level.
Anyway you can give it a go and see what happens, just make sure you only make the change to the running config (don't do a "write mem") that way if it goes horribly wrong you can always just powercycle the switch to get back to your original configuration.

Let's start with some assumptions
1. Your wireless unit is a router and that you have the "WAN" port on the router connected to the procurve switch on port 22.
2. The wireless router is doing NAT and that it supports DNS proxying.
2b. On the basis of this assumption all traffic from wireless clients will appear to come from the IP address assigned to the WAN port on the wireless router.
3. You have configured the WAN port on the wireless router to 192.168.5.254/255.255.255.0, gateway is 192.168.5.1 and DNS is set to 172.16.0.2
3b. This assumes that the server you have marked as a PDC in your diagram is also a DNS server. If not then set the DNS server setting to something else that is.
4. The wireless router has a LAN IP address of 192.168.6.254/255.255.255.0 and is setup as a DHCP server for the wireless clients. The DHCP scope should be set to give clients a Gateway and DNS server address of 192.168.6.254. (This goes back to assumption 2 about DNS proxying.)
5. Your internal LAN uses a class B (255.255.0.0) mask for your 172.16.0.0 network. If it is a Class C (255.255.255.0) then you will need to modify the last part of the "deny ip" line to 0.0.0.255 and the mask on the "ip address" line in vlan 1 to 255.255.255.0
6. On your firewall you add a static route for the network 192.168.5.0 that points to 172.16.0.8 as its gateway. That way it knows how to get back to your guest WiFi network.

Config for the Procurve 2610 should look something like this

hostname "ProCurve Switch 2610-24"
ip access-list extended "100"
permit tcp 192.168.5.254 0.0.0.0 172.16.0.2 0.0.0.0 eq 53
permit udp 192.168.5.254 0.0.0.0 172.16.0.2 0.0.0.0 eq 53
deny ip 192.168.5.254 0.0.0.0 172.16.0.0 0.0.255.255
permit tcp 192.168.5.254 0.0.0.0 any eq 80
permit tcp 192.168.5.254 0.0.0.0 any eq 443
exit
ip default-gateway 172.16.0.1
ip routing
no ip source-route
snmp-server community "public" Unrestricted

interface 22
name "Link to Guest WiFi router"
ip access-group 100 in
exit

vlan 1
name "DEFAULT_VLAN"
untagged 1-21,23-28
ip address 172.16.0.8 255.255.0.0
no untagged 22
exit
vlan 150
name "GuestWifi"
ip address 192.168.5.1 255.255.255.0
untagged 22
exit
ip route 0.0.0.0 0.0.0.0 172.16.0.1
password manager

--------------------------------------------------

Personally I wouldn't do it this way. I would run the wireless unit in bridged mode and bring the GuestWiFi VLAN into a spare interface on the firewall and then use the firewall to control what the guests can access. There would be no routing on the switch and the internal network would be logically isolated from the guest network with only the firewall able to pass traffic between the two. This of course would only work if your other switches support VLANs and you had a spare interface on the firewall.
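Added example (not from the thread or from HP): an offline model of the port-22 ACL in the config above, so the rules can be checked before they are typed into a switch nobody can afford to lock themselves out of. It implements the two behaviours ProCurve documents for ACLs, first matching entry wins and an implicit "deny any" at the end, and evaluates a handful of constructed flows as they would arrive inbound on port 22. The sample addresses (203.0.113.10 for "the Internet", 192.168.6.10 for a wireless client, 10.0.2.50 for a second internal range) are assumptions made up for the demonstration; `Ace`, `evaluate` and `decisions` are names chosen here, not switch commands.

```python
"""Offline model of the port-22 guest ACL from the post above (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Ace:
    """One access-control entry. src/dst are 'addr wildcard' (ProCurve style) or 'any'."""
    action: str                 # "permit" or "deny"
    proto: str                  # "tcp", "udp" or "ip" ("ip" matches any protocol)
    src: str
    dst: str
    dport: Optional[int] = None  # None = any destination port


def _match(spec: str, addr: str) -> bool:
    """Match addr against 'base wildcard'. A 1 bit in the wildcard means 'don't care'."""
    if spec == "any":
        return True
    base, wildcard = spec.split()
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    a = int(ipaddress.IPv4Address(addr))
    return (a & ~w & 0xFFFFFFFF) == (b & ~w & 0xFFFFFFFF)


def evaluate(acl, proto: str, src: str, dst: str, dport: Optional[int] = None) -> str:
    """First matching entry wins; falling off the end is the implicit deny."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not (_match(ace.src, src) and _match(ace.dst, dst)):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"


# Extended ACL "100" as posted (assumption 5: class B internal LAN, 172.16.0.0/16).
WAN = "192.168.5.254 0.0.0.0"  # router WAN address; all guest traffic is NATed to it
GUEST_ACL = [
    Ace("permit", "tcp", WAN, "172.16.0.2 0.0.0.0", 53),
    Ace("permit", "udp", WAN, "172.16.0.2 0.0.0.0", 53),
    Ace("deny",   "ip",  WAN, "172.16.0.0 0.0.255.255"),
    Ace("permit", "tcp", WAN, "any", 80),
    Ace("permit", "tcp", WAN, "any", 443),
]

# Constructed sample flows (made up for this example), as seen inbound on port 22.
FLOWS = {
    "dns_to_pdc":         ("udp", "192.168.5.254", "172.16.0.2",   53),
    "http_internet":      ("tcp", "192.168.5.254", "203.0.113.10", 80),
    "https_internet":     ("tcp", "192.168.5.254", "203.0.113.10", 443),
    "http_internal":      ("tcp", "192.168.5.254", "172.16.0.8",   80),
    "ssh_internet":       ("tcp", "192.168.5.254", "203.0.113.10", 22),
    "smb_internal":       ("tcp", "192.168.5.254", "172.16.0.2",   445),
    # a client whose traffic was NOT NATed (router in bridge mode, assumption 2b broken)
    "client_bypass_nat":  ("tcp", "192.168.6.10",  "203.0.113.10", 80),
    # a second internal range the "deny ip" line does not cover
    "http_other_rfc1918": ("tcp", "192.168.5.254", "10.0.2.50",    80),
}


def decisions(acl=GUEST_ACL) -> dict:
    """Map each sample flow name to the ACL's verdict."""
    return {name: evaluate(acl, *flow) for name, flow in FLOWS.items()}


def class_c_variant() -> str:
    """Assumption 5 with a /24 LAN: the deny wildcard becomes 0.0.0.255, so a host in
    172.16.1.0/24 (if one existed) would no longer be covered by the deny line."""
    acl = list(GUEST_ACL)
    acl[2] = Ace("deny", "ip", WAN, "172.16.0.0 0.0.0.255")
    return evaluate(acl, "tcp", "192.168.5.254", "172.16.1.10", 80)


if __name__ == "__main__":
    for name, verdict in decisions().items():
        print(f"{name:20s} {verdict}")
    print("class C variant, 172.16.1.10:80", class_c_variant())
```

Two results are worth reading carefully. `client_bypass_nat` is denied, which shows the whole rule set hangs on assumption 2b: the moment the wireless unit is run as a bridge instead of a NAT router, every guest client has its own address and the implicit deny drops all of it. `http_other_rfc1918` is permitted, which shows the "deny ip" line only protects 172.16.0.0/16; any other internal range reachable from the switch is open on 80 and 443 unless it gets its own deny line. The ACL is also inbound-only on port 22, so nothing here says anything about traffic from the internal LAN towards the guest router.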