
Configuring VLANs with HP Procurve 5412zl

SOLVED
mkoskenk
Occasional Visitor

Configuring VLANs with HP Procurve 5412zl

Hi!

I was assigned to create two VLANs for our wireless network. One is for our company employees and the other for guests. The guest VLAN is on the DMZ. We have altogether 3 WLAN access points that are connected to ports A12-A14. The firewall's DMZ port is connected to port A2 on the switch.

I have created two SSIDs and two VLANs and assigned internal SSID to VLAN20 and guest SSID to VLAN30. I've also tagged ports A2 and A12-A14 to VLAN30.

The ports A12-A14 are also tagged to VLAN2100, which I believe was created upon installation of the wireless module.

This is pretty much where my knowledge ends. I can see the guest wlan and I can connect on it but that's it. There's no accessibility anywhere.

The internal WLAN is for now connected to DEFAULT_VLAN (VLANID1) and it's working with no problems.

Can anyone give me suggestions on how to proceed from here?
7 REPLIES
Mark Wibaux
Trusted Contributor

Re: Configuring VLANs with HP Procurve 5412zl

Do you have a Procurve WESM module with Radio Ports OR just standalone Wireless APs?
Tibbys96Z
Occasional Visitor

Re: Configuring VLANs with HP Procurve 5412zl

What is your firewall?
It sounds like that is all that is left to do if you are connected to a DMZ port on your firewall. It will need to be configured to allow access from the DMZ to the gateway.
mkoskenk
Occasional Visitor

Re: Configuring VLANs with HP Procurve 5412zl

Hi Mark and Tibbys, your help is very appreciated.

We have a J9051A WESM module installed and a total of 3 Radioport 220's. The firewall is a WatchGuard Firebox x500. The firewall actually has configurations made for DMZ as we used to have a couple of smaller switches before moving to the 5412zl, and one of these switches was connected directly to the DMZ-configured port of the firewall.

I've also defined the VLAN30 (the guest VLAN) to use subdomain 10.10.30.x (s/m 255.255.255.0) and assigned IP address 10.10.30.2 for the VLAN.

I also found out that the WESM has a DHCP server, and from its web management interface I created a new network pool called GUEST with IP 10.10.30.0/24 and assigned it to interface VLAN30. The IP range is 10.10.30.100 - 10.10.30.199.

Wrapping it up, I think my main questions for now are:

1) How do I direct the traffic from the guest VLAN to the 5412zl's port A2 (which is connected to the firewall's DMZ port)?

2) What else do I need to do to get the DHCP working for the VLAN30?

3) Do I need to tag the access point ports A12-A14 for VLAN30 or is tagging A2 enough?

The attached Visio document contains the sketch of the layout.
mkoskenk
Occasional Visitor

Re: Configuring VLANs with HP Procurve 5412zl

Update:

After researching the topology better (I'm still rather green in the house), it seems that the connection from the 5412zl is making a little detour through a ProCurve 1400-24G switch, which in turn is connected to the Ethernet port of the firewall. This is because the cabling transfer work from the old switches to the 5412zl is still unfinished and some of the users are still connected to the old switches. The access point ports are still connected to the 5412zl and from there to the firewall. Please see the attached updated topology.

I got the DHCP working. I can connect to the GUEST WLAN and I get assigned an IP address, but I cannot access the Internet or the internal network (which of course I shouldn't be able to do anyway). When I tried to connect to the WLAN with my mobile phone and started browsing, I got the error "Gateway not reachable". I've got the feeling that I'm getting close to the solution, but there's a little glitch somewhere in the configuration that's preventing me from getting my victory trophy.
Mark Wibaux
Trusted Contributor
Solution

Re: Configuring VLANs with HP Procurve 5412zl

I was guessing from the fact that you mention VLAN 2100 that you have a WESM module and were using Radio Ports as your access points.

As this is the case then you need to understand how traffic flows in that sort of environment.
The WESM module in the switch has 2 onboard 10Gb ethernet connections. 1 designated as an Uplink and the other as a Downlink port. You will see them listed in the switch config as xUP & xDP (where x = the letter of the module slot the WESM is plugged in to).
The WESM talks to the RPs via the Downlink port. It tunnels any of the VLANs you have linked to your SSIDs inside VLAN2100 to the RPs.
The xDP port should be a tagged member of VLAN 2100. It is over this port that all traffic between the RPs and the WESM travels. The xUP port is the port that communicates with your wired network.
In your case xUP should be tagged in both VLAN20 & 30. A2 should be untagged in VLAN30. The ports that your Radio Ports plug into should be untagged in VLAN2100 and should NOT be tagged in any other VLANs (though the auto-provisioning function should have taken care of the radio port links for you).

In the WESM management interface you configure your SSIDs and associate them with the correct VLANs. As you will have tagged VLAN 20 & 30 on to xUP, these VLANs should appear in the list of networks available to the WESM. You will have to give the WESM an IP address in VLAN30 if you want to use it for DHCP to clients on that network. In the DHCP scope you would then set the "router" as the IP address you have configured the DMZ port on the Watchguard.

As long as you do NOT have routing enabled in either the 5412zl or the WESM then VLAN20 & 30 should not be able to talk to each other.
If you have routing enabled on the 5412zl then make sure you do not have an IP address assigned to VLAN30 in the 5412zl config.
If you have routing enabled on the WESM then double check if you really need it (unfortunately I don't have a WESM to check with but I think there may be an option to exclude a particular VLAN from routing).

Sounds like you might have gotten most of what I said above going. Probably the only thing left is to make sure that the "Default Gateway" for the VLAN30 DHCP scope is set to the DMZ port on the Watchguard.
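
The membership rules in the reply above (uplink tagged in VLAN 20 and 30, A2 untagged in VLAN 30, radio-port links untagged only in VLAN 2100, no IP address on the guest VLAN when routing is on) can be checked mechanically against an exported switch config. The Python below is an added example, not part of the thread or of HP's tooling; the sample config is constructed, and the WESM slot letter C and the `ip routing` line in it are assumptions.

```python
import re
# Constructed sample (ProCurve running-config style); assumes the WESM is in slot C (ports CUP, CDP).
SAMPLE = """\
ip routing
vlan 20
   tagged CUP
   exit
vlan 30
   tagged A2,A12-A14,CUP
   ip address 10.10.30.2 255.255.255.0
   exit
vlan 2100
   untagged A12-A14
   tagged CDP
   exit
"""

def expand(ports):  # "A2,A12-A14" -> {"A2", "A12", "A13", "A14"}
    out = set()
    for item in ports.split(","):
        m = re.fullmatch(r"([A-Z])(\d+)-\1(\d+)", item)
        out |= {f"{m[1]}{n}" for n in range(int(m[2]), int(m[3]) + 1)} if m else {item}
    return out

def parse(cfg):
    vlans, routing, cur = {}, False, None
    for w in filter(None, map(str.split, cfg.splitlines())):
        if w[0] == "vlan" and len(w) == 2:
            cur = vlans.setdefault(int(w[1]), {"tagged": set(), "untagged": set(), "ip": False})
        elif w[0] == "exit":
            cur = None
        elif cur and w[0] in ("tagged", "untagged"):
            cur[w[0]] |= expand(w[1])
        elif cur and w[:2] == ["ip", "address"]:
            cur["ip"] = True
        routing |= w == ["ip", "routing"]
    return vlans, routing

def audit(cfg, guest=30, internal=20, rp=2100, fw_port="A2", uplink="CUP"):
    vlans, routing = parse(cfg)
    g, i, r = (vlans.get(v, {"tagged": set(), "untagged": set(), "ip": False}) for v in (guest, internal, rp))
    # Radio-port links are the untagged members of the RP VLAN; they must not be tagged elsewhere.
    leak = sorted(p for vid, v in vlans.items() if vid != rp for p in r["untagged"] & v["tagged"])
    checks = [
        (uplink in g["tagged"] and uplink in i["tagged"], f"{uplink} should be tagged in VLAN {internal} and VLAN {guest}"),
        (fw_port in g["untagged"], f"{fw_port} should be untagged in VLAN {guest}"),
        (not leak, f"radio-port links {leak} are tagged outside VLAN {rp}"),
        (not (routing and g["ip"]), f"ip routing is on and VLAN {guest} has an IP address"),
    ]
    return [msg for ok, msg in checks if not ok]
```

`audit(SAMPLE)` returns three findings for the constructed config; an empty list means the config matches the rules as stated in the reply.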
mkoskenk
Occasional Visitor

Re: Configuring VLANs with HP Procurve 5412zl

Hello and thank you for the detailed answer, Mark. I don't know what to say: I was on sick leave for the whole of the last week, and when I came back to work, my colleague told me that the guest WLAN had started working in the middle of the week without anyone doing further configurations. Go figure...

Anyway, your answer helped me to get on the track, thank you :)
mkoskenk
Occasional Visitor

Re: Configuring VLANs with HP Procurve 5412zl

Thread closed.