08-04-2011 04:13 AM - last edited on 12-01-2013 07:16 PM by maikoro
Hi HP MSM's mates.
For a few weeks (or months) we have been trying to add guest access to our existing wireless configuration:
- MSM730 controller
- A few APs connected on the LAN port into a specific VLAN on the switch(es) (untagged)
- HP PoE switches
- 2 VSCs, each egressed to a different VLAN on the Internet port:
  - First VSC = business > egressed to VLAN 2 on the Internet port with an IP address > this Internet port connected to a firewall on VLAN 2 to connect to the rest of the network
  - Second VSC = guest > egressed to VLAN 4 on the Internet port with an IP address > Internet port connected to the same firewall / router on VLAN 4 to connect to map to the internet.
Special options on the MSM:
- Expand Internet port subnet to the LAN port
- DHCP relay on each VSC, redirecting each VSC to 2 different DHCP servers. IP addressing works fine.
- Access control enabled on each VSC.
With this configuration we can connect to each VSC and obtain the correct IP address and association.
You can ping the controller VLAN on the Internet port and the firewall VLAN port.
1- Does this configuration seem correct to you?
2- The LAN port seems to be doing the routing job between the two VLANs (and then between the two VSCs). So even if a client of one VSC can't ping a client on the other VSC, I'm surprised to see that a client associated with one VSC can ping the VLAN port of the other VSC. The VLANs don't seem to be completely isolated.
3- How do you configure the routing table to allow the two VSCs' clients to be routed to the right place on the firewall?
I hope this is not too confusing. I can give additional information on demand. Thanks in advance.
P.S.: If I am completely off from the right configuration, could you suggest the right one? Bye
P.S. This thread has been moved from Communications, Wireless (Legacy ITRC forum) to MSM Series. - HP Forum Moderator
08-05-2011 06:02 AM
I am replying to myself, but unfortunately not to tell you that I solved my problem.
I really don't understand WHY my two VLANs aren't perfectly isolated.
- A user connected to a VSC egressed to VLAN X can ping the address of the MSM Internet port on VLAN Y!
- That is certainly the reason why I can't put two routes in the routing table. I'd like to put one route per VLAN, but this, as we can guess, crashes the controller management interface (the packets don't know which route to use).
- How can I correctly isolate my two VLANs? (Or where am I making a network mistake?)
Any help would be fully appreciated...
08-08-2011 08:32 AM
Another try, another problem:
I really don't know how to isolate (separate) traffic between two VSCs. No success with VLAN configuration, no success without.
I can't find how to make the internal firewall work, because it controls the Internet port and all traffic follows the bridge port to communicate inter-VSC.
Even with the "Allow traffic between wireless clients" option set to "no", my public clients ping the workers' clients.