VLAN for Public Wifi

Tags:
HP ProCurve
HP ProCurve 4208VL
Routing and switching
VLAN
VLAN Setup
Wifi
Hi, I was hoping someone could help me out with my HP ProCurve 4208vl switch.  It's in a mostly default configuration: switch (default vlan) ip: 10.1.1.95 default gateway: 10.0.0.1 / 255.0.0.0. I would like to create a second VLAN for a Public Access WiFi.  I have a DHCP server running on one of the ports of the Default VALN.  My problem is.  I would like to use the last port on the switch for my public Wifi: F24.  I've created a second VLAN with ID 2 and *think* I've moved port F24 to from VLAN 1 to VLAN 2.  What I would like in the end is to have VLAN 2 use default gateway / router (10.0.0.1) and the DHCP server from the default VLAN.  Been playing around a while, but screwing up could be a 'hangin' offense for me.l  If anybody has a sample config I would be *greatly* appreciative.  Note:  Using a Access Point from Linksys with 4 SSID's.  I have configured SSID to go to default VLAN and second SSID to VLAN ID 2 on AP.  Thanks!

Software/Hardware used:
HP procure 4208vl, Linksys AP

Answer Wiki

Thanks. We'll let you know when a new response is added.

Hopefully, as you say, you have created the second VLAN using commands linke these

vlan 2
name “Public”
tagged F24
ip address a.b.c.d 255.255.255.0
exit

Where a.b.c.d is the subnet IP address for this router in the new VLAN. This will be the default gateway address for this VLAN.

This is tagged to the Access-point as you say you have already configured the vlans on that device, and vlan 2 is the public access SSID.

To pass the DHCP requests to the server in VLAN 1 you need to add the following commands

vlan 2
ip helper-address e.f.g.h
exit

Where e.f.g.h is the IP address of the DHCP server. This passes the DHCP request from the stations in VLAN2 to the DHCP server. Obviously you need to create a scope in the server for the Public subnet.

The other things you will need to do are to allow the new subnet to have Internet access in the configuration of the Internet router. This includes the NAT (address translation) and adding a route to the new subnet, via the Procurve.

You should also add an access list on the VLAN interface, to prevent the public network users having access to the private network.

Create the access list as follows

ip access-list extended 100
permit udp 0.0.0.0 255.255.255.255 eq 68 0.0.0.0 255.255.255.255 eq 67
deny ip 0.0.0.0 255.255.255.255 {vlan 1 subnet} {vlan 1 subnet mask}
permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit
vlan 2
access-group “100″ in
exit

This should allow the DHCP packets to the server (which this interface receives as a broadcast), but deny any other access to the private VLAN, and still allow any further traffic to the Internet. You may need to add more permit statements at the start of the access list, if you have a local DNS or any other systems that are needed by the users on the Public VLAN.

I think that should sort you out, or at least get you on the road to having this solution working.

————————————

Agreed – First restructuring your Subnets is a great idea, as it allows for more flexibility in configurations… the 255.0.0.0 mask you have is a bit much.

Discuss This Question: 1  Reply

 
There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when members answer or reply to this question.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
  • Ccie7335
    permit udp any any eq bootpc permit udp any any eq bootpc deny ip any 10.0.0.0 0.255.255.255 deny ip any 192.168.0.0 0.0.255.255 deny ip any 172.16.0.0 0.15.255.255 permit ip any any I added the private IP Space so that the public-wifi has no access to any internal networks. It also prevents them from using VPN.
    80 pointsBadges:
    report

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

To follow this tag...

There was an error processing your information. Please try again later.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Thanks! We'll email you when relevant content is added and updated.

Following