How do I use the custom filters on a WAP, MAP, MSM 310, 320, 325?

AskProCurve Article
Title:
HP ProCurve / Colubris - How do I use the custom filters on a WAP, MAP, MSM 310, 320, 325?
Available Part Numbers:
JJ9356A HP E-MSM335 Access Point (US),J9356B HP E-MSM335 Access Point (US),J9357A HP E-MSM335 Access Point (WW),J9357B HP E-MSM335 Access Point (WW),J9358A HP E-MSM422 Access Point (US),J9358B HP E-MSM422 Access Point (US),J9359A HP E-MSM422 Access Point (WW),J9359B HP E-MSM422 Access Point (WW),J9360A HP E-MSM320 Access Point (US),J9360B HP E-MSM320 Access Point (US),J9364A HP E-MSM320 Access Point (WW),J9364B HP E-MSM320 Access Point (WW),J9365A HP E-MSM320-R Access Point (US),J9365B HP E-MSM320-R Access Point (US),J9368A HP E-MSM320-R Access Point (WW),J9368B HP E-MSM320-R Access Point (WW),J9369A HP E-MSM325 Access Point (US),J9369B HP E-MSM325 Access Point (US),J9373A HP E-MSM325 Access Point (WW),J9373B HP E-MSM325 Access Point (WW),J9374A HP E-MSM310 Access Point (US),J9374B HP E-MSM310 Access Point (US),J9379A HP E-MSM310 Access Point (WW),J9379B HP E-MSM310 Access Point (WW),J9380A HP E-MSM310-R Access Point (US),J9380B HP E-MSM310-R Access Point (US),J9383A HP E-MSM310-R Access Point (WW),J9383B HP E-MSM310-R Access Point (WW),J9385A HP E-M110 Access Point (US),J9385B HP E-M110 Access Point (US),J9388A HP E-M110 Access Point (WW),J9388B HP E-M110 Access Point (WW),J9392A HP MAP-320 Alstom Access Point,J9426A HP E-MSM410 Access Point (US),J9426B HP E-MSM410 Access Point (US),J9427A HP E-MSM410 Access Point (WW),J9427B HP E-MSM410 Access Point (WW),J9524A HP E-MSM310 Access Point (JP),J9524B HP E-MSM310 Access Point (JP),J9527A HP E-MSM320 Access Point (JP),J9527B HP E-MSM320 Access Point (JP),J9528A HP E-MSM320-R Access Point (JP),J9528B HP E-MSM320-R Access Point (JP),J9529A HP E-MSM410 Access Point (JP),J9530A HP E-MSM422 Access Point (JP),J9530B HP E-MSM422 Access Point (JP),J9616A HP E-MSM410 Single Radio 802.11n AP (IL)
Issue Description:
The HP ProCurve / Colubris WAP200s, MAP320s, MAP330s, MSM310, MSM320 and MSM325 can create customized wireless filters that let you tailor what can be sent and received over the wireless interface.
NOTE: The custom filters are based on the TCPDUMP filter syntax. A good understanding of TCPDUMP is recommended before changing the default filter set.
Solution:
This example shows how a MAP in a corporate environment can provide guest access to the Internet only. In this example scenario, you have:
- A corporate network subnet of 10.10.10.0
- A DHCP server and DNS server
- An Internet gateway/router.
- WPA-PSK for guest users
- You're installing HP ProCurve/Colubris APs only and no Access Controller or RADIUS server.
- You want to create a VSC on your AP to provide guest users with access only to the Internet, using WPA with a pre-shared key.
- You do not want them having any access to the corporate 10.10.10.0 network, not even pings.
- The guest users will use the corporate DHCP and DNS services.
Log into the AP Admin Web and go to the first VSC profile. In the Wireless Security Filter section, select the Custom radio button. Clear the Inbound and Outbound fields and enter the following filter strings (omit the words "Inbound filter:" and "Outbound filter:"):
Inbound filter: (port 67) or (port 53) or arp or ether dst %g or (icmp and not dst net 10.10.10) or ether proto 0x888E
Outbound filter: (port 68) or (port 53) or arp or ether src %g or (icmp and not src net 10.10.10) or ether proto 0x888E
Let's review what each element does:
(port 67), (port 68) - These are the elements that permit DHCP requests and responses to pass.
(port 53) - This is the element that lets DNS requests and responses pass.
arp - This element is needed in conjunction with DNS requests. If this is missing, then DNS will not work.
ether dst %g - This element uses the MAC address of the configured default gateway, whether the gateway is learned through DHCP or configured statically. It is this element that permits access to the Internet.
(icmp and not src net 10.10.10) - This compound element is used to prevent ICMP requests/responses from getting through on the 10.10.10.0 subnet only. Pings to the Internet will continue to work.
ether proto 0x888E - This element will permit EAP traffic to pass. This is needed for negotiating WPA-RADIUS or WPA-PSK. WEP is not affected and will work.
Inbound - This means packets that are going TO the MAP.
Outbound - This means packets that are coming FROM the MAP.
and - This means that both elements (A and B) must be true.
or - This means that either element (A or B) must be true.
not - This means the expression (not A) is true when the packet does not match element A.
Please refer to the tcpdump online man page for more information.
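The inbound filter above, modelled as an added example (not HP's code): each clause is a Python predicate evaluated against constructed frames, showing which clause admits a frame or that the frame is dropped. The MAC addresses and the 192.0.2.10 Internet address are constructed values, and GATEWAY_MAC stands in for the %g placeholder.

```python
# Model of the article's inbound filter (wireless client -> AP); all frames are constructed.
import ipaddress

GATEWAY_MAC = "00:00:5e:00:53:01"                  # constructed value for %g
CORP_NET = ipaddress.ip_network("10.10.10.0/24")   # "net 10.10.10"

def _has_port(f, port):
    # pcap "port N" matches the source OR destination port of TCP/UDP.
    return f.get("l4") in ("tcp", "udp") and port in (f.get("sport"), f.get("dport"))

def _icmp_outside_corp(f):
    return f.get("l4") == "icmp" and ipaddress.ip_address(f["ip_dst"]) not in CORP_NET

# Clauses in the order they appear in the inbound filter string.
INBOUND = [
    ("(port 67)", lambda f: _has_port(f, 67)),
    ("(port 53)", lambda f: _has_port(f, 53)),
    ("arp", lambda f: f["ethertype"] == 0x0806),
    ("ether dst %g", lambda f: f["eth_dst"] == GATEWAY_MAC),
    ("(icmp and not dst net 10.10.10)", _icmp_outside_corp),
    ("ether proto 0x888E", lambda f: f["ethertype"] == 0x888E),
]

def first_match(frame):
    """Return the first clause the frame satisfies, or None if it is dropped."""
    for text, pred in INBOUND:
        if pred(frame):
            return text
    return None

def ip_frame(eth_dst, ip_dst, l4, sport=None, dport=None):
    return {"ethertype": 0x0800, "eth_dst": eth_dst, "ip_dst": ip_dst,
            "l4": l4, "sport": sport, "dport": dport}

CORP_HOST_MAC = "00:00:5e:00:53:20"   # constructed corporate host MAC
SAMPLES = {
    "DHCP discover": ip_frame("ff:ff:ff:ff:ff:ff", "255.255.255.255", "udp", 68, 67),
    "DNS query": ip_frame(CORP_HOST_MAC, "10.10.10.2", "udp", 40000, 53),
    "ARP request": {"ethertype": 0x0806, "eth_dst": "ff:ff:ff:ff:ff:ff"},
    "EAPOL key frame": {"ethertype": 0x888E, "eth_dst": "00:00:5e:00:53:aa"},
    "HTTPS to Internet": ip_frame(GATEWAY_MAC, "192.0.2.10", "tcp", 40001, 443),
    "Ping to Internet": ip_frame(GATEWAY_MAC, "192.0.2.10", "icmp"),
    "Ping to corp host": ip_frame(CORP_HOST_MAC, "10.10.10.5", "icmp"),
    "SMB to corp host": ip_frame(CORP_HOST_MAC, "10.10.10.5", "tcp", 40002, 445),
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print(f"{name:18} -> {first_match(frame) or 'DROPPED'}")
```

Running the same sample traffic through a test VSC after any change to the filter strings confirms that the device behaves the way the model predicts.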
Modified Date:
2010-10-22
