5th December 2011, 12:39 PM #1
HP 5406zl VLAN Setup Query
A few staff want to use their personal laptops to gain internet access in school. Our IP address range is 172.x.x.1 - 172.x.x.254 and the subnet mask is 255.255.255.0 and we have 2 x 5604zl switches.
How would I go about creating a VLAN so that when staff plug in their laptops they don't get any of our IP address range, or be able to see any of the network, but instead get a different IP address range with internet access only?
Can anyone help? I'm assuming a VLAN is needed for this.
5th December 2011, 12:58 PM #2
In order to be able to do it when they connect via wired Ethernet, I am guessing you'd probably need some form of NAC enforcement. To enable this for wireless access, you would provide an alternative SSID that is part of a VLAN.
5th December 2011, 01:33 PM #3
As plexer has mentioned a wireless provision with a separate SSID for personal laptops would be my preferred option (and easier if you had the correct kit of course) and is what we do ourselves.
With a hardwired route, unless you are going to allocate specific network points for the personal laptops, you would have to look into dynamic VLAN'ing, whereby the device is initially authenticated (by RADIUS/NAC) and then that port is assigned to a specific VLAN for connectivity. (I've not done this, fixed VLANs here.) This would also involve you configuring every other network switch accordingly (and assigning trunk ports - the ports that physically link each switch to one another). In turn you would have to create a DHCP scope based on your allocated IP address range, and also configure a DHCP IP Helper.
Alternatively, you may be able to use RADIUS/NAC to authenticate and (using ACL) only allow access to certain IP addresses (e.g. proxy server, internet gateway etc.)
Again, I’ve not used RADIUS/NAC, but I’m sure others have and will add to this.
5th December 2011, 01:52 PM #4
Currently we have no wireless infrastructure in place so we have to resort to the hard wired route. Understandably I will need to create a new DHCP scope for this but this won't be an issue. That said, staff will only want to use their laptops in 3 designated rooms - staff room, library and another room assigned to teachers for their PPA time.
Once I have figured out which network points they will use and what ports they connect to in the switch, I will just need to set up a VLAN. Can a RADIUS/ISA/NAC be avoided if VLAN is used or would they both need to be configured?
5th December 2011, 02:26 PM #5
Without NAC, what's to stop them just plugging their laptop into any old network point and getting access to your whole network and infecting it?
5th December 2011, 02:28 PM #6
If you have a VLAN then you can set up access lists to isolate that VLAN from the rest of the network, so you would not need RADIUS etc.
5th December 2011, 02:53 PM #7
I have NAC enabled on my current scope so that only school brought laptops and desktops have access to the network. I even have a list of all the MAC addresses in the 'allow' list. Anyways, my query is to get personal laptops on the network with internet access only.
Originally Posted by plexer
How would I go about instigating the whole set up of a VLAN? I can't find any guides that are simple to allow me to do this.
Originally Posted by maark
So far I have created a VLAN called "Guest" and then I just hit a brick wall.
5th December 2011, 03:10 PM #8
I used manuals from HP and searched on the EduGeek forums.
Basically you create the VLANs on your core switches (5604s) and create VLANs with the same number on the other connected switches.
Make sure the ports that connect switches (uplinks) are tagged to that VLAN on core and edge switches. Then on the ports you want to force on to that VLAN make them untagged. You have to configure the gateway of the VLAN on the core switch to match the gateway in DHCP - you also need to put an ip-helper address on the VLAN via a CLI command in telnet so that they can communicate with your DHCP server. When you can successfully get devices to pick up an IP address on the right scope and connect to the internet, then start thinking about access lists to restrict traffic.
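Added example, not part of the post above and not the config that was sent by PM: the steps it describes, sketched in HP ProCurve CLI form for one core and one edge switch. VLAN ID 50, the 192.168.50.0/24 guest range, the port names, the ACL name and `<dhcp-server-ip>` are assumptions or placeholders; `172.x.x.0` is the school range as elided in the thread.

```text
; ---- Core 5400zl (routes between VLANs) ----
; Assumed: guest VLAN 50, guest gateway 192.168.50.1, uplink to edge on A24,
; guest wall ports A1-A3. Lines starting with ';' are annotations only.
configure
ip routing
vlan 50
   name "Guest"
   ; uplink carries the guest VLAN as tagged frames alongside the school VLAN
   tagged A24
   ; designated guest ports: untagged members of VLAN 50 only
   untagged A1-A3
   ; must match the router/gateway option handed out by the guest DHCP scope
   ip address 192.168.50.1 255.255.255.0
   ; relay guest DHCP broadcasts to the existing DHCP server
   ip helper-address <dhcp-server-ip>
   exit

; ---- Add only after DHCP and internet access work from a guest port ----
ip access-list extended "GUEST-IN"
   ; DHCP discover/request and unicast lease renewals
   permit udp any eq 68 any eq 67
   ; block everything else addressed to the school range
   deny ip any 172.x.x.0 0.0.0.255
   ; remaining traffic (internet-bound) is allowed
   permit ip any any
   exit
vlan 50 ip access-group "GUEST-IN" in
write memory

; ---- Edge switch (layer 2 only, no IP address on the guest VLAN) ----
; Assumed: uplink to core on port 24, guest wall ports 5-7.
configure
vlan 50
   name "Guest"
   tagged 24
   untagged 5-7
   exit
write memory
```

If guests must use an internal DNS or proxy server in the school range, a specific permit for that host and port has to sit above the deny line, since the list is evaluated top down.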
5th December 2011, 03:42 PM #9
Maark, do you still have those manuals?
Can I have a look at your config report?
5th December 2011, 05:04 PM #10
I have sent you a pm with config - you can get manuals by searching on HP and looking for chapters on vlans
HP 5400 zl Switch Series - HP Business Support Center
6th December 2011, 02:28 PM #11
Hi Maark, I never got the PM re config