01-17-2011 06:05 PM - last edited on 08-25-2013 07:04 PM by Liuqing
Planning on setting up a team of these and I need some help with what I should do for the Guest WLAN.
Right now I am placing the controller and APs on my internal network (VLAN 1) which is 10.1.x.x. I created VLAN 3 for guest wireless traffic for subnet 192.168.3.x. My switch is set up with an ip helper address on VLAN 3 and all works well when a client connects to a VLAN 3 port via the wired network.
So for my Guest VSC:
Security: HTTP Web Based User Log in
Access Control: Enabled
Client Data: Enabled
Egress Port: VLAN 3
DHCP Relay: Enabled
DHCP Relay Egress Port: VLAN 3
Does this make sense? I want the guest traffic to get out to the VLAN 3 network and then get an IP address from my internal DHCP server. After that I want the client on the Guest WLAN to be redirected to an HTTP login page.
The LAN port on the controller would be untagged 10.1.1.1 and VLAN 3 would be tagged via the LAN port with no IP. Should I do anything with the Internet port?
P.S. This thread has been moved from Communications, Wireless (Legacy ITRC forum) to MSM Series.
-HP Forum Moderator
01-18-2011 12:09 PM
Because you want HTML authentication
with the welcome page on the controller LAN port for guest users, you must use the LAN port in untagged state on VLAN 3 (guest VLAN), and all guest users' default gateway address must be the controller LAN port.
The LAN port connects to the guest network on an untagged switch port; all guest users connect (guest VSC) directly to the guest network with the default group VSC binding for VLAN 3.
The VLAN 3 DHCP server must be on the MSM controller.
All access points log in to the controller on the Internet port on a different VLAN, for example VLAN 2; VLAN 2 DHCP services come from the corporate DHCP server, so all access points take their IP address from the corporate DHCP server for the controller connection. All corporate users connect via different VSCs to different VLANs with default group VSC binding.
It is only necessary for you to understand the device deployment architecture.
01-18-2011 12:32 PM
Also, this configuration will have two MSM765zl in a team. When in a team you cannot use them as DHCP servers.
And from what I can understand from your reply, I am to create an untagged VLAN 3 using the LAN port. What I don't understand is, since this is a module in a 5412zl, how do I leave it untagged or tagged for that matter?
Anyone else with a suggestion?
01-20-2011 04:08 PM
Typically I would set up the guest traffic to route out the Internet port directly to a reserved port on your firewall. Set up a subnet and assign a .1 to the Internet port and a .254 to your Firewall. You can provide DHCP via a DHCP relay to your firewall or to an internal DHCP server. Use the "Extend Internet Port subnet to LAN port" to alter the DHCP requests going to your DHCP server to show the .1 address of the Internet port as the router id. This will assign an address to clients in this range.
Set up a default route to your firewall over the Internet port and an inside route to your internal router (10.0.0.0/8). The guest traffic will be the only traffic that routes over the MSM so you don't need any other routes. The inside route is really only so you can manage the MSM from other VLANs inside your network.
I hope this gets you going in the right direction.
01-20-2011 07:25 PM
So I'll leave the LAN port untagged and tag the Internet port for my Guest VLAN (VLAN 3). Do I do the tagging in the controller or in the switch?
I'll just have the DHCP Relay go out my Internet port and have the switch's IP helper on that VLAN handle the relay to the internal DHCP server. Is that ok?
So the default gateway for the controller would be on the VLAN 3 network of 192.168.3.x?
If I understand you correctly the secure clients will enter the network via the AP and will not be routed through the controller. Hence I don't have to worry about the default gateway being on another subnet?
Last where do I place the web site for authentication. Do I need to connect it to a port or does it happen inside the controller itself?
Thanks a lot again. Finally feeling confident about all this.
01-22-2011 09:48 AM
You will want to "untag" the Internet port for your "internet" VLAN. Set the Internet port IP address on that VLAN as .1 and make sure your DHCP scope sets this as the clients' default gateway (router id).
You then just need to put a default route to the internet VLAN's gateway on your firewall or switch, wherever it points.
The clients are actually tunneled through the client data tunnel from the AP to the controller and the traffic is handled from the controller, not the AP. The HTML site is on the controller and you just need to set the VSC for "Access control" and "HTML authentication".
Let me know if that gets you going!
01-22-2011 01:38 PM
Set up my DHCP scope for the guest to point the default gateway to the Internet port on the controller. Then set up a default route on the controller for the Internet port going to my Internet port's gateway.
For the guest VSC what should I set the egress port to? Default? or Internet port? Or do I set the egress port on the VSC binding page for my APs?
Let me say that your help has been tremendous. Do you have any other suggestions for me that you ran into in your setup?
01-24-2011 07:28 AM
Since the traffic is 'routed' at the controller for guests, there is no need to set an egress layer 2 vlan on the binding or vsc.
I usually set up the gateway for the Internet port directly on a firewall so that it is completely segregated off the network. Also make sure you use public DNS servers on the controller DNS config, since guests will be using these to resolve internet queries.
Make sure when you set up your DHCP scope for guests to set the DNS server to the Internet port address of the MSM, since it will hijack all DNS requests.
Let me know if that works!
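The guest design described in the last few replies (Internet port at .1, firewall at .254, DHCP scope pointing gateway and DNS at the Internet port, only a default route plus a management route) can be checked mechanically. The following is an added example, not code from the thread or from HP; the config dicts, the internal router address 10.1.1.254 and the resolver 10.1.1.10 are constructed values.

```python
import ipaddress

# Constructed samples (not the MSM's own config format): the guest subnet
# 192.168.3.0/24 with the controller Internet port at .1, the firewall at .254,
# and an inside route for 10.0.0.0/8 via an assumed internal router 10.1.1.254.
GOOD_DESIGN = {
    "guest_subnet": "192.168.3.0/24",
    "internet_port_ip": "192.168.3.1",
    "firewall_ip": "192.168.3.254",
    "dhcp_scope": {"routers": "192.168.3.1", "dns": ["192.168.3.1"]},
    "routes": [
        {"prefix": "0.0.0.0/0", "next_hop": "192.168.3.254"},
        {"prefix": "10.0.0.0/8", "next_hop": "10.1.1.254"},
    ],
}
# Same design with two common mistakes: guests are handed an internal resolver
# and the default route goes to the internal router instead of the firewall.
BAD_DESIGN = {
    **GOOD_DESIGN,
    "dhcp_scope": {"routers": "192.168.3.1", "dns": ["10.1.1.10"]},
    "routes": [
        {"prefix": "0.0.0.0/0", "next_hop": "10.1.1.254"},
        {"prefix": "10.0.0.0/8", "next_hop": "10.1.1.254"},
    ],
}

def audit_guest_design(d):
    """Return a list of findings; an empty list means the design follows the thread's rules."""
    findings = []
    net = ipaddress.ip_network(d["guest_subnet"])
    inet = ipaddress.ip_address(d["internet_port_ip"])
    fw = ipaddress.ip_address(d["firewall_ip"])
    if inet not in net or fw not in net:
        findings.append("Internet port and firewall must both sit in the guest subnet")
    scope = d["dhcp_scope"]
    if ipaddress.ip_address(scope["routers"]) != inet:
        findings.append("DHCP router option must be the controller Internet port")
    if [ipaddress.ip_address(x) for x in scope["dns"]] != [inet]:
        findings.append("DHCP DNS option must be the Internet port (the MSM intercepts DNS)")
    routes = {ipaddress.ip_network(r["prefix"]): ipaddress.ip_address(r["next_hop"])
              for r in d["routes"]}
    if routes.get(ipaddress.ip_network("0.0.0.0/0")) != fw:
        findings.append("default route must point at the firewall on the Internet port subnet")
    for prefix, hop in routes.items():
        # Beyond the default route only a management route back inside should exist,
        # and neither its prefix nor its next hop may touch the guest subnet.
        if prefix.prefixlen != 0 and (prefix.overlaps(net) or hop in net):
            findings.append(f"route {prefix} via {hop} mixes guest and internal paths")
    return findings
```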
10-03-2011 05:33 AM
This has interested me.
I am having the same sort of problem, with Guest access on the Internet port. I have a problem getting the guest traffic tunnelled through the controller to the firewall.
Also I have a problem with the Internet port: when I assign it an IP address, that address takes precedence over the LAN IP when it comes to discovering the Controller by APs or sending RADIUS requests to Windows IAS, even though I have configured the LAN port to be used for discovery of the controller.
The LAN port works and allows me to manipulate the network as I want using VLANs, but when I try to configure guest access on the Internet port all fails.
Any help will highly be appreciated.