11-05-2013 04:27 AM - edited 11-05-2013 04:28 AM
Guest Network
Hi guys,
hope you can help me with that, dare I say, simple topology.
What I want is to prevent users on VLAN 110 (guest users) from accessing VLAN20 (corporate VLAN) data. The whole purpose of a guest VLAN, right? :) But at this point I can access all the data, though I need to authenticate via an HTML form first (GMS software works great, btw).
Traffic from the guest VSC is NAT-ed via the MSM720, which has an IP address on VLAN20 (10.10.20.253), thus all guest traffic has a source of x.253, making it tricky to block, as the same MSM720 is the RADIUS client for the Employee VSC and requires communication with the NPS server on VLAN20.
I tried to use a custom firewall configuration on the MSM720 unit to prevent communication, with zero effect.
I would assume that an access list on the HP-2915 can prevent communication, but I really don't understand how to get traffic to be egressed to it. I have tried changing port 1 to trunk, again with zero effect.
Could someone assist me with that? Thank you in advance.
P.S.
This is a simplified version of the network topology, but it should give you an insight into how it is interconnected.
11-05-2013 07:06 AM
Re: Guest Network
It looks like you are using VLAN110 as the Ingress VLAN for VSC "Employee Access" and VLAN120 as Ingress for "Guest Access". Assuming that you have almost default settings in the VSC, the traffic for both VSCs will be egressed using the default network, which means through NAT on the Internet network. I would recommend using VLANs 110 and 120 as the Egress VLAN for each VSC; look at the configuration settings under the VSC.
Thanks,
Lmm
11-05-2013 08:14 AM - edited 11-05-2013 08:14 AM
Re: Guest Network
Thank you for your reply.
I assumed this is the case, because how otherwise would the downstream switch know on which VLAN the data arrives? But that's the thing: my VSC egress mappings are blank, without an option to select anything from the drop-down. I have tried everything I know to get something on that list. <Default> is the only option for me to choose.
VSC egress mapping
Traffic type Map to
Unauthenticated: <Default>
Authenticated: <Default>
Intercepted: <Default>
11-05-2013 11:24 AM
Re: Guest Network
The Ingress for each VSC should be the SSID. The client data tunnel should be enabled by default at each VSC, therefore traffic from each VSC will get into the controller. I think you are missing the IP interfaces for each VLAN. I see you have both VLANs tagged on the controller ports; add the IP interfaces and you should get the VLANs to use as egress in the VSC.