M and MSM Series
1748194 Members
3992 Online
108759 Solutions
New Discussion

Re: VSC to VLAN mapping on MSM765ZL Confussion

 
AndrewB732
New Member

VSC to VLAN mapping on MSM765ZL Confussion

Hello, I hope you can help!

 

My previous experience with a 765ZL controller was 4-5 years ago.  Back then you could define a VLAN for the LAN and Internet ethernet ports on the controller, tag the coresponding port on the switch, and then assign an SSID network to utilize each port.  This allowed for a very simple segmentation of wireless networks to VLAN's.

 

I'm trying to setup a new MSM version and running into confusion.  Here's the goal:

 

3 different VLAN segmented networks tagged 1, 2, and 3.  Our wired network already has these networks successfully segmented and tagged.  I want three VSC's (SSID's) to  each point to those networks via eggress mapping.  One of the networks is to be wide open for internet access and is connected to a DMZ.  The other two are separate private networks with different subnets, gateways, etc. 

 

So far all I can do is create the three VSC's with appropriate security and connect to them.  They all allow access to the default VLAN (1) network, and receive DHCP on that VLAN.  No matter what I try though -- I've created the network ports and assigned the VLAN ID's to them.  Gone into the switch settings and tagged switch ports in each VLAN, attempted to set Egress mappings on the Group VSC Bindings -- it won't let me connect to any other VLAN's over a wireless network.

 

At least two of these networks need to be without Authentication or Access Control.

 

I know this is a complicated question, but thought maybe someone has a decently quick answer to where I'm going wrong logically on this scenario. 

 

Thanks,

 

Andrew

7 REPLIES 7
DougB-CCCP
Frequent Advisor

Re: VSC to VLAN mapping on MSM765ZL Confussion

Which version of code are you running on the controller? 

 

If it's the newer 5.5.x code, you'll need to create a network profile for the specific VLAN, making sure you check the 'VLAN' box and enter the VLAN number.  Then on the egress settings for the group binding, choose that network profile and it should work as long as you have 'untagged' on VLAN1 and 'tagged' on VLAN 2 and 3.

----------------
HP ASE (Mobility), Infrastructure Engineer
Stuggi
Advisor

Re: VSC to VLAN mapping on MSM765ZL Confussion

Hi, I tried the same scheme with an MSM710 and MSM430 APs, and I got this error when I tried to bind the guest VSC to the untagged internet port interface.

 

Untagged network can only be selected when VSC has mobility enabled with mobility traffic manager option.

C0LDWiR3D
Frequent Advisor

Re: VSC to VLAN mapping on MSM765ZL Confussion

Spoiler
 

Hi,

 

the Binding on the AP groups are for Local Switching VLAN on the APs.

VSC Egress are for Access Controlled (AC) / Tunelled Client Data.

 

However, I cannot make it work like the documentation claims.

scottdoorey
Occasional Advisor

Re: VSC to VLAN mapping on MSM765ZL Confussion

Hi,

 

i've also had this problem trying to setup an auhenticated SSID to bridge to a vlan on the internet port. Did you have any luck with this?

 

I'm using 5.7 on a 720

 

Scott

Richard Litchfield
Respected Contributor

Re: VSC to VLAN mapping on MSM765ZL Confussion

Maybe you can try your 3 VSCs binding to the 3 preconfigured network profiles via the Internet port only (ignore the LAN port for now). I usually find it easier to start with the most simple config and add features in (like auth) as it makes troubleshooting much easier.

 

It sounds like 2 are connected without access control and one is an access-controlled VSC?

 

Even though you have the premium mobility licence, you probably don't want to use MTM - that is another complicating factor.

Aarón
Frequent Advisor

Re: VSC to VLAN mapping on MSM765ZL Confussion

Hello Andrew,

 

I suppose you already found the solution but just in case I want to share our configuration. We have our wireless network segmented by a VLAN per building and tagged on to the Internet port of the controller. All this using Controlled AP groups to delimit what APs are from which building.

 

The VSC configuration is the following:

 

  • Authentication enabled
  • In VSC Ingress mapping: SSID
  • Virtual AP enabled with default configuration
  • Wireless mobility enabled -> Mobility traffic manager -> Block User

Then in Network -> Network profile create the new profile with the VLAN ID needed, in Network -> Ports -> Add new vlan in the Internet port.

 

After this you can create the Controlled AP Groups you need and use it to egress which VSC you want. For this go to the Group -> VSC Bindings -> Add new binding -> choose the VSC Profile defined earlier and in Egress Network the network profile (VLAN) you want to use.

 

 

All this is explained in the manual "E-MSM7xx Controllers Management and Configuration Guide v5.5.0", chapter 9, "Scenario 2: Centralized traffic on a controller".

 

 

Cheers,

 

Aarón

monitorizacao
Visitor

Re: VSC to VLAN mapping on MSM765ZL Confussion

Thanks, Aarón.

You said that it is in the manual, and I read it, but didn't connect the dots until I saw your post.

 

So, thank you