HPE Community
M and MSM Series
1753797 Members
7338 Online
108802 Solutions
New Discussion

VLAN issues with MSM710 AC and MSM460 APs

 
RolfH
Occasional Visitor

‎12-23-2012 12:09 PM - edited ‎02-01-2013 02:11 PM

‎12-23-2012 12:09 PM - edited ‎02-01-2013 02:11 PM

VLAN issues with MSM710 AC and MSM460 APs

My company is planning to roll out a couple of MSM460s along with an MSM710 access controller, and I've been doing some testing at home to get used to the web interface and setup process. Before I began testing I upgraded the firmware on both the access controller and the access points to version 5.7.1.1-12533.

 

In my test lab I have two VLANs configured on an HP ProCurve 2520G-8-PoE switch, VLAN 10 for "employee" access and VLAN 20 for "guest" access. Routing and DHCP is handled by a FortiGate firewall, which is connected directly to the HP switch. I've been using this setup for a while and know for sure that everything works as it should.

 

I connected the MSM710 to an untagged port on VLAN 10, completed the initial configuration wizard and created VSCs for the Employee and Guest SSIDs. Both VSCs use WPA2 encryption and do not use the controller for access control or authentication. I also created controller-level network profiles for VLANs 10 and 20, and an AP group named Test.

 

Finally I connected a single MSM460 AP to a switch port with VLANs 10 and 20 tagged. The AP was discovered by the controller and I added it to the Test group and bound both VSCs to the group. I set the Employee VSC to egress traffic onto VLAN 10 and the Guest VSC to egress traffic onto VLAN 20.

 

Now the Guest VSC worked as expected. When I connected to its SSID I received an IP address and could access the internet and all appropriate network resources. The Employee VSC however did NOT work properly. I could associate with the SSID just fine, but would not receive an IP address or see any broadcast traffic or chatter from computers on the wired LAN. I could see broadcast traffic from other wireless clients connected to that SSID though, so it seemed like the AP was not passing traffic between that VSC and the wired network.

 

I tried doing a factory reset of both the MSM710 and the AP, as well as setting up everything with a different AP, but I still couldn't get the Employee VSC to behave as expected. Eventually I tried to create a new VLAN, VLAN 15 and moved the controller onto an untagged port on that VLAN. I added VLAN 15 tagged on the port the MSM460 was connected to. The Employee VSC now began working properly. If I moved the controller over to an untagged port on VLAN 10 and let the AP reconnect to the controller it would stop working again, so it seems like the AP refuses to pass wireless client traffic onto the VLAN that it uses to communicate with the controller.

 

I suppose most organizations will use a separate VLAN for controller-to-AP-traffic anyway (my company will), but I find it a little odd that the APs by default just plain refuse to pass client traffic onto that VLAN, particularly since I can't see this mentioned anywhere in the documentation or controller settings. Is this a bug or is it intended behavior?

 

EDIT 2012-02-01:
I can confirm that the issue described above was fixed in firmware v5.7.2.0, released January 22, 2013.

 

From the Other Fixes section of the Relase Notes for firmware v5.7.2.0:

"When VSC traffic is egressed on the management VLAN, traffic from the VLAN does not reach the clients on the VSC."

 

After upgrading the controller and APs to v5.7.2.0 the problem is resolved. VSCs egressing on the management VLAN now behave as expected.

0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.