M and MSM Series
cancel
Showing results for 
Search instead for 
Did you mean: 

MSM765 controller LAN port oddity

 
Highlighted
Don Duvall_1
Occasional Contributor

MSM765 controller LAN port oddity

Noticed something strange today. I setup my MSM765 a while back with what I thought was a pretty standard config.

 

LAN port on one of my private internal LANs. 10.10.0.0/16 addressing

Inet port on a general Inet VLAN we use for guest Inet access in conference rooms, etc. 192.168.100.x/24 addressing

 

The above 2 segments cannot route to each other in any way.

 

2 VSCs setup. Default "HP" VSC is still on the unit as I think I remembered reading somewhere it's best to leave the default HP VSC  on the unit, the "HP" VSC is not bound to ANY AP groups at all.

 

"SECURE" VSC: Authentication enabled, requires 802.1x authentication against our AD domain. Once authenticated successfully the user's machine is put on the primary LAN VLAN and gets a 10.10.x.x address. Affectively on my production network as much as any wired machine is.

 

"GUEST" VSC: Authentication and Access Control enabled. This VSC tunnels the traffic back to the controller and the user's machine grabs a 192.168.100.x IP via DHCP. Rsers are then presented with a HTTP login page, once authenticated the user's traffic is allowed to go passed the 765 and on the Internet directly.

 

This all has been working perfectly for a good while now.

 

Today one of my engineers noticed something odd and brought it to my attention.

 

He had a new network appliance device that he needed to configure and was doing the work on the 10.10.x.x LAN segment. The device he was working on booted up with a default IP address of 192.168.1.1/24 so he just statically changed his laptop's address to match that new devices temporary subnet so he could web into it and reconfigure it for the correct segment. Normal stuff.

 

The problem was when he tried to surf to 192.168.1.1 (after statically assigning his laptop a matching IP from that range) he was presented with the "wireless.hp.internal" login page. On the LAN segment. The only place that authentication page is is enabled is over on the GUEST VSC. As soon as the IP address is of the laptop is changed back to the real IP of that LAN segment (10.10.x.x) you no longer get that login page and all seems normal.

 

Note that 192.168.1.x is not in the config of the MSM765 AT ALL, it does not match anything in the MSM765.

 

I threw together a test machine with wireshark on it and decided to take a look a bit deeper. If I take ANY device, put it on the 10.10.x.x LAN (where the LAN port of the 765 lives) but statically assign it ANY address that does not match that subnet (I did this with 192.168.1.x, 12.12.12.x, 100.100.100.x, I suspect that any range will exhibit this behavior) then wireshark and a "arp -a" shows that the MSM765's LAN port is anyswering and intercepting all traffic and trying to redirect the client machine to "wireless.hp.internal".

 

I'm stumped. I have no idea why this would be happening or how to resolve it. MAYBE this has something to do with the default "HP" VSC merely existing on the MSM765 (even though it's not bound to anything at all, I assumed the controller would just ignore it).

 

Any ideas?

 

Thanks.

1 REPLY 1
Highlighted
JesseR
Regular Advisor

Re: MSM765 controller LAN port oddity

Now that is quite interesting. My guess is, since the device by default is on the 192.168.1.1 address from factory, that even after you changed the LAN port and iNET port ip addresses, the 192.168.1.1 is still binding to the LAN port in addition to your 10.10.x.x address. seems like a possible BUG to me. Though I'd want to verify what your VLAN tagging is like on the LAN Port and the iNET port itself. I think I might try and test this on one of my 760 controllers. What firmware are you on?
Jesse R
Source One Technology, Inc.
HP Partner


MSM 5.7.x deployment guide: