Re: VSC to egress Internet port VLAN

 
DougB-CCCP
Frequent Advisor

VSC to egress Internet port VLAN

I ran into a situation yesterday where I needed to have a VSC tunnel the traffic back to the 760 controller, then egress out of the Internet port on a separate VLAN.  I was looking for a straight 'bridged' connection between the two, so basically the VSC traffic would be dumped onto the VLAN, facilitated by going through the controller.

 

Problem is, it didn't work.  I'm not sure why or what I did wrong.  I think I tried everything, choosing 'always tunnel client traffic', selecting/unselecting 'authentication' and 'access control', with/without the built-in DHCP server.  When traffic passed, it would pass to the AP's management VLAN and get DHCP from there.  I would also get DHCP from the controller when 'always tunnel' was checked and DHCP was listening on the Client Data Tunnel.

 

Does anyone have any insight as to how I can make this work, through either the LAN port or preferably the Internet port?  All I am looking for is a Cisco-esque 'Local' wireless network.  In the Cisco world what I'm looking for happens right out of the box.

----------------
HP ASE (Mobility), Infrastructure Engineer
Fredrik Lönnman
Honored Contributor

Re: VSC to egress Internet port VLAN

I'm not sure you even can do that(?). I've always seen the MSM as either bridge locally at the AP or via tunnel terminate the traffic in the controller and route from there.

---
CCIE Service Provider
MASE Network Infrastructure [2011]
H3CSE
CCNP R&S

HowardGriffith
Visitor

Re: VSC to egress Internet port VLAN

You can do it but you really don't need to.  If all that's needed is a path to the internet port on the controller, that's the default already.  I started mine by building some VLANs and directing traffic that way but backed off because I was over-complicating the issue.  In my environment, I have a 765zl which I wanted several VSCs on.  I have two that are for internal use and a variety of functions such as 802.1x on one and static WPA2 on the other.  The third I wanted to strictly use as a guest internet connection and push it out the internet port which I had VLAN'd in the 5412zl to port A1 straight to a separate cable modem based internet connection.  It works fine and the traffic is separated by the VSC because that traffic is tunneled to the controller and sent straight out the internet port.

 

The DHCP portion working on the Guest Internet VSC is the most confusing part because you can't just turn it on for that VSC without it being turned on globally for the entire controller.  Once you get that setup right, it works like a champ.

 

Let me know if you'd like further details.

 

Fredrik Lönnman
Honored Contributor

Re: VSC to egress Internet port VLAN


@HowardGriffith wrote:

You can do it but you really don't need to.  If all that's needed is a path to the internet port on the controller, that's the default already.  I started mine by building some VLANs and directing traffic that way but backed off because I was over-complicating the issue.  In my environment, I have a 765zl which I wanted several VSCs on.  I have two that are for internal use and a variety of functions such as 802.1x on one and static WPA2 on the other.  The third I wanted to strictly use as a guest internet connection and push it out the internet port which I had VLAN'd in the 5412zl to port A1 straight to a separate cable modem based internet connection.  It works fine and the traffic is separated by the VSC because that traffic is tunneled to the controller and sent straight out the internet port.

 

The DHCP portion working on the Guest Internet VSC is the most confusing part because you can't just turn it on for that VSC without it being turned on globally for the entire controller.  Once you get that setup right, it works like a champ.

 

Let me know if you'd like further details.

 


Howard: The two VSCs you have for internal use, are they access controlled just like the guest VSC? Otherwise the scenario isn't really applicable.

---
CCIE Service Provider
MASE Network Infrastructure [2011]
H3CSE
CCNP R&S

DougB-CCCP
Frequent Advisor

Re: VSC to egress Internet port VLAN


@HowardGriffith wrote:

You can do it but you really don't need to.  If all that's needed is a path to the internet port on the controller, that's the default already.  I started mine by building some VLANs and directing traffic that way but backed off because I was over-complicating the issue.  In my environment, I have a 765zl which I wanted several VSCs on.  I have two that are for internal use and a variety of functions such as 802.1x on one and static WPA2 on the other.  The third I wanted to strictly use as a guest internet connection and push it out the internet port which I had VLAN'd in the 5412zl to port A1 straight to a separate cable modem based internet connection.  It works fine and the traffic is separated by the VSC because that traffic is tunneled to the controller and sent straight out the internet port.

 

The DHCP portion working on the Guest Internet VSC is the most confusing part because you can't just turn it on for that VSC without it being turned on globally for the entire controller.  Once you get that setup right, it works like a champ.

 

Let me know if you'd like further details.

 


Howard - I already was using the Internet port for a guest network, untagged traffic.  I suppose it really doesn't matter which of the two ports I use.  The basic premise is that I want all of the traffic on a VSC to leave the wireless client, hit the AP, be sent back to the controller, then out the VLAN I specify on either of the controller's physical ports.

DHCP appears to be the real kicker here.  I'm assuming to get this working properly, I need the controller to be in DHCP relay mode to handle the DHCP requests.  However, in this environment, I would need the controller to do both DHCP services for the guest VSC as well as relay DHCP requests for traffic tunneled back to the controller.  I hate to bring them up again, but the competition's overpriced controllers can do this without an issue.  Now that doesn't stop me from pushing HP equipment, it works fantastically in 99% of all cases... :)

This is now just for my own reference, I will probably lab the heck out of this to figure out how to make it work properly.  I worked around the issue by simply adding a new VLAN to all switches and tagging it on the 80-some ports that the access points are plugged into, then egressing the traffic onto that VLAN at the AP level, no traffic tunneling back to the controller.

----------------
HP ASE (Mobility), Infrastructure Engineer
Fredrik Lönnman
Honored Contributor

Re: VSC to egress Internet port VLAN


@DougB-CCCP wrote:

 I worked around the issue by simply adding a new VLAN to all switches and tagging it on the 80-some ports that the access points are plugged into, then egressing the traffic onto that VLAN at the AP level, no traffic tunneling back to the controller.

This is pretty much the way the MSM solution is supposed to be deployed. If you look at the hardware, it is clear that you are not supposed to tunnel/bridge that much through the controller (well, the 765zl does have 10GbE ports, but other than that it's the same design). So you have to plan and design your deployment differently than with the overpriced competitors.

---
CCIE Service Provider
MASE Network Infrastructure [2011]
H3CSE
CCNP R&S

scottdoorey
Occasional Advisor

Re: VSC to egress Internet port VLAN

hi all,

 

I have also run into the same issue. Doug, did you ever get this working?

 

Scott

 

DougB-CCCP
Frequent Advisor

Re: VSC to egress Internet port VLAN

Scott - I did get it working, however it is not recommended in larger deployments and does not work in controller teams.  Basically you need to create a new network profile pointing to a VLAN, then tag that on the LAN port. Give the new profile an interface/IP.  Enable DHCP relay within the address allocation settings.  Under the VSC enable Authentication and Access Control and make sure DHCP relay is enabled. 

 

Extend the egress VLAN to the VSC (I don't recall exactly how it's worded under the VSC DHCP relay options).  Make sure under the egress VLAN for the VSC you have the new network profile/VLAN selected.  When binding the VSC to a group, don't select any egress networks.

 

I was slightly mistaken on how the Cisco controllers worked related to DHCP, they also proxy the requests via a relay agent.  Setting the HP's up like this mimics the same behavior.

----------------
HP ASE (Mobility), Infrastructure Engineer
SBA_Mark
Occasional Visitor

Re: VSC to egress Internet port VLAN

I just did the same thing - egressing a NON-DEFAULT Guest VSC through the controller and out onto a tagged Guest VLAN 150 headed straight for the router/modem.  The APs, DHCP and DNS servers talk over an untagged management VLAN on the LAN port (192.168.0.0/24).  The Guest egress VLAN was given an IP Interface and tagged to the Internet port (10.150.0.0/16) and relies on the controller for HTML authorization.  The Guest VSC had the authorized egress mapping set to Guest 150.  The Guest VSC relied on DHCP Relay with a subnet address of 10.150.0.0/16 to fill in the giAddress in the DHCP request and queried a scope located on a server at 192.168.0.2.

 

My understanding is the web server is only available untagged or tagged on the Internet port, so you're forced to move your Guest egress onto the Internet port if you want HTML authorization.

 

My biggest problem was I had NAT unchecked on the Guest VLAN thinking the VLAN was already NATed at the router.  That's not what they mean by "NAT".  If it's not checked, your router won't be able to ARP your mobile clients directly since the MSM doesn't respond to bridged ARP requests even though everyone is on the same VLAN.  By checking NAT, the MSM pipes all your wireless clients onto a single IP address of the Guest VLAN IP Interface on the Internet port.  The MSM does respond to ARP requests for that single interface.
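Added illustration (not code from this thread or from HP) of the DHCP relay behaviour Doug and SBA_Mark describe: a relay fills in giaddr, and the DHCP server at 192.168.0.2 picks the scope containing giaddr, so a relayed request lands in the 10.150.0.0/16 guest scope instead of the management scope the AP's VLAN would give it. The relay interface address 10.150.0.1 and the scope names are assumptions.

```python
import ipaddress
import struct

BOOTREQUEST = 1

# Constructed scopes on the DHCP server at 192.168.0.2 (names assumed).
SCOPES = {
    ipaddress.ip_network("192.168.0.0/24"): "management",
    ipaddress.ip_network("10.150.0.0/16"): "guest-vlan150",
}


def build_discover(client_mac: bytes, xid: int = 0x3903F326) -> bytes:
    """Minimal 236-byte BOOTP/DHCP DISCOVER header (no options), giaddr = 0."""
    return struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        BOOTREQUEST, 1, 6, 0,                 # op, htype=Ethernet, hlen, hops
        xid, 0, 0x8000,                       # xid, secs, flags (broadcast bit)
        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,  # ciaddr yiaddr siaddr giaddr
        client_mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)


def relay(packet: bytes, relay_ip: str) -> bytes:
    """Model the controller's relay step (RFC 1542): set giaddr to the relay's
    interface on the client VLAN if it is still zero, and bump the hop count."""
    hdr = bytearray(packet)
    if bytes(hdr[24:28]) == b"\0" * 4:            # giaddr lives at offset 24
        hdr[24:28] = ipaddress.IPv4Address(relay_ip).packed
    hdr[3] += 1                                   # hops at offset 3
    return bytes(hdr)


def select_scope(packet: bytes, server_iface_ip: str) -> str:
    """RFC 2131 scope selection: a non-zero giaddr chooses the scope containing
    it; a zero giaddr means a directly connected client, so the server uses
    the subnet of the interface the request arrived on."""
    giaddr = ipaddress.IPv4Address(bytes(packet[24:28]))
    key = giaddr if int(giaddr) else ipaddress.IPv4Address(server_iface_ip)
    for net, name in SCOPES.items():
        if key in net:
            return name
    raise LookupError(f"no scope for {key}")


if __name__ == "__main__":
    mac = bytes.fromhex("001122334455")            # constructed client MAC
    direct = build_discover(mac)
    print("without relay:", select_scope(direct, "192.168.0.2"))
    relayed = relay(direct, "10.150.0.1")          # assumed guest VLAN interface
    print("via relay:    ", select_scope(relayed, "192.168.0.2"))
```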

awoiudhoi123
Occasional Visitor

Re: VSC to egress Internet port VLAN


@DougB-CCCP wrote:

I ran into a situation yesterday where I needed to have a VSC tunnel the traffic back to the 760 controller, then egress out of the Internet port on a separate VLAN.  I was looking for a straight 'bridged' connection between the two, so basically the VSC traffic would be dumped onto the VLAN, facilitated by going through the controller.

 

Problem is, it didn't work.  I'm not sure why or what I did wrong.  I think I tried everything, choosing 'always tunnel client traffic', selecting/unselecting 'authentication' and 'access control', with/without the built-in DHCP server.  When traffic passed, it would pass to the AP's management VLAN and get DHCP from there.  I would also get DHCP from the controller when 'always tunnel' was checked and DHCP was listening on the Client Data Tunnel.

 

Does anyone have any insight as to how I can make this work, though either the LAN port or preferably the Internet port?  All I am looking for is a Cisco-esque 'Local' wireless network.  In the Cisco world what I'm looking for happens right out of the box.



You should be able to do this just fine, guest networks are just access controlled VSCs that throw up a login page. I seem to recall doing this with a pair of MSM765s but it was years ago. Just create an access controlled VSC with HTML auth enabled and local radius selected, then create a test user on the users tab. Deploy the VSC to test group and give it a spin. Make sure you set up a proper WPA key and proper VLAN traffic egress on the test network so as not to compromise your network security.