Securing a New Wireless Setup!!!

[Domino]

so what you'll need is a static route from the VLAN to the netpilots address. I'm not familiar with the particular hardware so can't really tell you exactly how to do it

[keithu]

Athlona - we're running HP Procurves here and I'm happy to help you out, but you'll have to give more information about your current setup. Switch config and IP addresses at least.

[Athlona]

Hi

HP ProCurve 5406:-
5406.jpg

Netpilot:-
Netpilot.jpg

Hope this is enough?

[keithu]

That's good, but we also need the actual running config. If you click on the 'Diagnostics' tab on that first screen, then on the 'Configuration' button you should see it.

[Athlona]

Hi keithu

Please could you tell me which area of configuration you would like a screen grab off???

5406b.jpg

[keithu]

In that screenshot you're on the 'Configuration' tab (top of the screen). You need to click on the 'Diagnostics' tab, which is two tabs to the right. On the screen that comes up press the 'Configuration Report' button. The text which appears in the window is what we want, but it might be a bit long for a screenshot so you may have to copy and paste it.

It looks like this:

Running configuration:

; J4819A Configuration Editor; Created on release #E.10.02

hostname "Server Room - ProCurve 5308xl"
snmp-server location "A55"
max-vlans 40
connection-rate-filter sensitivity aggressive
mirror-port E14
module 1 type J4878B
module 4 type J4907A
module 2 type J4907A
module 3 type J4878B
module 5 type J4907A
module 7 type J4878B
blah, blah, blah.....

[Athlona]

Here it is:

Running configuration:

; J8697A Configuration Editor; Created on release #K.11.63

hostname "ProCurve Switch 5406zl"
snmp-server location "CORE Switch"
module 1 type J8702A
module 2 type J8702A
module 3 type J8705A
trunk C21-C22 Trk30 LACP
ip default-gateway 10.45.224.2
snmp-server community "public" Unrestricted
snmp-server host 10.45.224.231 "public"
vlan 1
name "DEFAULT_VLAN"
untagged A1-A24,B1-B24,C1-C20,C23-C24,Trk30
ip address 10.45.224.41 255.255.240.0
exit
vlan 50
name "VLAN50"
ip address 10.45.250.1 255.255.240.0
tagged A12
exit
spanning-tree Trk30 priority 4
password operator

[keithu]

That looks okay, but a couple of things jump out at me:

In VLAN50 you've defined the gateway address as 10.45.250.1 which is in the middle of the subnet. I would put it at 10.45.240.1 which is the first address. VLAN1 is similar too, but you may have your own reasons for that. It will still work as it is of course.

If you're testing with a laptop plugged into port A12 you'll probably want to set that port as untagged for now.

It looks like your main problem is defining a route between the laptop/access point and your proxy. On the laptop you need to make sure that its IP address is within the VLAN50 address range and its gateway address is 10.45.250.1 (or 10.45.240.1 if you change it). On the proxy you need to define a route to the VLAN50 subnet. Unfortunately I don't know anything about this proxy. Does it run on windows? Have you got admin access?

[Athlona]

Hi keithu many thanks for all your help, I have phoned our LA how are going to setup that static route to the proxy - vlan50...

Thanks Again

[keithu]

You're welcome

One thing you haven't mentioned is dhcp. If you want clients on vlan50 to use an existing dhcp server on vlan1 you'll have to define an 'ip helper'. To do that you log in to your switch and type the following at the command prompt:

config
vlan 50
ip helper-address <dhcp server address>
exit
wr mem


You'll then have to define a new dhcp scope for the vlan50 subnet on your existing dhcp server and add a static route from the dhcp server to vlan50.

[Athlona]

I have created a 2nd Scope on IP 10.45.250.0 but like you have pointed out its labeled as 10.45.240.0 strange!!! I will re-do it to the 10.45.240.0... Or i am better doing the ip helper...??? As it sounds like a better idea to me...

[keithu]

You have to define an ip-helper as well, otherwise the dhcp request packets from vlan50 will never reach your dhcp server. Don't forget to add a static route to the dhcp server too.