
Re: MSM 765zl Configuration

 
anthonymel_1
Advisor

MSM 765zl Configuration

Planning on setting up a team of these and I need some help with what I should do for the Guest WLAN.

Right now I am placing the controller and APs on my internal network (VLAN 1) which is 10.1.x.x. I created VLAN 3 for guest wireless traffic for subnet 192.168.3.x. My switch is set up with an IP helper address on VLAN 3 and all works well when a client connects to a VLAN 3 port via the wired network.

So for my Guest VSC:
Authentication: Enabled
Security: HTTP Web Based User Log in
Access Control: Enabled
Client Client Data: Enabled
Egress Port: VLAN 3
DHCP Relay: Enabled
DHCP Relay Egress Port: VLAN 3

Does this make sense? I want the guest traffic to get out to the VLAN 3 network and then get an IP address from my internal DHCP server. After that I want the client on the Guest WLAN to be redirected to an HTTP login page.

The LAN port on the controller would be untagged 10.1.1.1 and VLAN 3 would be tagged via the LAN port with no IP. Should I do anything with the Internet port?

Please help!

 

 

P.S. This thread has been moved from Communications, Wireless (Legacy ITRC forum) to MSM Series.
-HP Forum Moderator

12 REPLIES 12
cenk sasmaztin
Honored Contributor

Re: MSM 765zl Configuration

good idea but impossible

because you want html authentication

welcome page on controller lan port from to guest user, therefore you must use lan port untagged state on vlan 3 (guest vlan) and all guest user default gateway address must have controller lan port

my solution
lan port connect guest network on untagged state switch port, all guest user connect (guest vsc) directly guest network with default group vsc binding for vlan 3
vlan 3 dhcp server must be on msm controller

all access point login to controller on internet port on different vlan for example vlan 2, vlan 2 dhcp services corporate dhcp server all access point ip address take corporate dhcp server for controller connection, all corporate user connect different vsc to different vlan with default group vsc binding.

very easy
only necessary you to understand device deployment architecture







cenk

anthonymel_1
Advisor

Re: MSM 765zl Configuration

Thanks for your help but your English is very broken.

Also, this configuration will have two MSM765zl in a team. When in a team you cannot use them as DHCP servers.

And from what I can understand from your reply, is to create an untagged VLAN 3 using the LAN port. What I don't understand that since this is a module in a 5412zl how do I leave it untagged or tagged for that matter?

Anyone else with a suggestion?
Kyle Massey
Advisor
Solution

Re: MSM 765zl Configuration

Since the guest traffic is tunnelled to the controller from the AP, and is not tagged at the AP, you will have to control the traffic at the MSM controller backplane ports. There is one for your Internet port (F1 if it is in module F) and one for the LAN port (F2). You will tag these ports for whatever VLANs you want to send your guest traffic to.

Typically I would set up the guest traffic to route out the Internet port directly to a reserved port on your firewall. Set up a subnet and assign a .1 to the Internet port and a .254 to your firewall. You can provide DHCP via a DHCP relay to your firewall or to an internal DHCP server. Use the "Extend Internet Port subnet to LAN port" to alter the DHCP requests going to your DHCP server to show the .1 address of the Internet port as the router id. This will assign an address to clients in this range.

Set up a default route to your firewall over the Internet port and an inside route to your internal router (10.0.0.0/8). The guest traffic will be the only traffic that routes over the MSM so you don't need any other routes. The inside route is really only so you can manage the MSM from other VLANs inside your network.

I hope this gets you going in the right direction.
www.traversasolutions.com;http://www.linkedin.com/pub/kyle-massey/22/23/126
anthonymel_1
Advisor

Re: MSM 765zl Configuration

Thank you!! This makes this so much clearer to understand now.

So I'll leave the LAN port untagged and tag the Internet port for my Guest VLAN (VLAN 3). Do I do the tagging in the controller or in the switch?

I'll just have the DHCP Relay go out my Internet port and have the switch's IP helper on that VLAN handle the relay to the internal DHCP server. Is that ok?

So the default gateway for the controller would be on the VLAN 3 network of 192.168.3.x?

If I understand you correctly the secure clients will enter the network via the AP and will not be routed through the controller. Hence I don't have to worry about the default gateway being on another subnet?

Last, where do I place the web site for authentication? Do I need to connect it to a port or does it happen inside the controller itself?

Thanks a lot again. Finally feeling confident about all this.
anthonymel_1
Advisor

Re: MSM 765zl Configuration

This may sound stupid but should I make the default gateway of my guest clients the controller IP? Right now I have it set for the firewall/router.
Kyle Massey
Advisor

Re: MSM 765zl Configuration


You will want to "untag" the internet port for your "internet" VLAN. Set the internet port IP address on that VLAN as .1 and make sure your DHCP scope sets this as the clients' default gateway (router id).

You then just need to put a default route to the internet VLAN's gateway on your firewall or switch, wherever it points.

The clients are actually tunneled through the client data tunnel from the AP to the controller and the traffic is handled from the controller, not the AP. The HTML site is on the controller and you just need to set the VSC for "Access control" and "html authentication".

Let me know if that gets you going!

Kyle
www.traversasolutions.com;http://www.linkedin.com/pub/kyle-massey/22/23/126
anthonymel_1
Advisor

Re: MSM 765zl Configuration

So I guess I do the untagging on the 5412zl switch, like I would do for any other port?

Set up my DHCP scope for the guest to point the default gateway to the Internet port on the controller. Then set up a default route on the controller for the Internet port going to my Internet port's gateway.

For the guest VSC what should I set the egress port to? Default? or Internet port? Or do I set the egress port on the VSC binding page for my APs?

Let me say that your help has been tremendous. Do you have any other suggestions for me that you ran into in your setup?

Thanks again!
Kyle Massey
Advisor

Re: MSM 765zl Configuration

Yes, you would just untag the port on the 5412. The 1st port is the internet port and port 2 is the LAN. You can verify by MAC address: 'sho mac f1'

Since the traffic is 'routed' at the controller for guests, there is no need to set an egress layer 2 VLAN on the binding or VSC.

I usually set up the gateway for the internet port directly on a firewall so that it is completely segregated off the network. Also make sure you use public DNS servers on the controller DNS config, since guests will be using these to resolve internet queries.

Make sure when you set up your DHCP scope for guests to set the DNS server to the Internet port address of the MSM, since it will hijack all DNS requests.

Let me know if that works!
www.traversasolutions.com;http://www.linkedin.com/pub/kyle-massey/22/23/126
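The guest design worked out across the replies above (Internet port as .1, firewall as .254, default route to the firewall, a 10.0.0.0/8 inside route for management only, DHCP scope handing out the Internet port as router and DNS, public DNS on the controller) can be checked for consistency before deployment. This is an added example, not part of any post in the thread; the dictionary keys, the internal addresses 10.1.1.254 and 10.1.1.10, and the public resolver 8.8.8.8 are assumptions chosen for illustration.

```python
import ipaddress

def check_guest_plan(plan):
    """Return a list of findings; an empty list means the plan is consistent."""
    findings = []
    guest = ipaddress.ip_network(plan["guest_subnet"])
    port = ipaddress.ip_address(plan["internet_port_ip"])
    if port not in guest:
        findings.append("Internet port IP is outside the guest subnet")
    # The DHCP scope must hand guests the controller as both router and DNS.
    for opt in ("dhcp_router", "dhcp_dns"):
        if ipaddress.ip_address(plan[opt]) != port:
            findings.append(f"{opt} is not the controller Internet port")
    routes = {ipaddress.ip_network(d): ipaddress.ip_address(nh)
              for d, nh in plan["routes"].items()}
    default = routes.pop(ipaddress.ip_network("0.0.0.0/0"), None)
    if default is None or default not in guest or default == port:
        findings.append("default route does not point at a gateway on the guest subnet")
    # Inside routes exist only for management; they must stay off the guest side.
    for dest, nh in routes.items():
        if dest.overlaps(guest) or nh in guest:
            findings.append(f"inside route {dest} touches the guest subnet")
    # The controller resolves on behalf of guests, so its upstream DNS should be public.
    for dns in plan["controller_dns"]:
        if ipaddress.ip_address(dns).is_private:
            findings.append(f"controller DNS {dns} is an internal address")
    return findings

# Constructed sample values; 10.1.1.254 and 10.1.1.10 are assumed internal hosts.
GOOD_PLAN = {
    "guest_subnet": "192.168.3.0/24",
    "internet_port_ip": "192.168.3.1",
    "dhcp_router": "192.168.3.1",
    "dhcp_dns": "192.168.3.1",
    "routes": {"0.0.0.0/0": "192.168.3.254", "10.0.0.0/8": "10.1.1.254"},
    "controller_dns": ["8.8.8.8"],
}
# Same plan, but with the scope pointing guests at the firewall and internal DNS.
BAD_PLAN = dict(GOOD_PLAN, dhcp_router="192.168.3.254",
                dhcp_dns="10.1.1.10", controller_dns=["10.1.1.10"])

if __name__ == "__main__":
    for name, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(name, check_guest_plan(plan) or "consistent")
```
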
anthonymel_1
Advisor

Re: MSM 765zl Configuration

That will do just fine! Thanks for all your help! Greatly appreciated!