M and MSM Series

Internet and Lan port on MSM controllers

Frequent Visitor

Internet and Lan port on MSM controllers

Please can somebody explain the following:


"what is the actual difference between the LAN and INTERNET ports on a MSM controller".


As per some documents only the internet port can be used for connectivity, Then what would be the need for an extra lan port ??


The word "INTERNET PORT" gives a signal that internet line can be directly inserted into it while the the lan port connects to the switch. Is this assumption right ?


Also when would you use both ports ?


I am also confused with the concept of tagging and untagging a port under multiple vlans. As per a guide TAGGING is equal to trunk port on cisco switches and untagging is equal to a access port. Why would you need to tag and untag the same port under multiple vlans ?  What does it do ??


Please provide a detailed explaination.


Note # i have several HP config and management guides that do not explain these concepts clearly !!!!

Respected Contributor

Re: Internet and Lan port on MSM controllers

I have the same doubt

Respected Contributor

Re: Internet and Lan port on MSM controllers



Let's start from the VLAN tagging / trunking.


In the wired network the edge ports are generally untagged (PCs NICs don't understand dot1q), the inter-switch ports tagged to multiple VLANs. This allows you to separate traffic in different departments from each other for traffic management and security.For example barcode scanners in the warehouse do not need to reach your financial department resources, and marketing department doesn't need to reach the management interfaces of your devices. On the edge switches you would untag the edge device ports accordingly, depending on which department the user belongs to. The inter-switch links might be untagged on the device management VLAN, and to allow other VLAN traffic through these ports you would tag them on the other VLANs.


"As per some documents only the internet port can be used for connectivity"


I don't know where this comes from, but it's plain incorrect. You can use either port alone, or both.


The traffic between these two ports is routed. By deafult Internet interface is in DHCP Client mode, LAN interface assumes default IP address You can change these once you get access to the device, but please note that you shouldn't use subnet on the Internet side - it's deeply associated with LAN interface.


Controllers have a built-in Firewall. Traffic that flows out through the Internet port will be firewalled, traffic out of LAN port won't. You can also NAT the traffic on the Internet VLAN.


To give you an example of LAN and Internet port usage let's assume the following scenario:


- You have three departments, and have separated the traffic in the wired LAN to VLANs:

    - device management (VLAN 1)

    - warehouse (VLAN 2)

    - marketing (VLAN 3)

    - management (VLAN 4)

    - you provide Internet access to all departments on VLAN 10.


You need to provide wireless access to all departments with minimal changes to the current setup. Additionally you need to provide wireless access to guests. Employees accessing the network wirelessly must be able to reach the same resources as they get when they access through the wire, and guests are only allowed to access the Internet. You could do the following:


- Create a new VLAN 20 on the wired side for wireless device management, including mgmt traffic between

   APs and controller - do not put a DHCP server or enable DHCP relay on this VLAN

- Connect LAN port and all AP ports to switch ports which are Untagged on VLAN 20, and tagged on VLANs 2-4

- Enable the DHCP server on global level in the controller

    - The APs will receive IP addresses from the controller's global DHCP server on VLAN 20


- For warehouse employees:

    - Create VLAN 2 on the controller

    - Configure a non-Access Controlled, non-Authenticating VSC

    - In the VSC binding egress Warehouse VSC to VLAN 2

    - Because the VLAN exists on the controller and there's a VSC binding, the AP port will be tagged on VLAN 2 (this

       is why the switch port must also be tagged on this VLAN)

    - Since the VSC is non-AC, the traffic will be sent directly from the AP LAN port to VLAN 2 on the wired network

    - The warehouse employee devices will receive IP addresses from the same DHCP server on VLAN 2

       that is used for the wired devices

    - The devices will have the same Default GW as the wired devices

    - The warehouse employees will be authenticated the same way they would authenticate on the wired LAN

- Configure the other two employee VSCs the same way


- For guests:

    - Create an Access-Controlled, Authenticating VSC on the controller

    - Create a DHCP server in the Guest VSC

    - Connect the Internet port to a switch port which is Untagged in VLAN 10

    - Configure controller's Default Route and DNS to the Internet router in VLAN 10

    - The guest devices will receive IP addresses directly from the controller

    - The controller will become the Default GW for the guest devices, and provide DNS service

    - Guests will be authenticated on the controller

    - Since the VSC is AC, guest traffic will be tunneled to the controller, which will NAT it according to the routing table

       through the Internet port directly to VLAN 10

    - Since there is no Guest VLAN in the wired network, the guests will have no access to the intranet resources

       (except if the Internet router is configured to do it)


If you create the VSCs using the Wizard, this is pretty much how the configuration will look like.


HPE Networking Engineer