Switches, Hubs, and Modems

routing of Guest vlan out to internet -- and NOT see corp Vlan

jeyer
Occasional Contributor


We are a full HP network, with over 50 various HP switches in 12 closets and a 5412zl at the core in the main server room, in a spoke/wheel setup. Closets bounce back to the core via trunked 2-10 gig. We have 9 VLANs and all is working great: one VoIP VLAN with QoS, one wireless N VLAN. All VLANs have their own DHCP server on a separated subnet. From the core it goes to several security DMZ appliances, then out to the net via a Cisco ASA. All is working great. Now the question: I want to create a wireless "guest" VLAN so clients can connect and pass out to the Internet, "not seeing anything at or on the core". Is there a routing command I can set up to say "this VLAN goes out to the net and cannot see or communicate with any other device on any other VLAN"? Currently all VLANs route from the 5412zl core, i.e. I don't want visitors to see our corp LAN. We thought of putting a SonicWall device in the DMZ and bouncing the VLAN to it, but when we do, we can still ping the back corp VLAN. Some advice please. Thanks.
Mohammed Faiz
Honored Contributor

Re: routing of Guest vlan out to internet -- and NOT see corp Vlan

Sounds like you just want to put an ACL on the guest VLAN.
You could either have an explicit 'deny' for any traffic to each of the non-guest VLANs (you might be able to summarise this into one line depending on how your address ranges are laid out) and then an 'allow all' for everything else.
You'd have to remember to add in each non-guest VLAN to the ACL when you created a new one.
Alternatively you could lock down the guest VLAN, i.e.

- allow dhcp to appropriate server
- allow dns
- allow http/https
- (implicit) deny everything else
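As an added illustration, not from the reply's author or from HP documentation, here is what the lock-down approach above could look like as an extended ACL on a ProVision-class switch such as the 5412zl, with the explicit denies of the corp address ranges from the first approach placed ahead of the service permits. Every value is a constructed placeholder: guest VLAN 50 on 192.168.50.0/24, DHCP server 10.10.1.5, corp space summarised as 10.0.0.0/8 and 192.168.0.0/16, and the ACL name "GUEST-IN". Lines beginning with ";" are annotations, not commands; check the exact ACE syntax against the ACL chapter of the switch's own Access Security Guide before applying it.

```text
; Constructed example: guest-VLAN ACL for an HP ProVision (5412zl-class) switch.
; Guest VLAN 50 = 192.168.50.0/24, DHCP server 10.10.1.5, corp address space
; summarised as 10.0.0.0/8 and 192.168.0.0/16 (placeholders, adjust to your ranges).
ip access-list extended "GUEST-IN"
   ; DHCP: a client that has no lease yet sends from 0.0.0.0 to the broadcast
   ; address, so match on the DHCP ports rather than on the guest subnet.
   10 permit udp any eq 68 any eq 67
   ; Explicit denies for corp space sit above the service permits, so a guest
   ; cannot reach an internal DNS or web server just because the port is allowed.
   20 deny ip 192.168.50.0 0.0.0.255 10.0.0.0 0.255.255.255 log
   30 deny ip 192.168.50.0 0.0.0.255 192.168.0.0 0.0.255.255 log
   ; Services guests may use towards the Internet.
   40 permit udp 192.168.50.0 0.0.0.255 any eq 53
   50 permit tcp 192.168.50.0 0.0.0.255 any eq 53
   60 permit tcp 192.168.50.0 0.0.0.255 any eq 80
   70 permit tcp 192.168.50.0 0.0.0.255 any eq 443
   ; The implicit deny would drop the rest anyway; stating it with "log" makes
   ; blocked attempts visible in the switch event log.
   80 deny ip any any log
   exit
; Apply the ACL inbound on the guest VLAN, i.e. on traffic arriving from guest
; clients before the core routes it anywhere.
vlan 50
   name "GUEST-WIFI"
   ip address 192.168.50.1 255.255.255.0
   ip helper-address 10.10.1.5
   ip access-group "GUEST-IN" in
   exit
```

The filter has to live on the 5412zl because that is where inter-VLAN routing happens; a firewall sitting in the DMZ only sees traffic the core has already decided to send towards the Internet, which is why the SonicWall experiment still let guests ping the corp VLAN. Two caveats: if guests are meant to use the corp DNS server, add a permit for UDP/TCP 53 to that one host above the deny lines; and remember that a routed ACL does not filter traffic switched within VLAN 50 itself, which is fine here since only guest clients live on it. Verify with a guest client that a lease is obtained, that a public site loads, and that a ping to a corp address fails and shows up as a logged deny.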