
Re: Where does a Guest VSC's IP gateway live?

 
ndoudna
Frequent Advisor

Where does a Guest VSC's IP gateway live?

I'm still trying to set up an HTML-authenticated guest VSC, access-controlled
in its own VLAN, with VSC DHCP relay (not DHCP server).

 

The problem is how to set up an IP gateway and VSC ingress on the same VLAN.
The controller won't allow a network profile (VLAN) to be assigned to both
"VSC ingress mapping" AND to an "IP interface".  It's one or the other.

 

Another thread suggests that for HTML-based authentication with splash pages
to work, the controller has to act as IP gateway for the Guest VSC:

http://h30499.www3.hp.com/t5/E-Series/MSM760-Staff-HTML-web-page-AD-authentication-on-iPad/m-p/5529535

 

So how can the Guest VSC run in its own VLAN and still use the controller
for the gateway?  Where does the VSC's IP gateway live?  (Not in the network
because then the wireless traffic bypasses the controller.)

 

thanks,
noemi

Fredrik Lönnman
Honored Contributor

Re: Where does a Guest VSC's IP gateway live?

The VSC IP gateway has to live in the controller, then you can put the Internet port in a separate VLAN and route through it.

---
CCIE Service Provider
MASE Network Infrastructure [2011]
H3CSE
CCNP R&S

ndoudna
Frequent Advisor

Re: Where does a Guest VSC's IP gateway live?

But how do you configure the Guest VSC's IP gateway in the Guest VSC VLAN if the VLAN is already assigned to the VSC ingress mapping?

 

For example:

 

Network Profile "Guest120" is defined, VLAN ID 120 (Controller > Network > Network profiles)

Network profile "Guest120" is mapped to the LAN port, tagged 120 (Controller > Network > VLANs)

 

Guest VSC subnet/VLAN:

   - IP subnet:  172.17.120.0/24

   - Gateway IP:  172.17.120.1

   - VSC ingress mapping: "Guest120 (120)"

 

Now how is IP interface 172.17.120.1 configured?  Controller > Network > IP interfaces won't allow it.

 

thanks,

noemi

ISoliman
Super Advisor

Re: Where does a Guest VSC's IP gateway live?

Are you configuring the DHCP option under the VSC? If yes, then when you put in the gateway IP address, the Controller will automatically assign it to itself; no need to do anything.

ndoudna
Frequent Advisor

Re: Where does a Guest VSC's IP gateway live?

No, I'd like to know how to set this up without the controller being the DHCP server.

 

I'm asking more of a design question, not a "how to" question. I'm not looking for a workaround; I want to understand how every bit of it works so that if our customers ask how to do something, or if it can be done, I have an answer.  "Just use the controller's DHCP server" isn't always going to fly.

 

 From a lot of experimenting, I've found a few facts that are necessary to support HTML-based authentication.  (Disclaimer: I still haven't succeeded in setting this up yet, due to other unrelated problems.)

 

- The LAN port must be the gateway for the Guest VSC's subnet.

 

- If the Controller is now to be used as the Gateway for a subnet, it needs another interface to send the traffic it's routing to.  Otherwise from a routing perspective it's a leaf.  So the Internet port has to be used also, with a default route in the controller pointing to the Internet port's next hop.

 

- Use the LAN port's "management" IP address to number the Controller, and have a DHCP scope somewhere in the network for that subnet for the APs' own management IP addresses.

 

- In the end, you end up with 3 subnets/VLANs:

 1 -- Internet port to the outside world gateway (Internet port)

 2 -- Controller/AP management (LAN mgmt IP address)

 3 -- Guest VSC / wireless clients (LAN port main IP address).

 

While you could use the Controller for DHCP, so far I've found nothing that indicates you have to, and some IT managers might not want to.  

 

HTML-based authentication shouldn't be hard, but it's quite a wiggle if you want a separate subnet, VLAN and DHCP scope for the guest VSC wireless clients, that does not include any IP address that belongs to the Controller itself.   Imagine that!

 

thanks,

noemi

ISoliman
Super Advisor

Re: Where does a Guest VSC's IP gateway live?

Check the Implementation Guide, please; it has the details about that and how to use the relay feature, which is required if you are not using the DHCP server on the controller.

Fredrik Lönnman
Honored Contributor

Re: Where does a Guest VSC's IP gateway live?

Since the controller has to be the gateway and DNS for the client to use HTML-based authentication, there are some quirks that come with it. Most of them are somewhat described in the Implementation Guide, but a few are not that obvious (like that the controller assigns the IP you specify in the VSC settings as dhcp-gateway or as source when you do dhcp-relay).

 

So the "- The LAN port must be the gateway for the Guest VSC's subnet." is not quite true; it's the VSC itself (some internal dummy/virtual interface) that is the gateway, and you can have multiple guest VSCs in different subnets.

---
CCIE Service Provider
MASE Network Infrastructure [2011]
H3CSE
CCNP R&S

ndoudna
Frequent Advisor

Re: Where does a Guest VSC's IP gateway live?

 

>>

So the "- The LAN port must be the gateway for the Guest VSC's subnet." is not quite true, it's the VSC itself (some internal dummy/virtual interface

>>

 

That dummy/hidden interface is only assigned if the Controller is also used for DHCP server though, is that right?  What if you don't want to use the Controller for DHCP at ALL?

 

>>

...the controller assigns the IP you specify in the VSC settings as dhcp-gateway or as source when you do dhcp-relay

>>

 

DHCP relay: I've found that the VSC DHCP relay uses the Controller's LAN port IP address as the DHCP relay source -- unless you indicate another DHCP source IP address in "subnet selection" in the VSC.

 

(I've scoured the Implementation Guide many times; it's missing all sorts of crucial information, like that the Controller has to be gateway and DNS, and it also assumes you'll be using the Controller for DHCP.  It doesn't mention what "subnet selection" is for either.  Believe me, I wouldn't dream of posting these questions to you kind experts without the RTFM box checked off first :) )

 

thanks,

noemi

Fredrik Lönnman
Honored Contributor

Re: Where does a Guest VSC's IP gateway live?


@ndoudna wrote:

 

>>

So the "- The LAN port must be the gateway for the Guest VSC's subnet." is not quite true, it's the VSC itself (some internal dummy/virtual interface

>>

 

That dummy/hidden interface is only assigned if the Controller is also used for DHCP server though, is that right?  What if you don't want to use the Controller for DHCP at ALL?

 

>>

...the controller assigns the IP you specify in the VSC settings as dhcp-gateway or as source when you do dhcp-relay

>>

 

DHCP relay: I've found that the VSC DHCP relay uses the Controller's LAN port IP address as the DHCP relay source -- unless you indicate another DHCP source IP address in "subnet selection" in the VSC.

 

(I've scoured the Implementation Guide many times; it's missing all sorts of crucial information, like that the Controller has to be gateway and DNS, and it also assumes you'll be using the Controller for DHCP.  It doesn't mention what "subnet selection" is for either.  Believe me, I wouldn't dream of posting these questions to you kind experts without the RTFM box checked off first :) )

 

thanks,

noemi


 

In an access-controller scenario the controller has to be used as either DHCP server or DHCP relay. Either way it HAS to be gateway (and DNS if you want HTML-based access). I'm totally with you that the Implementation Guide is horrible for those things... though it does actually mention the facts that the controller has to be gateway and DNS, but it's not really where you'd expect to find it, and even when you know it beforehand it's not really obvious when you do read it ;\

---
CCIE Service Provider
MASE Network Infrastructure [2011]
H3CSE
CCNP R&S

ndoudna
Frequent Advisor

Re: Where does a Guest VSC's IP gateway live?

>it does actually mention the facts that the controller has to be gateway and DNS

 

Put me out of my misery, please -- WHERE?!

 

thanks,

noemi

Colin Benson
Advisor

Re: Where does a Guest VSC's IP gateway live?

-- Can I add something to this one, as it is very similar to my scenario --

 

In a teaming environment for this Guest scenario, the LAN IP for the GW address for the DHCP scope is a bit muddy as to what to use: the virtual team IP, the controller LAN IP or the Internet port IP? I cannot get my Guest VSC to present an HTML login page!

 

 

JesseR
Regular Advisor

Re: Where does a Guest VSC's IP gateway live?


@Fredrik Lönnman wrote:

@ndoudna wrote:

 

>>

In an access-controller scenario the controller has to be used as either DHCP server or DHCP relay. Either way it HAS to be gateway (and DNS if you want HTML-based access). I'm totally with you that the Implementation Guide is horrible for those things... though it does actually mention the facts that the controller has to be gateway and DNS, but it's not really where you'd expect to find it, and even when you know it beforehand it's not really obvious when you do read it ;\


Are you sure about that?   I have a guest VSC setup right now that is using a Client Data Tunnel and that guest VSC uses an external DHCP server (windows box) on another VLAN (using DHCP relay).  The DHCP scope does NOT have the MSM controller specified as the DNS or gateway address.   The VSC is using HTML Based Logons too.

 

So I'm not sure that statement is correct...  If that's listed somewhere in the Implementation Guide, please pass along where you see that, thanks.

 

J

 

Jesse R
Source One Technology, Inc.
HP Partner


MSM 5.7.x deployment guide:

Fredrik Lönnman
Honored Contributor

Re: Where does a Guest VSC's IP gateway live?


@JesseR wrote:

@Fredrik Lönnman wrote:

@ndoudna wrote:

 

>>

In an access-controller scenario the controller has to be used as either DHCP server or DHCP relay. Either way it HAS to be gateway (and DNS if you want HTML-based access). I'm totally with you that the Implementation Guide is horrible for those things... though it does actually mention the facts that the controller has to be gateway and DNS, but it's not really where you'd expect to find it, and even when you know it beforehand it's not really obvious when you do read it ;\


Are you sure about that?   I have a guest VSC setup right now that is using a Client Data Tunnel and that guest VSC uses an external DHCP server (windows box) on another VLAN (using DHCP relay).  The DHCP scope does NOT have the MSM controller specified as the DNS or gateway address.   The VSC is using HTML Based Logons too.

 

So I'm not sure that statement is correct...  If that's listed somewhere in the Implementation Guide, please pass along where you see that, thanks.

 

J

 


3-60
"12. Select the DHCP server check box, and configure the following settings:
a. For DNS, type the MSM Controller’s IP address on the ingress guest
VLAN. The controller will capture DNS queries and forward them to
the DNS servers configured on the Controller > Network > DNS window.
In this example, type 10.1.50.1.
[...]
d. For Gateway, type the same IP address that you typed for DNS. The
controller will automatically use this IP address to route guests’
traffic. For this example, type 10.1.50.1"

4-89
"Because the controller will be handling and forwarding egressing guest traffic,
it requires a DNS server and IP routes"
[...]
"5. Ensure that the DNS interception check box is selected.
This feature is required for the MSM Controller to implement Web-Auth
for guests."

 

I'm reading this like the controller needs to be GW and DNS, although I'm actually hoping that I'm wrong (which seems to be the case, since you obviously got this running without the controller being GW and DNS). I've always been under the impression that the DNS injection for web-auth only works when the controller is configured as the DNS server on the clients, but that maybe isn't the case... and it is actually capable of snooping all DNS requests in the tunnel, even to external DNS servers?

---
CCIE Service Provider
MASE Network Infrastructure [2011]
H3CSE
CCNP R&S

acohenssv
New Member

Re: Where does a Guest VSC's IP gateway live?


ndoudna wrote:

- The LAN port must be the gateway for the Guest VSC's subnet.

 

Does that mean that you can't use a tagged VLAN interface?

Chaamaa
Occasional Advisor

Re: Where does a Guest VSC's IP gateway live?

Hi,

 

I am also facing this scenario in my MSM 760 team. My MSM has firmware version 6.4. My DHCP server is my core switch.

 

On switch

 

I have created a VLAN for guests on the switch (VLAN 91)

Created a DHCP pool for the Guest VLAN and assigned the default gateway and DNS as the controller LAN IP (I am using only the LAN port)

 

On WLC

Created Guest VSC with access control and HTML auth with local accounts, always tunnel client traffic. Others are default.

Created network profile with VLAN 91

VSC bound with egress to VLAN 91


Created user guest with password and added the Guest VSC

 

When I try to connect to the guest SSID, clients get connected but no IP address is received. When I remove the "always tunnel client traffic" tick and sync the APs, guest users can go to the Internet but there is no HTML auth page.

 

With my previous MSM 760 with firmware version 5.5 (without teaming, using the controller DHCP server) it worked.

 

Management wants to display that HTML page to guests, and now I am helpless since HP support still has not contacted me regarding this for a long time.

 

Thank you

Kind regards

Chaamaa