AdminAMT asked:

HP Procurve Switch configuration

Hello everyone.

I have a question concerning a setup I am trying to put together. We currently have freelance consultants who often come into the office with non-company laptops and would like internet access. We do not believe in letting rogue machines access our LAN without a scan of the machine (antivirus, spyware, etc.). This is often time and resource consuming, so what we would like to do is install a dedicated switch that these people could plug into and that would allow internet access only, without seeing the rest of our LAN and resources.

Our network is and our clients hit an ISA proxy before going out a PIX firewall. I would basically want the switch to communicate directly to the PIX to allow HTTP traffic out.

Currently all traffic is routed to (head switch) then to the ISA ( and out the PIX (

How can I configure this switch to basically forward internet traffic to our PIX?

I don't know where to start or if this is even feasible; I am a newb at this.

Any help would be greatly appreciated.

Feel free to respond with any information you need that I may have not included.

Thank you in advance.
Nuno Martins

In this situation you should use VLANs.
If you want to strengthen your solution you can also add ACLs to your VLAN.
AdminAMT

Thanks for the comments.

I am not comfortable using the command line, so I am using the web interface. Would I basically assign the switch an IP, and give it the default gateway of the PIX? I imagine on the PIX, I would then just have to allow all HTTP traffic coming from that switch to pass.
Keith Alabaster

Hey Adam.

Depends on how far you want to go and how complicated you want it to be.

At one end of the scale, you may want to consider simply installing a broadband connection and a wireless router. This way the consultants do not even have to touch your network. Maybe putting a PC or two on there also for staff to use at lunchtimes would earn you some brownie points with colleagues, and you do not have to mess with your network at all.

Sounds like you have ISA in as a proxy only rather than a proxy/firewall, so unfortunately you cannot just add an additional NIC and blank them off that way.

You do not state the type of router/switch you have, so I cannot comment on VLAN/802.1Q options.

The HP ProCurve switch must be at layer 3 to support VLAN configuration.
About the gateway: yes, you should define the PIX as the gateway.


Any chance you can put up what switch you are using, or more infrastructure details? As already commented on, there are variations in what can be suggested depending on what your infrastructure is. I implemented something similar a couple of months back to allow visiting 3rd parties access to the internet without being able to route to any other VLAN on our network, and used a combination of ProCurve Identity Driven Manager and ACLs at the DG for the "Guest" VLAN.

I don't know much about PIX, but does it support 802.1Q tagging on its LAN side interface that would allow you to trunk multiple VLANs into it?
DHCP: You can have different scopes running for different VLANs, using the ip helper-address command on the switch.
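
Added example, not written by anyone in this thread: a small first-match ACL evaluator for checking a guest VLAN rule set of the kind suggested above (VLAN plus ACLs, with DHCP relayed to a server on the internal LAN) before it goes on a switch. All subnets, addresses and rule names are constructed placeholders; the thread does not give the real ones.

```python
import ipaddress
from typing import NamedTuple, Optional

# Constructed addressing for illustration only (assumptions, not from the thread).
GUEST = "192.168.99.0/24"      # guest VLAN subnet
INTERNAL = "10.0.0.0/8"        # corporate LAN
DHCP_SERVER = "10.0.0.10/32"   # DHCP server reached through the relay

class Rule(NamedTuple):
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp" or "ip" (any protocol)
    src: str
    dst: str
    dport: Optional[int] = None  # None matches any destination port

# Inbound ACL for the guest VLAN: top-down, first match wins, implicit deny last.
GUEST_ACL = [
    Rule("permit", "udp", "0.0.0.0/0", "255.255.255.255/32", 67),  # DHCP discover
    Rule("permit", "udp", GUEST, DHCP_SERVER, 67),                 # DHCP renew
    Rule("deny", "ip", GUEST, INTERNAL),                           # block the LAN
    Rule("permit", "tcp", GUEST, "0.0.0.0/0", 80),                 # HTTP out only
]
# Same rules in a broken order: the HTTP permit now precedes the LAN deny.
MISORDERED = [GUEST_ACL[3], GUEST_ACL[2], GUEST_ACL[0], GUEST_ACL[1]]

def evaluate(acl, proto, src, dst, dport=None):
    """Return the action of the first matching rule, or the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in acl:
        if r.proto not in ("ip", proto):
            continue
        if s not in ipaddress.ip_network(r.src) or d not in ipaddress.ip_network(r.dst):
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action
    return "deny"

CHECKS = [  # (description, proto, src, dst, dport, expected), all constructed
    ("DHCP discover", "udp", "0.0.0.0", "255.255.255.255", 67, "permit"),
    ("DHCP renew to server", "udp", "192.168.99.20", "10.0.0.10", 67, "permit"),
    ("guest to file server SMB", "tcp", "192.168.99.20", "10.0.5.5", 445, "deny"),
    ("guest to internal web app", "tcp", "192.168.99.20", "10.0.5.5", 80, "deny"),
    ("guest to internet HTTP", "tcp", "192.168.99.20", "203.0.113.10", 80, "permit"),
    ("guest to internet SSH", "tcp", "192.168.99.20", "203.0.113.10", 22, "deny"),
]

def audit(acl):
    """Return the descriptions of checks whose result differs from the policy."""
    return [c[0] for c in CHECKS if evaluate(acl, *c[1:5]) != c[5]]

if __name__ == "__main__":
    print("intended order:", audit(GUEST_ACL) or "all checks pass")
    print("misordered:", audit(MISORDERED))
```

The misordered list fails two checks: guests can reach internal web servers on port 80, and DHCP renewals to the internal server are dropped.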