  1. #1


    HP 5406zl VLAN Setup Query

    A few staff want to use their personal laptops to gain internet access in school. Our IP address range is 172.x.x.1 - 172.x.x.254 and the subnet mask is 255.255.255.0 and we have 2 x 5604zl switches.

    How would I go about creating a VLAN so that when staff plug in their laptops they don't get any of our IP address range, or be able to see any of the network, but instead get a different IP address range with internet access only?

    Can anyone help? I'm assuming a VLAN is needed for this.

  2. #2

    plexer
    In order to be able to do it when they connect via wired Ethernet I am guessing you'd probably need some form of NAC enforcement; to enable this for wireless access you would then provide an alternative SSID that is part of a VLAN.

    Ben

  3. #3

    As plexer has mentioned a wireless provision with a separate SSID for personal laptops would be my preferred option (and easier if you had the correct kit of course) and is what we do ourselves.

    With a hardwired route, unless you are going to allocate specific network points for the personal laptops, you would have to look into dynamic VLAN'ing. Whereby the device is initially authenticated (by RADIUS/NAC) and then that port is assigned to a specific VLAN for connectivity. (I've not done this, fixed VLANs here). This would also involve you configuring every other network switch accordingly (and assigning trunk ports - the ports that physically link each switch to one another). In turn you would have to create a DHCP scope based on your allocated IP address range, and also configure a DHCP IP Helper.

    Alternatively, you may be able to use RADIUS/NAC to authenticate and (using ACL) only allow access to certain IP addresses (e.g. proxy server, internet gateway etc.)

    Again, I’ve not used RADIUS/NAC, but I’m sure others have and will add to this.

  4. #4

    Currently we have no wireless infrastructure in place so we have to resort to the hard wired route. Understandably I will need to create a new DHCP scope for this but this won't be an issue. That said, staff will only want to use their laptops in 3 designated rooms - staff room, library and another room assigned to teachers for their PPA time.

    Once I have figured out which network points they will use and what ports they connect to in the switch, I will just need to set up a VLAN. Can a RADIUS/ISA/NAC be avoided if VLAN is used or would they both need to be configured?

  5. #5

    plexer
    Without nac what's to stop them just plugging their laptop into any old network point and getting access to your whole network and infecting it?

    Ben

  6. #6
    maark
    If you have a VLAN then you can set up access lists to isolate that VLAN from the rest of the network, so you would not need RADIUS etc.

  7. #7

    Originally posted by plexer:
    Without nac what's to stop them just plugging their laptop into any old network point and getting access to your whole network and infecting it?

    Ben
    I have NAC enabled on my current scope so that only school brought laptops and desktops have access to the network. I even have a list of all the MAC addresses in the 'allow' list. Anyways, my query is to get personal laptops on the network with internet access only.



    Originally posted by maark:
    If you have a VLAN then you can set up access lists to isolate that VLAN from the rest of the network, so you would not need RADIUS etc.
    How would I go about instigating the whole set up of a VLAN? I can't find any guides that are simple to allow me to do this.

    So far I have created a VLAN called "Guest" and then I just hit a brick wall.

  8. #8
    maark
    I used manuals from HP and searched on the edugeek forums.
    Basically you create the VLANs on your core switches (5604s) and create VLANs with the same number on other connected switches.
    Make sure the ports that connect switches (uplinks) are tagged to that VLAN on core and edge switches. Then on the ports you want to force on to that VLAN make them untagged. You have to configure the gateway of the VLAN on the core switch to match the gateway in DHCP - you also need to put an ip-helper address on the VLAN via a CLI command in telnet so that they can communicate with your DHCP server. When you can successfully get devices to pick up an IP address on the right scope and connect to the internet, then start thinking about access lists to restrict traffic.
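
    The steps in the post above, written out as a ProCurve CLI sketch. This is an added example, not maark's config or anything posted in the thread. VLAN ID 50, the 192.168.50.0/24 guest subnet and the ACL name are constructed values, and the names in angle brackets are placeholders for site-specific addresses and ports that the thread does not give.

```procurve
; Added example. Lines starting with ";" are comments.
; Constructed values: VLAN 50, guest subnet 192.168.50.0/24, ACL "GUEST-IN".
; Placeholders to fill in: <SCHOOL-NET>, <DHCP-SERVER>, <DNS-SERVER>,
; <UPLINK-PORTS>, <GUEST-PORTS>.

; ---- Core switch ----
; Assumption: the core switch routes between the guest VLAN and the rest.
ip routing

; Order matters: DHCP and DNS are permitted first, then the whole school
; range is denied, then everything else (internet) is allowed.
ip access-list extended "GUEST-IN"
   10 permit udp any any eq 67
   20 permit udp any host <DNS-SERVER> eq 53
   30 permit tcp any host <DNS-SERVER> eq 53
   40 deny ip any <SCHOOL-NET> 0.0.0.255
   50 permit ip any any
   exit

vlan 50
   name "Guest"
   ; uplinks to the edge switches carry the VLAN tagged
   tagged <UPLINK-PORTS>
   ; this address must match the gateway handed out by the guest DHCP scope
   ip address 192.168.50.1 255.255.255.0
   ; relay guest DHCP requests to the existing DHCP server
   ip helper-address <DHCP-SERVER>
   ; filter routed traffic entering from the guest VLAN
   ip access-group "GUEST-IN" in
   exit

; ---- Each edge switch between the core and the guest rooms ----
vlan 50
   name "Guest"
   ; same VLAN ID, tagged on the uplink back to the core
   tagged <UPLINK-PORTS>
   ; wall ports in the designated rooms, untagged so laptops need no setup
   untagged <GUEST-PORTS>
   exit
```

    As the post suggests, leave the `ip access-group` line out until guests are getting an address from the right scope, then add it. If internet access goes through a proxy inside the school range, that host needs its own permit entry above line 40.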

  9. #9

    Maark, do you still have those manuals?

    Can I have a look at your config report?

  10. #10
    maark
    I have sent you a pm with config - you can get manuals by searching on HP and looking for chapters on vlans
    HP 5400 zl Switch Series - HP Business Support Center

  11. #11

    Hi Maark, I never got the PM re config
