MSM720 Premium does not work properly on a segmented network

Fred_Mancen_1
Super Advisor

MSM720 Premium does not work properly on a segmented network

Hi all.

I am facing a problem with an MSM720 controller, regarding DHCP Server and IP leases to wireless supplicants.

My customer's network is quite simple, with one VLAN (default, VLAN ID 1) for the network devices and corporate users, and another VLAN for wireless guest users, in this case, VLAN ID 200. The controller has two ports connected to the core switch: port 5 with VLAN 1 assigned and port 6 with VLAN 200 assigned to it.

VLAN 1 subnet is 10.22.0.0/16

VLAN 200 subnet is 10.20.200.0/24

The controller is directly connected to the core switch (5500G-EI, 2 units XRN stack), which forwards all external traffic to an HSRP environment, which is connected to a router of a host service company. The VLAN 1 DHCP Server is hosted in this service hosting site, in a different subnet, and the DHCP Relay is performed by the core switch.

The DHCP Server of VLAN 200 is performed by the core switch, and it's working fine when a client is attached to an Ethernet port on the controller, but it does not lease an IP address when the same user tries to obtain an IP address on the guest wireless SSID.

The controller reaches all the IP addresses (routers and servers) and also responds to these network devices' IP addresses. My customer needs the controller on VLAN 1 and I cannot enable the DHCP Server on the controller, because there is already a server for its subnet in order to lease IP addresses to the corporate clients. That's why I'd enabled the DHCP Server on the core switch.

I already tried to create a mgmt VLAN with DHCP Server enabled on the mgmt and guest VLANs, but in this scenario the corporate users didn't get IP addresses. I also tried to tag VLAN 200 on the edge switch ports where the APs are connected, and tried to assign only VLAN 1, with and without local networks assigned on the APs of the group... But still unsuccessful.

The VSCs are created as the config guide suggests, the bindings are correct, with the egress VLAN assigned (guests = VLAN 200), the corporate users are getting IP addresses and are authenticated on the AD server (which is the same one that works as DHCP Server); the only thing that does not work is the DHCP service when a user is connecting to the guest VSC/SSID. The user simply does not get a valid IP address, but the requests came in the DHCP statistics on the core switch. It seems that the controller does not allow the users to get an IP address.

Does anyone have experience with a similar problem? Attached, there is a topology image of the environment.

Regards,
Fred Mancen
6 REPLIES
Fred_Mancen_1
Super Advisor

Re: MSM720 Premium does not work properly on a segmented network

Almost forgot: the firmware version is 5.7.0.3 and the APs are MSM430 Dual Radio. The latest version didn't work well, with APs unsyncing constantly.
Regards,
Fred Mancen
Arimo
Respected Contributor

Re: MSM720 Premium does not work properly on a segmented network

Hi.

Using both Internet network ports but no Access network ports is a bit of an unusual configuration. I don't remember a sample configuration that's created this way. I'd suggest you put your internal users out from the Access network ports, and guest users from the Internet network ports - this is the usual way.

Does this change the picture?


HTH,

Arimo
HPE Networking Engineer
Fred_Mancen_1
Super Advisor

Re: MSM720 Premium does not work properly on a segmented network

Thanks, Arimo.

But how can I enable the DHCP Relay for the guest users? In the config guide there's a tip saying that the relay service only works on the LAN port.

Regards,
Fred Mancen
Arimo
Respected Contributor

Re: MSM720 Premium does not work properly on a segmented network

Hi

Well, what's referred to as the "LAN" port in MSM710 and MSM76x is the "Access network" in MSM720. That's ports 1 - 4... so right now all your traffic is actually on the "Internet" side :-)

Have you tried setting this up using the Automated workflows?


HTH,

Arimo
HPE Networking Engineer
Fred_Mancen_1
Super Advisor

Re: MSM720 Premium does not work properly on a segmented network

Hi Arimo.

Yes I did, but still unsuccessful. It seems that the traffic is blocked by the controller (of course we know that isn't true, because the firewall is disabled). What is more bizarre is that the DNS response is okay, but none of the web pages we tried to reach opens... When we work with a user in the same VLANs outside of the wireless environment we get web access instantly.

Regards,
Fred Mancen
Arimo
Respected Contributor

Re: MSM720 Premium does not work properly on a segmented network

Hi

The Firewall only applies to incoming traffic from the Internet ports.

Just based on the symptoms this is simply a configuration issue. I'd suggest you check the Implementation guide at http://bizsupport1.austin.hp.com/bc/docs/support/SupportManual/c02682324/c02682324.pdf. This is a bit older so it only talks about LAN and Internet interfaces, but the principle is still the same - just remember you have 4 "LAN" ports and 2 "Internet" ports :-)

It's a big book, but the overview of different solutions (5) gives you an idea of what they are aimed at. I believe the first or second one could be used as a base for your implementation as well. You will find there step-by-step instructions on how to configure the whole thing, including the wired side.


HTH,

Arimo
HPE Networking Engineer