Hi All,
We have some 2610 and 2626 switches that are used in boarding houses. The students plug in their BYODs such as laptops etc. and connect to the internet via a proxy that prompts them for a username and password.
The problem is the users are on the network regardless of connecting to the internet. We lock them down a bit by restricting MAC addresses, but how can we lock them down so they can only access the internet via the proxy?
Would I have to create a VLAN that only routes to the switch that has the proxy? If so, how do I stop VLAN hopping between switches?
Sorry I'm a complete noob to switching, I'm trying but not great.
Thanks
P.S. This thread has been moved from Switches, Hubs, Modems (Legacy ITRC forum) to ProCurve / ProVision-Based. -HP Forum Moderator
Is the problem that students can access the Internet without using the proxy?
Or is the issue that students can access internal resources that they shouldn't be able to?
Regards,
Pete
Hi,
Sorry, I didn't explain very well.
The problem is the kids can access resources on the network they shouldn't.
My main concern is that although we try and get the PCs in to virus check, they are often full of malware, and I worry that once they're connected they could introduce something onto the network.
Thanks
Ideally BYOD devices should be in an isolated VLAN with highly limited visibility of internal resources.
Question:
Are the students in the same VLAN as your internal systems?
Regards,
Pete
No, separate VLAN (everything has a separate VLAN here, around 50 or so).
The problem is the VLANs aren't bound by security as far as I can tell, i.e. I can access anything on the network regardless of the VLAN.
So I guess what I want help with is adding VLAN security, i.e.
if you are plugged into Switch A and on VLAN 10, then you can only access the proxy server on port 80.
Hi,
Sorted the issue. I've added the following ACLs:
ip access-list extended GuestACL
10 permit ip 192.168.241.0 0.0.0.255 192.168.250.20 0.0.0.0
15 permit ip 192.168.241.0 0.0.0.255 192.168.250.30 0.0.0.0
20 permit ip 192.168.241.0 0.0.0.255 10.0.0.10 0.0.0.0
25 permit ip 192.168.241.0 0.0.0.255 192.168.250.100 0.0.0.0
30 permit ip 192.168.241.0 0.0.0.255 10.0.0.254 0.0.0.0
31 permit ip 192.168.241.0 0.0.0.255 192.168.241.254 0.0.0.0
35 permit ip 192.168.241.254 0.0.0.0 0.0.0.0 255.255.255.255
50 deny ip 192.168.241.0 0.0.0.255 192.168.0.0 0.0.255.255
55 deny ip 192.168.241.0 0.0.0.255 10.0.0.0 0.255.255.255
57 deny ip 192.168.241.0 0.0.0.255 172.0.0.0 0.255.255.255
60 permit ip 192.168.241.0 0.0.0.255 0.0.0.0 255.255.255.255
VLAN 3241 ip access-group GuestACL in
Show Access-List GuestACL
So basically, the users can access the DHCP servers, firewall, proxy, their own range but nothing else.
Thanks all