ProCurve, help with VLAN, ACL ! (Wired Networks thread, Technical forum)
  1. #1 FragglePete
    ProCurve, help with VLAN, ACL !

    Hi.
    Related to a post in a specific broadband consortium forum, so I apologise, but I need to get a broader audience on this one.

    I've set up a VLAN for BYOD devices on our network and this is working well with the new transparent proxy service that SWGfL are offering. Obviously I want these devices completely separated from the main network, hence on their own VLAN, and that's working nicely. The issue is that these devices need to access two servers on the main VLAN (E-Mail and VLE). I was going to be a bit lazy and just let them type in the normal external address of these servers, which then means traffic sort of goes out and comes back in again, but it doesn't work because of the DNS setup. The DNS servers I'm using are SWGfL servers, which resolve a request for our Frog server to the internal IP address, which makes sense as, even though it's internal on our network, it's on a range within SWGfL on our main VLAN - which of course the BYOD VLAN can't access. I should really set it up properly, because it makes sense, just I'm a little unsure on how to do it on the core switch as I believe it involves setting up an ACL.

    My understanding is that I need to allow this VLAN to access the other VLANs and then apply an ACL to only allow it access to these two IP addresses on the main VLAN.

    I would really appreciate help in the commands needed to configure the switch (with a little explanation) so I can understand it all a bit better. Hope the above makes sense?

    Much appreciated in advance, will give lots of Thanks !

    Pete

  2. #2 glennda

    Do you have management of the firewall? As it would be better to set up the rules on the gateway rather than the switches, IMHO.

  3. Thanks to glennda from:

    FragglePete (11th October 2012)

  4. #3 SYNACK

    Just have it all routable, but instead of deny any any you just need to add an exception for the two addresses before the deny, and maybe your local DNS so you can use the same mail.whatever.edu address to the IP addresses.

  5. Thanks to SYNACK from:

    FragglePete (11th October 2012)

  6. #4 FragglePete

    Quote, originally posted by glennda:
    Do you have management of the firewall? As it would be better to set up the rules on the gateway rather than the switches, IMHO.

    No management of the firewall, we're part of SWGfL. Swindon schools are a bit of an oddity with the setup as well, as the bearer goes to the LEA central hub and then is squirted out to schools via point-to-point Wi-Fi links. Don't really want things going out and back in across this anyway.

    Pete

  7. #5 FragglePete

    Quote, originally posted by SYNACK:
    Just have it all routable, but instead of deny any any you just need to add an exception for the two addresses before the deny, and maybe your local DNS so you can use the same mail.whatever.edu address to the IP addresses.

    Ok - but I need help putting that into practice.

    The BYOD VLAN is using the SWGfL DNS servers; I don't want them accessing the DNS servers of the main VLAN.

    Pete

  8. #6 glennda

    Quote, originally posted by FragglePete:
    No management of the firewall, we're part of SWGfL. Swindon schools are a bit of an oddity with the setup as well, as the bearer goes to the LEA central hub and then is squirted out to schools via point-to-point Wi-Fi links. Don't really want things going out and back in across this anyway.

    Pete

    Fair enough - then yes, you need to set up the ACLs. Let me look up the config and I'll post back. Just going into a meeting and then I'll look.

  9. Thanks to glennda from:

    FragglePete (11th October 2012)

  10. #7 SYNACK

    Quote, originally posted by FragglePete:
    Ok - but I need help putting that into practice.

    The BYOD VLAN is using the SWGfL DNS servers; I don't want them accessing the DNS servers of the main VLAN.

    Pete

    If you are not going to tamper with the DNS then you will end up needing to use different addresses/IPs for internal vs external access. Even if you just set up a simple isolated DNS server that just holds the records of what you need to override and refers up to the SW---- server. You can have it right on the BYOD VLAN and it will save you massive hassle in the long run; otherwise you are building a big pile of problems that you will have to deal with in the future if you have no control over the upstream DNS and don't want to bounce traffic.

  11. #8 FragglePete

    Quote, originally posted by SYNACK:
    If you are not going to tamper with the DNS then you will end up needing to use different addresses/IPs for internal vs external access. Even if you just set up a simple isolated DNS server that just holds the records of what you need to override and refers up to the SW---- server. You can have it right on the BYOD VLAN and it will save you massive hassle in the long run; otherwise you are building a big pile of problems that you will have to deal with in the future if you have no control over the upstream DNS and don't want to bounce traffic.

    Appreciated - but when connected to the BYOD network/VLAN, the IP address resolved for the VLE server is the address of the server on the main VLAN. I'm trying to keep it simple by not introducing additional boxes to do stuff like DNS, NAT or whatever. We're sitting the BYOD devices on our secondary range of IP addresses allocated to us that we've never used. I want to keep it simple by saying to the core switch: if a device wants to go to IP address X you'll find it over there on the other VLAN, but don't let them access anything else.

    Pete

  12. #9 SYNACK

    HP Procurve J9310A - 3 VLAN's with Access List: HP Procurve Access list, vlan acl

    I think the actual config commands are something like this; the ACLs look to be applied by VLAN name, and in this case the first one allows traffic for the local VLAN addresses. You'll want to look the commands up in the CLI though.

    ip access-list extended "PLATE"
    10 permit ip 172.20.20.0 0.0.1.255 172.20.20.0 0.0.1.255
    20 permit ip 172.20.20.0 0.0.1.255 192.168.3.249 0.0.0.0
    30 deny ip 172.20.20.0 0.0.1.255 10.0.0.0 0.255.255.255
    40 deny ip 172.20.20.0 0.0.1.255 172.16.0.0 0.15.255.255
    50 deny ip 172.20.20.0 0.0.1.255 192.168.0.0 0.0.255.255
    60 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
    exit

    vlan 192
    name "PRECISION"
    ip address 192.168.3.248 255.255.255.0
    tagged 23
    exit

    (Entry 40 as posted had the wildcard 0.0.15.255, which only covers 172.16.0.0/20; the whole 172.16.0.0/12 private block needs 0.15.255.255.)

    As to the simple bit, having a box to do this is in aid of making it more simple, and having to rewrite/mess with conflicting information is going to give you a headache. That said, you 'may' be able to use NAT to bastardise the VLE IP into the internal mail IP, but this is a rubbish solution as it stops you if you actually do want to use the VLE from the BYOD VLAN.

    The other solution is to get SW--- to fix their DNS so that stuff resolves the way you need it to.

  13. Thanks to SYNACK from:

    FragglePete (11th October 2012)
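An added offline check, not from the thread or the linked article, that evaluates the posted "PLATE" list with ProCurve first-match and wildcard-mask semantics against the thread's example addresses plus a constructed BYOD client (172.20.20.15), and compares the 0.0.15.255 wildcard on entry 40 (which covers only 172.16.0.0/20) with 0.15.255.255 (the whole 172.16.0.0/12 block).

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    # ProCurve/Cisco wildcard semantics: a 0 bit must match, a 1 bit is "don't care"
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def parse_acl(text):
    # Accepts the '<seq> permit|deny ip <src> <src-wc> <dst> <dst-wc>' lines of an
    # extended ACL; other lines (the access-list header, exit) are ignored
    rules = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) == 7 and parts[1] in ("permit", "deny") and parts[2] == "ip":
            seq, action, _, src, swc, dst, dwc = parts
            rules.append((int(seq), action, src, swc, dst, dwc))
    return sorted(rules)  # entries are evaluated in sequence-number order

def evaluate(rules, src, dst):
    # First matching entry wins; a packet matching no entry hits the implicit deny
    for seq, action, s, swc, d, dwc in rules:
        if wildcard_match(src, s, swc) and wildcard_match(dst, d, dwc):
            return action, seq
    return "deny", None

# Constructed copy of the posted "PLATE" list; the wildcard on entry 40 is left as
# a parameter so the posted mask can be compared with the corrected one
PLATE_TEMPLATE = """
10 permit ip 172.20.20.0 0.0.1.255 172.20.20.0 0.0.1.255
20 permit ip 172.20.20.0 0.0.1.255 192.168.3.249 0.0.0.0
30 deny ip 172.20.20.0 0.0.1.255 10.0.0.0 0.255.255.255
40 deny ip 172.20.20.0 0.0.1.255 172.16.0.0 {wc40}
50 deny ip 172.20.20.0 0.0.1.255 192.168.0.0 0.0.255.255
60 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
"""

def check_policy(wc40):
    # Flows a constructed BYOD client should and should not be able to start
    rules = parse_acl(PLATE_TEMPLATE.format(wc40=wc40))
    byod = "172.20.20.15"
    return {
        "to_vle": evaluate(rules, byod, "192.168.3.249")[0],      # the one permitted server
        "to_other_server": evaluate(rules, byod, "192.168.3.10")[0],
        "to_internet": evaluate(rules, byod, "203.0.113.5")[0],   # out via the upstream proxy
        "to_other_rfc1918": evaluate(rules, byod, "172.31.0.1")[0],
    }

if __name__ == "__main__":
    for wc in ("0.0.15.255", "0.15.255.255"):
        print(wc, check_policy(wc))
```

The list only takes effect once it is applied in the BYOD VLAN's context with `ip access-group "PLATE" in`, which the posted fragment does not show.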
