We help IT Professionals succeed at work.

ProCurve 2920 Config

Hello All,
Wondering if I can get a little help on a config.  2 HP ProCurve switches that will be serving as an access layer switch and providing routing for a medium sized network.

Net will consist of 3 VLAN's - wired LAN, Private Wireless & Guest Wireless. AP's are SonicWALL ACe controlled by an SonicWALL NSA 2600.

I have pasted the config I have so far the problem I am having is creating the Guest Wireless VLAN.  Maybe its just late and I am having a weak moment but I am drawing a blank here. Thank you in advance to anyone that reads this and offers comments.

Running configuration:

; J9729A Configuration Editor; Created on release #WB.15.12.0015
; Ver #05:18.41.ff.35.0d:9b

hostname "........"
module 1 type j9729a
trunk 45-48 trk1 trunk
timesync sntp
sntp unicast
sntp server priority 1
time timezone -300
ip default-gateway
ip routing
snmp-server community "........." unrestricted
snmp-server contact ".............."
   ip address dhcp-bootp
router rip
   redistribute connected
vlan 1
   name "LAN"
   no untagged 13-17
   untagged 1-12,18-44,A1-A2,B1-B2,Trk1
   ip address
vlan 10
   name "Wireless"
   untagged 13-17
   tagged 1
   ip address
spanning-tree Trk1 priority 4
no tftp server
no dhcp config-file-update
password manager
Watch Question

Don JohnstonInstructor
Top Expert 2015

Can you elaborate on what the problem is?
Karsten JohnsonIT Systems Administrator


I am not sure how to create the 3rd VLAN and make sure it routes only to the WAN and cannot access the private networks.  I mean I know how to create the 3rd VLAN but how to tag the correct ports 13-17 on the new VLAN. Basically I have a base config to allow 2 VLANs (Private LAN and Wireless) its the guest network that is messing with me here.. Does that make sense? I am sure I am just over thinking this..
Top Expert 2015
This should give you an idea.  

IP address
name "Guest-Wireless"
untagged 20-30
tagged 1

Open in new window

This will have hosts on ports 20-30 and tag it on port 1.

Test this first. Then when you're sure it's working, add in the ACL to block traffic to the other VLANs.

ip access-list extended block-guest
 deny ip any
 deny ip any
 permit ip any any

vlan 20
 access-group block-guest in

Open in new window

Top Expert 2014
Just create the VLAN at the switch, tag it up to the Sonicwall on a new interface and configure the IP address for the Guest VLAN there.  There's no requirement for the Guest traffic to route across the network, so don't put an IP address on the switch.

Don's way will work too, but IMO it's less secure.