We help IT Professionals succeed at work.

ProCurve 2920 Config

Hello All,
Wondering if I can get a little help on a config.  2 HP ProCurve switches that will be serving as an access layer switch and providing routing for a medium sized network.

Net will consist of 3 VLAN's - wired LAN, Private Wireless & Guest Wireless. AP's are SonicWALL ACe controlled by an SonicWALL NSA 2600.

I have pasted the config I have so far the problem I am having is creating the Guest Wireless VLAN.  Maybe its just late and I am having a weak moment but I am drawing a blank here. Thank you in advance to anyone that reads this and offers comments.

Running configuration:

; J9729A Configuration Editor; Created on release #WB.15.12.0015
; Ver #05:18.41.ff.35.0d:9b

hostname "........"
module 1 type j9729a
trunk 45-48 trk1 trunk
timesync sntp
sntp unicast
sntp server priority 1 216.152.240.220
time timezone -300
ip default-gateway 192.168.0.240
ip routing
snmp-server community "........." unrestricted
snmp-server contact ".............."
oobm
   ip address dhcp-bootp
   exit
router rip
   redistribute connected
   enable
   exit
vlan 1
   name "LAN"
   no untagged 13-17
   untagged 1-12,18-44,A1-A2,B1-B2,Trk1
   ip address 192.168.0.2 255.255.255.0
   exit
vlan 10
   name "Wireless"
   untagged 13-17
   tagged 1
   ip address 172.16.10.2 255.255.255.0
   exit
spanning-tree Trk1 priority 4
no tftp server
no dhcp config-file-update
password manager
Comment
Watch Question

Don JohnstonInstructor
Top Expert 2015

Commented:
Can you elaborate on what the problem is?
Karsten JohnsonIT Systems Administrator

Author

Commented:
I am not sure how to create the 3rd VLAN and make sure it routes only to the WAN and cannot access the private networks.  I mean I know how to create the 3rd VLAN but how to tag the correct ports 13-17 on the new VLAN. Basically I have a base config to allow 2 VLANs (Private LAN and Wireless) its the guest network that is messing with me here.. Does that make sense? I am sure I am just over thinking this..
Instructor
Top Expert 2015
Commented:
This should give you an idea.  

VLAN 20
IP address 192.168.20.1 255.255.255.0
name "Guest-Wireless"
untagged 20-30
tagged 1

Open in new window


This will have hosts on ports 20-30 and tag it on port 1.

Test this first. Then when you're sure it's working, add in the ACL to block traffic to the other VLANs.

ip access-list extended block-guest
 deny ip any  172.16.10.0 0.0.0.255
 deny ip any 192.168.0.0 0.0.0.255
 permit ip any any

vlan 20
 access-group block-guest in

Open in new window

Top Expert 2014
Commented:
Just create the VLAN at the switch, tag it up to the Sonicwall on a new interface and configure the IP address for the Guest VLAN there.  There's no requirement for the Guest traffic to route across the network, so don't put an IP address on the switch.

Don's way will work too, but IMO it's less secure.