
MSM 720 Guest network

 
mitchellm203
New Member

MSM 720 Guest network

I have been racking my brain for well over a week now trying to figure out how to segregate a guest network using an HP MSM720 and creating 2 SSIDs, guest and employee.


Right now DHCP is working correctly on both wifi networks and both have access to the internet while pulling separate network IPs. Employee 10.0.11.0/24 vlan 1 and guest 10.0.12.0/24 vlan 12. I am not a network expert, but I cannot figure out how to segregate the two, meaning I shouldn't be on the guest network and be able to access IP addresses on the employee network.

I have 20 APs, which connect to unmanaged HP switches; connected to that same switch is my HP controller. The switch then connects back to my Dell Sonicwall firewall/router.

I don't know where else to turn other than calling HP and hoping they can help me out.

 

3 REPLIES
mitchellm203
New Member

Re: MSM 720 Guest network

If I turn the egress from default to the vlan id 12 on my guest network, I cannot access my main 10.0.10.0/24 network; however, I can access the 10.0.11.0/24 network, and with changing that egress mapping I also lose access to the wlan.

mitchellm203
New Member

Re: MSM 720 Guest network

As it looks now, one port is configured for all vlan traffic, so I don't know if this is correct. If one AP is broadcasting 2 networks, the port that that AP connects to would have to allow traffic both ways, I would think. In this case I really don't know how to separate both networks. If I had separate hardware it would be simple and I could truly assign separate vlans to two ports which would only allow traffic in a direction I wanted it to go, along with keeping traffic from vlan 10 off of the vlan 12 network. This isn't the case with HP. Really wish my company could afford Cisco.

Arimo
Respected Contributor

Re: MSM 720 Guest network

This is the first problem:

"I have 20 APs, which connect to unmanaged HP switches; connected to that same switch is my HP controller."

Unmanaged switches don't do VLANs. Your network management and user traffic are all running in the same flat L2 LAN.

I'd suggest first of all upgrading to 6.6.5. Then connect one of the MSM Internet interfaces to your firewall, and use the Automated workflows to create your employee and guest VSCs. By default:

  • The Employee VSC will be configured for Authentication, and egressing user traffic directly from the AP ports. The employee wireless traffic will be handled on the wire side exactly the same way as employee wired traffic.
  • Guest VSC traffic will be egressing out from the Internet interface, thus your guest and internal user traffic are separated.

Then you just need to ensure that the firewall isn't routing between the guest and internal networks. This obviously assumes that the firewall has at least two LAN interfaces (one for the LAN, one for the controller's Internet interface), and understands dot1q VLANs.

I'm not sure what you mean by "the port that the AP connects would have to allow traffic both ways". TCP/IP traffic in general is bidirectional, there are requests and responses. If your network port would allow only unidirectional connectivity, your client, be that wired or wireless, would not be able to use any network resources at all.

The only way to separate two L2 networks is either to separate them physically using dedicated hardware for each LAN segment, or to use dot1q-capable hardware which allows you to use VLANs to separate the networks on Layer 2 level; and use a router to allow/disallow traffic between the LAN segments as desired. None of this is manufacturer-dependent, this is the way TCP/IP networks are designed to work.


HTH,

Arimo
HPE Networking Engineer
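
The last step in the reply above, making sure the firewall does not route between the guest and internal networks, can be checked against a rule list. This is an added example, not part of the thread and not SonicWall or MSM syntax: the `(action, source, destination)` tuple format, first-match evaluation with an implicit final deny, and both rule sets are assumptions; only the three subnets come from the posts.

```python
from ipaddress import ip_network

# Subnets from the thread: guest VLAN 12, employee VLAN 1, and the main LAN.
GUEST = ip_network("10.0.12.0/24")
INTERNAL = [ip_network("10.0.11.0/24"), ip_network("10.0.10.0/24")]

def first_leak(rules, src, dst):
    """Return the first rule that can pass src->dst traffic, or None.

    rules: ordered (action, src_cidr, dst_cidr) tuples, evaluated first-match
    with an implicit deny at the end (assumed firewall model).
    Conservative: a deny only ends the search if it covers the whole pair,
    so a partial deny followed by an allow is flagged for review.
    """
    for action, r_src, r_dst in rules:
        r_src, r_dst = ip_network(r_src), ip_network(r_dst)
        if not (r_src.overlaps(src) and r_dst.overlaps(dst)):
            continue  # rule cannot match any packet of this pair
        if action == "allow":
            return (action, str(r_src), str(r_dst))
        if src.subnet_of(r_src) and dst.subnet_of(r_dst):
            return None  # fully denied before any allow could match
    return None  # nothing matched: implicit deny

def audit(rules):
    """Map each direction between guest and internal nets to its leaking rule."""
    leaks = {}
    for net in INTERNAL:
        for src, dst in ((GUEST, net), (net, GUEST)):
            hit = first_leak(rules, src, dst)
            if hit:
                leaks[f"{src} -> {dst}"] = hit
    return leaks

# Constructed rule sets, not exported from any real firewall.
FLAT = [("allow", "10.0.0.0/16", "0.0.0.0/0")]   # one broad rule, no isolation
SEGMENTED = [
    ("deny", "10.0.12.0/24", "10.0.0.0/8"),      # guest -> any internal range
    ("deny", "10.0.0.0/8", "10.0.12.0/24"),      # internal -> guest
    ("allow", "10.0.0.0/16", "0.0.0.0/0"),       # everything else -> internet
]

if __name__ == "__main__":
    for name, rules in (("flat", FLAT), ("segmented", SEGMENTED)):
        print(name, audit(rules) or "no guest/internal path")
```
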