Comware Wireless / Unified Series

Re: Guest Wireless on HP 830

 
Painteddog
Senior Member

Guest Wireless on HP 830

I need some pointers or the place to go to help me set up an isolated guest wireless on the HP 830 Unified switch. I have the corporate wlan working just fine with our MSM430 APs and the clients grabbing their address from our internal DHCP server. But for the life of me, I'm unable to find docs on how to set up a guest wireless. I'd like this to be totally isolated where all they can do is internet. I'd also like it secured so any guests need to get the WEP key from us, just so we know who is on the network.

 

As far as our infrastructure, we have a "main" 5406 ProCurve with a default route to a Cisco ASA 5510 firewall. We do have available public IP addresses if I need to use one on the HP 830 to get this guest network. I've been searching the docs on how to get this done and I'm not getting very far. Should I have the 830 dole out the IP addresses for the guest network? I'm assuming it should be in a separate VLAN? It's not an overly large network, just 10 MSM430 APs around the building. Any direction would be appreciated, even a link to where I can find this. There seems to be a lot of info on the MSM controllers for guest networks, but not a lot for the 830 switch.

Michal Doležal
Frequent Advisor

Re: Guest Wireless on HP 830

I had to solve this last week. And it is relatively simple.

First, you must use central login and remote forwarding, but this is common in these scenarios.

Isolation can be done in different ways (for example by ACLs). But the easiest way is this:

 

wlan service-template 2 clear
 ssid Guest_SSID
 bind WLAN-ESS 1
 user-isolation enable
 client-rate-limit direction inbound mode dynamic cir 1024
 client-rate-limit direction outbound mode dynamic cir 1024
 

So this means that you can set up isolation internally in the service-template. I used it for easier setup: a normal template without encryption but with portal authentication. Also note that you can limit bandwidth per service-template, which is the same behavior as on MSM.

 

BUT user-isolation enable is functional only between wireless users; for isolating against the network you must use advanced (3000) ACLs. BUT another possible solution can be a separate L3 VLAN defined only on the WLAN controller and defined as pure L2 on the switch, without routing to other VLANs. On the switch there will be one port dedicated to the router going directly to the internet.

 

Or another way can be a NATted network. This must be done (in my opinion) by splitting the link-aggregation (BAGG1) between the controller and the switch. One connection will then be used for corporate clients, and the second link will be used as a NATted interface (outbound for guest clients), but I didn't test this.

Michal Dolezal, DiS.
System engineer
AVE BOHEMIA, s.r.o.
JesseR
Regular Advisor
Solution

Re: Guest Wireless on HP 830

Isolating your guest wireless on the Unified is fairly simple (though the documentation on HOW to do it is HORRIBLE).   You do NOT need a high end switch to do the ACLs for you, you can do it right on the controller.

 

 

Create an ACL...  for example..

#
acl number 3000
 description Block All Internal Networks Except Specific Server-Ports
 rule 10 permit tcp destination 172.20.0.14 0 destination-port eq www
 rule 15 permit tcp destination 172.20.0.14 0 destination-port eq 443
 rule 20 permit tcp destination 172.20.0.35 0 destination-port eq 443
 rule 25 permit udp destination 172.30.0.5 0 destination-port eq dns
 rule 30 deny ip destination 172.16.0.0 0.15.255.255

(This blocks traffic on the guest network (let's say the guest network is a 192.168.10.x/24) from accessing the entire Class-B network range which is used for your wired networks, with the exception of a few specific servers/services.)

 

Then apply that ACL using firewall rules to the SSID...

 

#
interface WLAN-ESS1
 port link-type hybrid
 undo port hybrid vlan 1
 port hybrid vlan 555 untagged
 port hybrid pvid vlan 555
 mac-vlan enable
 firewall packet-filter 3000 inbound
 firewall packet-filter 3000 outbound

 

 

I believe you need to be at least on firmware code P26 for this... ?

Hope that helps.

 

JR

 

 

Jesse R
Source One Technology, Inc.
HP Partner


MSM 5.7.x deployment guide:
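As an added example (not part of the original posts and not HP code), the following Python sketch evaluates ACL 3000 from the answer above in rule order with wildcard-mask matching, so you can check which guest flows it permits or denies before applying it. It models destination matching only, and it assumes that traffic matching no rule is forwarded; the sample flows are constructed.

```python
import ipaddress

# ACL 3000 from the post above: (rule id, action, protocol, destination,
# wildcard mask, destination port). A wildcard of "0" is a host match.
ACL_3000 = [
    (10, "permit", "tcp", "172.20.0.14", "0.0.0.0", 80),
    (15, "permit", "tcp", "172.20.0.14", "0.0.0.0", 443),
    (20, "permit", "tcp", "172.20.0.35", "0.0.0.0", 443),
    (25, "permit", "udp", "172.30.0.5", "0.0.0.0", 53),
    (30, "deny", "ip", "172.16.0.0", "0.15.255.255", None),
]

# Assumption: traffic matching no rule is forwarded (the posted ACL has no
# catch-all rule and guests are expected to reach the Internet).
DEFAULT_ACTION = "permit"

def ip(addr):
    return int(ipaddress.IPv4Address(addr))

def wildcard_match(addr, base, wildcard):
    """True if addr equals base on every bit where the wildcard bit is 0."""
    care = ~ip(wildcard) & 0xFFFFFFFF
    return (ip(addr) & care) == (ip(base) & care)

def evaluate(proto, dst, dport=None, acl=ACL_3000):
    """Return (action, rule id) of the first matching rule, lowest id first."""
    for rule_id, action, r_proto, base, wildcard, r_port in sorted(acl):
        if r_proto != "ip" and r_proto != proto:
            continue
        if r_port is not None and r_port != dport:
            continue
        if wildcard_match(dst, base, wildcard):
            return action, rule_id
    return DEFAULT_ACTION, None

def covered_range(base, wildcard):
    """First and last address covered by a contiguous wildcard mask."""
    lo = ip(base) & ~ip(wildcard) & 0xFFFFFFFF
    hi = lo | ip(wildcard)
    return str(ipaddress.IPv4Address(lo)), str(ipaddress.IPv4Address(hi))

if __name__ == "__main__":
    print("rule 30 covers", covered_range("172.16.0.0", "0.15.255.255"))
    # Constructed sample flows from a guest client.
    for flow in [("tcp", "172.20.0.14", 443), ("tcp", "172.20.0.14", 22),
                 ("udp", "172.30.0.5", 53), ("tcp", "10.1.1.1", 445),
                 ("tcp", "203.0.113.10", 443)]:
        print(flow, "->", evaluate(*flow))
```

Rule 30 covers 172.16.0.0 through 172.31.255.255 only, so internal destinations in 10.0.0.0/8 or 192.168.0.0/16 fall through to the default action and would need their own deny rules.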

Painteddog
Senior Member

Re: Guest Wireless on HP 830

I got it, thanks Jesse.  And yes, you are right, you need to be on the updated firmware to do your solution (specifically the firewall command).  Thanks for your help!  And yes, I agree, HP's documentation on how to do this is next to miserable.