topic Re: Yet another issue with msm 730 - 760 guest access and Vlan Configuration in M and MSM Series

Yet another issue with msm 730 - 760 guest access and Vlan Configuration

Poilou — Mon, 02 Dec 2013 03:16:30 GMT

Hi HP MSM's mates.

Since a few weeks (or month) we try to add a guest access to our existing wireless configuration :

MSM730 controlller
Few AP's connected on the lan port into a specific VLAN on the switche(s) (unttaged)
Hp PoE switches
2 VSC each egressed to a different vlan on internet port :
First VSC = business > egressed to vlan 2 on the internet port with an ip adress > this internet port connected to a firewall on vlan 2 to connect to the rest of the network
Second VCS = guest > egressed to vlan 4 on the internet port with an ip adress > internet port connected to the same firewall / routeur on the vlan 4 to connect to map to the internet.

Specials options on the MSM :

Expand Internet port subnet to the Lan Port
Dhcp relay on each VSC, redirecting each VSC to 2 different dhcp server. IP adressing works fine.
Access control enabled on each VSC.

With this configuration we can connect to each VSC an obtain the good IP adress and association.

You can ping controller vlan on the internet port and firewall vlan port.

1- Does this configuration seems to be correct for you?

2- The lan port seems to doing route job beetween the two VLAN (and then between the two VSC). So even if a client of one VSC can't ping a client on the other VSC, I'm suprised to see that a client associated on a VSC can ping the VLAN port of the other VSC. The Vlans dont's seems to be completely isolated.

3- How do you configure the routing table to permit to the two VSC clients to be routed to the good place on the firewall ?

I hope this is not too confusing. I can give additionnal informations on demand. Thanks in advance.

P.S : If I completely mismatch the good configuration could you suggest me the good one? Bye

P.S. This thread has been moved from Communications, Wireless (Legacy ITRC forum) to MSM Series. - Hp Forum Moderator

Re: Yet another issue with msm 730 - 760 guest access and Vlan Configuration

Poilou — Fri, 05 Aug 2011 13:02:02 GMT

I answer to myself, but unfortunately not to tell you that I solved my problem.

I really don't understand WHY my two Vlans aren't perfectly isolated.

A user connected to a VSC egressed to a Vlan X can ping the adress of the internet port of MSM VLAN's Y !
That certainly the reason why I can't put two routes in the routing table. I'd like to put one route per vlan, but this, as we can guess, crash the controller management interface. (the packets don't know which route to use).
Ho can I correctly isolate my two Vlans??? (or where do I make a network mistake?)

Any help would be fully appreciated...

Poilou

Re: Yet another issue with msm 730 - 760 guest access and Vlan Configuration

Poilou — Mon, 08 Aug 2011 15:32:41 GMT

Another try, another problem :

I really don't know how to isolate (separate) traffic between two VSC. No success with Vlan configuration, no success without.

I don't find how to make the internal firewall works, because it controls the internet port and all trafic follow the bridge port to communicate inter-vsc.

Even with the "Allow traffic between "no" Wireless clients", my public clients ping the workers clients.

No one?

Re: Yet another issue with msm 730 - 760 guest access and Vlan Configuration

MSMenthousiast — Fri, 11 Nov 2011 13:58:50 GMT

maybe your switch is routing or your firewall is routing