M and MSM Series
1748165 Members
3779 Online
108758 Solutions
New Discussion юеВ

Re: MSM765zl + Guest/Employee VLAN

 
Manfred M.
Advisor

MSM765zl + Guest/Employee VLAN

Hi!
I'm stuck in the different scenarios of the MSM Solution and Implementation Guide because none of the scenarios really fit to my requirements.

What I have:
1x 54xx with MSM765zl installed
several MSM422 APs
2 VLANs (Guest/Employee) configured on the switch
1 external Firewall
1 Company DHCP Server

What I need:
VSC for employee traffic which should be bridged egress to Employee VLAN after sucessful AD authentication (no Radius Server; no 802.1x).
VSC for Guest traffic which should bridged egress to
Guest VLAN with HTML authentication (Guest Traffic will be handled by the company's firewall). The customer want's to manage the Guest accounts with the Guest Management Software.
DHCP should be handled by the Company's DHCP Server for employees and guests.

I have tried already various VLAN egress options and have read lots of HP Guides, but am still confused about best practice in my scenario.

Some Questions:
Do I need the internet port in my scenario?
Do I need account profiles for the AD authentication?
I have put the MSM AP's tagged into the 2 VLANs - is that ok?

I would appreciate any help or hint leading into the direction of my scenario very much.

With regards
Manfred M.
3 REPLIES 3
cenk sasmaztin
Honored Contributor

Re: MSM765zl + Guest/Employee VLAN

Do I need the internet port in my scenario?
yesss

Do I need account profiles for the AD authentication?
yesss

I have put the MSM AP's tagged into the 2 VLANs - is that ok?
no guest vlan must be untag Employee vlan tag port
---------------------------------------
lan port serve guest and all access point device

open controller dhcp server and connect guest vlan switch port (untagged)

all access point port must be untag guest vlan and tagged employee vlan

controller lan port untagged guest vlan tagged employe vlan

controller internet port connect employe vlan untag port

company dhcp server serve employee vlan
your firewall lan port connect only employe vlan untag port





cenk

Thomas St├╝tz
New Member

Re: MSM765zl + Guest/Employee VLAN

Hi,

i have the same requirements, but with teaming active.

Is it possible to put the controller in a "management" vlan with "management" ip for this scenario?

Thanks
Thomas
Kyle Massey
Advisor

Re: MSM765zl + Guest/Employee VLAN

The guest traffic is tunneled to the controller in an access-controlled VSC and the egress VLAN settings will not apply. You dont need a guest VLAN on your switches since the client datat tunnel is setup via the IP address on the AP to the ip address on the controller LAN port. The traffic is then routed from the MSM.

I would use the internet port with a network (/30) that is directly connected to your firewall for the guest traffic. Set a default route on the MSM to your firewall port so that guest traffic is routed there. I would provide DHCP to guest clients from the MSM also.

The employee traffic will be bridged via your egress setting to your LAN.

In 'teamed' mode you will have to use a DHCP relay and the "bridge internet port to LAN port" option to get IP addresses for guests.

Kyle
www.traversasolutions.com;http://www.linkedin.com/pub/kyle-massey/22/23/126