Re: MSM 765zl Configuration (7110 Views)
Advisor
anthonymel_1
Posts: 12
Registered: ‎01-09-2011
Message 1 of 13 (7,110 Views)
Accepted Solution

MSM 765zl Configuration

Planning on setting up a team of these and I need some help with what I should do for the Guest WLAN.

Right now I am placing the controller and APs on my internal network (VLAN 1) which is 10.1.x.x. I created VLAN 3 for guest wireless traffic for subnet 192.168.3.x. My switch is set up with an IP helper address on VLAN 3 and all works well when a client connects to a VLAN 3 port via the wired network.

So for my Guest VSC:
Authentication: Enabled
Security: HTTP Web Based User Log in
Access Control: Enabled
Client Client Data: Enabled
Egress Port: VLAN 3
DHCP Relay: Enabled
DHCP Relay Egress Port: VLAN 3

Does this make sense? I want the guest traffic to get out to the VLAN 3 network and then get an IP address from my internal DHCP server. After that I want the client on the Guest WLAN to be redirected to an HTTP login page.

The LAN port on the controller would be untagged 10.1.1.1 and VLAN 3 would be tagged via the LAN port with no IP. Should I do anything with the Internet port?

Please help!

P.S. This thread has been moved from Communications, Wireless (Legacy ITRC forum) to MSM Series.
-HP Forum Moderator

Honored Contributor
cenk sasmaztin
Posts: 1,435
Registered: ‎04-02-2008
Message 2 of 13 (7,110 Views)

Re: MSM 765zl Configuration

Good idea, but impossible, because you want HTML authentication.

The welcome page is served from the controller LAN port to the guest user; therefore you must use the LAN port in untagged state on VLAN 3 (guest VLAN), and all guest users' default gateway address must be the controller LAN port.

My solution:
Connect the LAN port to the guest network on an untagged switch port; all guest users connect (guest VSC) directly to the guest network with default group VSC binding for VLAN 3.
The VLAN 3 DHCP server must be on the MSM controller.

All access points log in to the controller on the Internet port on a different VLAN, for example VLAN 2. VLAN 2 DHCP is served by the corporate DHCP server; all access points take their IP address from the corporate DHCP server for the controller connection. All corporate users connect through a different VSC to a different VLAN with default group VSC binding.

Very easy.
You only need to understand the device deployment architecture.

cenk

Advisor
anthonymel_1
Posts: 12
Registered: ‎01-09-2011
Message 3 of 13 (7,110 Views)

Re: MSM 765zl Configuration

Thanks for your help but your English is very broken.

Also, this configuration will have two MSM765zl in a team. When in a team you cannot use them as DHCP servers.

And what I can understand from your reply is to create an untagged VLAN 3 using the LAN port. What I don't understand is that, since this is a module in a 5412zl, how do I leave it untagged or tagged for that matter?

Anyone else with a suggestion?
Advisor
Kyle Massey
Posts: 16
Registered: ‎01-20-2011
Message 4 of 13 (7,110 Views)

Re: MSM 765zl Configuration

Since the guest traffic is tunnelled to the controller from the AP, and is not tagged at the AP, you will have to control the traffic at the MSM controller backplane ports. There is one for your Internet port (F1 if it is in module F) and one for the LAN port (F2). You will tag these ports for whatever VLANs you want to send your guest traffic to.

Typically I would set up the guest traffic to route out the Internet port directly to a reserved port on your firewall. Set up a subnet and assign a .1 to the Internet port and a .254 to your firewall. You can provide DHCP via a DHCP relay to your firewall or to an internal DHCP server. Use the "Extend Internet Port subnet to LAN port" to alter the DHCP requests going to your DHCP server to show the .1 address of the Internet port as the router id. This will assign an address to clients in this range.

Set up a default route to your firewall over the Internet port and an inside route to your internal router (10.0.0.0/8). The guest traffic will be the only traffic that routes over the MSM so you don't need any other routes. The inside route is really only so you can manage the MSM from other VLANs inside your network.

I hope this gets you going in the right direction.
www.traversasolutions.com;http://www.linkedin.com/pub/kyle-massey/22/23/126
Advisor
anthonymel_1
Posts: 12
Registered: ‎01-09-2011
Message 5 of 13 (7,110 Views)

Re: MSM 765zl Configuration

Thank you!! This makes this so much clearer to understand now.

So I'll leave the LAN port untagged and tag the Internet port for my Guest VLAN (VLAN 3). Do I do the tagging in the controller or in the switch?

I'll just have the DHCP Relay go out my Internet port and have the switch's IP helper on that VLAN handle the relay to the internal DHCP server. Is that ok?

So the default gateway for the controller would be on the VLAN 3 network of 192.168.3.x?

If I understand you correctly the secure clients will enter the network via the AP and will not be routed through the controller. Hence I don't have to worry about the default gateway being on another subnet?

Last, where do I place the web site for authentication? Do I need to connect it to a port or does it happen inside the controller itself?

Thanks a lot again. Finally feeling confident about all this.
Advisor
anthonymel_1
Posts: 12
Registered: ‎01-09-2011
Message 6 of 13 (7,110 Views)

Re: MSM 765zl Configuration

This may sound stupid but should I make the default gateway of my guest clients the controller IP? Right now I have it set for the firewall/router.
Advisor
Kyle Massey
Posts: 16
Registered: ‎01-20-2011
Message 7 of 13 (7,110 Views)

Re: MSM 765zl Configuration

You will want to "untag" the Internet port for your "internet" VLAN. Set the Internet port IP address on that VLAN as .1 and make sure your DHCP scope sets this as the clients' default gateway (router id).

You then just need to put a default route to the internet VLAN's gateway on your firewall or switch, wherever it points.

The clients are actually tunneled through the client data tunnel from the AP to the controller and the traffic is handled from the controller, not the AP. The HTML site is on the controller and you just need to set the VSC for "Access control" and "html authentication".

Let me know if that gets you going!

Kyle
www.traversasolutions.com;http://www.linkedin.com/pub/kyle-massey/22/23/126
Advisor
anthonymel_1
Posts: 12
Registered: ‎01-09-2011
Message 8 of 13 (7,110 Views)

Re: MSM 765zl Configuration

So I guess I do the untagging on the 5412zl switch, like I would do for any other port?

Set up my DHCP scope for the guest to point the default gateway to the Internet port on the controller. Then set up a default route on the controller for the Internet port going to my Internet port's gateway.

For the guest VSC what should I set the egress port to? Default? or Internet port? Or do I set the egress port on the VSC binding page for my APs?

Let me say that your help has been tremendous. Do you have any other suggestions for me that you ran into in your setup?

Thanks again!
Advisor
Kyle Massey
Posts: 16
Registered: ‎01-20-2011
Message 9 of 13 (7,110 Views)

Re: MSM 765zl Configuration

Yes you would just untag the port on the 5412. The 1st port is the internet port and port 2 is the lan. You can verify by mac address. 'sho mac f1'

Since the traffic is 'routed' at the controller for guests, there is no need to set an egress layer 2 vlan on the binding or vsc.

I usually set up the gateway for the Internet port directly on a firewall so that it is completely segregated off the network. Also make sure you use public DNS servers on the controller DNS config, since guests will be using these to resolve internet queries.

Make sure when you set up your DHCP scope for guests to set the DNS server to the Internet port address of the MSM, since it will hijack all DNS requests.

Let me know if that works!
www.traversasolutions.com;http://www.linkedin.com/pub/kyle-massey/22/23/126
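
Added example, not part of the thread and not HP's tooling: a Python check of the guest addressing plan described in the replies above (Internet port on .1, firewall on .254, DHCP scope router and DNS set to the Internet port, default route to the firewall, inside route 10.0.0.0/8). The dictionary keys, DHCP range, resolver addresses and the reading of "public DNS" as globally routable are assumptions; 192.168.3.x is the guest subnet from the first post.

```python
import ipaddress

# Constructed plan: key names, DHCP range and resolvers are assumptions.
GUEST_PLAN = {
    "guest_subnet": "192.168.3.0/24",
    "inside_route": "10.0.0.0/8",
    "internet_port_ip": "192.168.3.1",
    "firewall_ip": "192.168.3.254",
    "default_route_gw": "192.168.3.254",
    "controller_dns": ["8.8.8.8", "1.1.1.1"],
    "dhcp_scope": {"range": ("192.168.3.10", "192.168.3.200"),
                   "router": "192.168.3.1", "dns": "192.168.3.1"},
}


def check_guest_plan(plan):
    """Return a list of findings; an empty list means the plan is consistent."""
    ip = ipaddress.ip_address
    guest = ipaddress.ip_network(plan["guest_subnet"])
    inside = ipaddress.ip_network(plan["inside_route"])
    port, fw = ip(plan["internet_port_ip"]), ip(plan["firewall_ip"])
    scope = plan["dhcp_scope"]
    findings = []
    # Segregation: guest addresses must not fall inside the internal route.
    if guest.overlaps(inside):
        findings.append("guest subnet overlaps the inside route")
    for name, addr in (("Internet port", port), ("firewall", fw)):
        if addr not in guest:
            findings.append(f"{name} {addr} is outside {guest}")
    # Guest traffic leaves through the firewall, not the internal router.
    if ip(plan["default_route_gw"]) != fw:
        findings.append("default route does not point at the firewall")
    # Clients use the controller as gateway and DNS, as the replies advise.
    if ip(scope["router"]) != port:
        findings.append("DHCP scope router is not the Internet port")
    if ip(scope["dns"]) != port:
        findings.append("DHCP scope DNS is not the Internet port")
    # Assumption: "public DNS" is read as a globally routable resolver.
    for dns in plan["controller_dns"]:
        if not ip(dns).is_global:
            findings.append(f"controller DNS {dns} is not a public resolver")
    lo, hi = (ip(a) for a in scope["range"])
    if lo not in guest or hi not in guest or lo <= port <= hi or lo <= fw <= hi:
        findings.append("DHCP range leaves the subnet or covers a static IP")
    return findings


if __name__ == "__main__":
    print(check_guest_plan(GUEST_PLAN) or "plan is consistent")
```
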
Advisor
anthonymel_1
Posts: 12
Registered: ‎01-09-2011
Message 10 of 13 (7,110 Views)

Re: MSM 765zl Configuration

That will do just fine! Thanks for all your help! Greatly appreciated!
Advisor
anthonymel_1
Posts: 12
Registered: ‎01-09-2011
Message 11 of 13 (7,089 Views)

Re: MSM 765zl Configuration

Where should I assign the IP address for the Internet Port? Should I do it through the CLI or through the Web Management site? I say this because if I assign it through the Web Management site it wants to hand out public IPs to clients or VPN to NAT addresses. I don't want this. I just want the Internet Port to egress to a VLAN I assigned it to in the switch. I don't need it to hand out IPs based on NAT or public IPs.
Occasional Visitor
andrewnjue
Posts: 2
Registered: ‎10-03-2011
Message 12 of 13 (6,948 Views)

Re: MS Zeal Configuration

This has interested me.

I am having the same sort of problem, with guest access on the Internet port. I have a problem getting the guest traffic tunnelled through the controller to the firewall.

Also I have a problem with the Internet port: when I assign it an IP address, that address takes precedence over the LAN IP when it comes to discovering the controller by APs or sending RADIUS requests to Windows IAS, even though I have configured the LAN port to be used for discovery of the controller.

The LAN port works and allows me to manipulate the network as I want using VLANs, but when I try to configure guest access on the Internet port all fails.

Any help will be highly appreciated.

Regards,

Andrew

Occasional Visitor
imrans
Posts: 2
Registered: ‎08-20-2013
Message 13 of 13 (2,259 Views)

Re: MS Zeal Configuration

Hi,

How can I do this if I have to use a public IP on the MSM's Internet Port, i.e. I want to NAT a VLAN 150 using this public IP in a guest VSC scenario?

Imran
