Wireless Vlan Configuration 1

[anthonymeluso]

This is probably a dumb question but I'm still unsure if this is right. We have multiple Procurve 5412zl and will be adding procurve wireless AP's soon. We would like to divide our wireless network into two VLAN one for our internal clients that use a RADIUS type configuration and a second VLAN that would be for guest.

My question is how should I configure the switch port that the APs are connected to on the 5412's? Should I tagged the port for both VLAN ids or something else?

Thanks!

 

[cajuntank]

Are you going to be using a wireless controller or just individually configured APs?

With wireless controlled APs, that is all handled via the controller. Configuration on the VSC (Virtual Service Community) will give you options of different methods of authentication and VLANs that are then passed down to the APs to broadcast. So for example. You might have a "Secure" VSC and a "Public" VSC bound to each AP. Then based on certificate or whatever authentication method defined, they would be on the Secure VLAN or the Public restricted VLAN. Here is a link to one of the controller manuals; even if you use the internal 765zl module, the concepts are still valid.

http://cdn.procurve.com/training/Manuals/r531/MSM7xx-MCG-May09-5992-5929.pdf

 

[anthonymeluso]

Yes ill be using a wireless controller. I know I can setup different SSIDs and assign VLANs to each one in the controller, but the APs that are connected to the switch wouldnt I have to tag that port for both VLANs?

 

[cajuntank]

Nope. You will setup some DHCP options (probably still labled Colubris) on your DHCP server. The access points will grab an IP address just like any other regular workstation, but it will get the controller's IP address from the DHCP information. With the wireless controller and APs, think of it like thin client technology... The controller is the thing you address like another switch. You will create VLANs with the same tag ID and name like that which is on your switch. Tag the port from the switch to the controller for the applicable VLANs (maybe a little different if the controller is a zl module). The APs are just the "thin client" part of it.

I have mine setup where I have a secure SSID and a public SSID. I have just the one controller (MSM750), but it handles all APs across my WAN. If a workstation authenticates correctly for my secure SSID, they get a IP address appropriate to their local subnet. If they are guests, then they can sign onto the public SSID which is only in one specific subnet. This means that no matter where they are in my WAN, they will be given addressing from one particular subnet that is tunneled back to the controller where I have firewall rules and bandwidth restrictions just for them.

I am about to replace my 750 with 765zl, so my config I'm sure will change a little, but I will be able to implement another 765zl module later on for redundancy.

 

[anthonymeluso]

Ok thats a little clearer now. Let me post my understaning of this.

Ill setup the ethernet side of the controller with two ips one for each vlan id. These would match the same setup that is on my switches. I will them setup two SSIDs and assign a vlan id to each. On the physical switch port of my 5406zl that is connected to the APs it will be set to one vlan as untagged.

Does this look right?

 

[cajuntank]

Depends... if you have an external controller like I do, the the way I did mine was set a single IP address on the LAN side of the controller. I created a VLAN on the controller just for "Public" SSID/VSC to route out through the WAN interface on the controller (I can't remember for sure, but I think it does this by default, so it maybe the "Secure" SSID/VSC that I created routes for to point back into my network). This WAN interface is in my DMZ network so my Sonicwall firewall handles the firewall aspect, but I could have used the built in firewall feature of the wireless controller had I chose to. My internal switching knows nothing of the "Public" SSDI/VSC VLAN I created on the wireless controller because it doesn't need to. The clients that associate via the "Public" SSID are given an IP address from DHCP service on the controller and routed out the WAN int on the controller to the Internet. The clients that associate via the "Secure" SSID are routed back internally on the private network and are thus given addresses from their local DHCP server on their campus.

Again, there are several ways to do the setup and it just depends on your needs. The LAN port on the controller does support port tagging and as long as you VLAN tags are the same, can "trunk" (Cisco term) VLANs.

The implementation guide goes through several scenarios but you will need a HP Passport to access.

https://my.procurve.com/mymanuals/mymanuals.aspx?wp=solutiondocs

Happy Holidays.

 

[anthonymeluso]

Cajuntank,

Thanks for all your help. I was actually told by an HP rep that if you have a infrastructure in place just use that instead of the switch and the controller as a DHCP server and firewall.

So right now everything goes through my ISA server. So essentially when a client connects to the public VLAN, the ISA server will relay the DHCP request to my internal DHCP server. From there all requests from the public network to the internal network is blocked on the ISA server except for DNS and DHCP. All HTTP and HTTPS traffic to the Internet is allowed through and filtered by Websense.

I'm a mid sized school so maybe the rep thought that was the best for me.

On a side note do you have any experience with HP guest services, where public VLAN connections are authenticated via the web using an assigned user name and password?

Thanks.

 

[cajuntank]

That might be what I ran into when I first configured it. I think I had to use the controller's DHCP to hand out addresses to the Public SSID so I could do controller based authentication for that SSID. I just have a plain generic username and password defined at the controller for the web based authentication to proxy through and work out through the controller's WAN int. The Secure SSID uses Windows Radius server for my other authentication means.

 

[anthonymeluso]

Ok so I performed a little test today. On one of my switches I turned on ip routing and enabled a helper-address on one of the VLANs. When I connected a client to one of the VLANs untagged ports I get the correct DHCP address for that VLAN.

My only concern is from a security perspective. That switch is not my main router. All my clients point to the ISA server as the default gateway. So basically I turned on ip routing just to get the DHCP address to be assigned correctly.

Is this safe? Should I set the default gateway to the switch?

 

[cajuntank]

Your switch would then have a route defined to go to the ISA to get to the Internet. It's always best practice to keep hops to a minimum so if you don't need that traffic to be processed by the ISA box to get to other internal subnets, then choose whatever layer 3 routing device is closest to them. This keeps more traffic off of those uplinks.

"Is this safe?" What exactly are your concerns? This is internal traffic we are talking about, correct?

 

[anthonymeluso]

Ok thanks. Yes its internal traffic so all should be well there.

You have been of much help!

Happy new year!

 

[anthonymeluso]

Cajuntank,

Sorry to bother you again but while I understand how this type of environment would work, what happens if I have more than one switch on my network. For instance the wireless edge service module is installed in the MDF but I have radios connected to my IDF switch as well. Would I have to open up a Vlan 2100 between the switches them? Or does the radio do some type of broadcast then configure the port for Vlan 2100 at the IDF?

Thanks!

 

[cajuntank]

Again, think of the access points as dumb terminals connecting to a Unix server... does not matter if the access points are hanging off a IDF switch in the next room, or a switch 100 miles away across a WAN, if you have your DHCP options pointing to that wireless controller, it's the "Unix server". As stated, I have mine setup in this scenario so could have "Secure" SSID access to that access points local subnets, or "Public" SSID so that I could tunnel that traffic, even though it might be 100 miles away, back to my controller, to that one subnet. So for example, I might have created a subnet of 192.168.10.0/24 for that "Public" SSID. No matter where in my network the user is, next room, or 100 miles away across multiple switches and routers, if that user associates with "Public" SSID, then they get an address from the 192.168.10.0 subnet. There is nothing to implement on the switches and routers along the way as long as the AP can normally talk to the network with the address it was given from DHCP. That 192.168.10.0 host tunnels it's traffic through the regular subnets, back to the controller, where it exits the WAN port of the controller to the Internet.

 

[anthonymeluso]

Thanks. I just had read somewhere that the radios communicate over VLAN 2100 and was wondering if this needs to be created on my other switches.

 

[cajuntank]

On the original HP wireless tech (not Colubris), that was the default I believe. HP is not developing anything further for that tech even though they might still sell it some in lieue of what they bought from Colubris. Also, now that they have 3COM tech, it will be interesting on who's product line they will ultimately continue developing for.

 

[anthonymeluso]

I just realized today I was looking at the older Wireless Edge Services module not the newer 765zl one lol. I just read this post again and everything make so much more sense now.

I think I'm going to do the following setup that is similar to yours the "Secure" SSID will only authenticate through the controller as a RADIUS proxy for my internal RADIUS server. After that I binded the VSC to egress out to VLAN 1 (our internal network) From what I understand that means traffic from clients would just go from AP to the switch and therefore the network. The controller is not involved.

For my "Public" SSID I'm using authentication and access control and will tunnel all client data. I will have HTTP authentication turned on and have the clients get a DHCP address from the controller. It will egress out the WAN port.

Now about the WAN port.. I'll place it on VLAN 3 which I created on the switch that is connected to our ISA server which has a NIC connected to a untagged VLAN 3 port. If I setup the DHCP server correctly the "Public" clients would point to the ISA server NIC on this VLAN. From there I can control it's access to the internal network and Internet.

Does this make sense... I spend all day reading the manual and its sick on what this thing can do. I feel they tried to make this the holy grail of networking.

Thanks for all your help!

 

[anthonymeluso]

Cajuntank,

I just read that I can't have a DHCP server running when I have teamed controller. So would a DHCP relay work and have it point to your our internal DHCP server? How would it know what subnet to assign it?

Thanks so much.

 

[cajuntank]

Teamed controller? Are you saying you have two wireless controllers for redundancy, or something else?

 

[anthonymeluso]

Yeah two wireless controllers for redundancy. We are planning on installing over 90 APs through out the campus. Now with the limitations that come with teaming controllers, I have no idea what my VSC for guests will look like. What would be my ingress port (if I even need it) and what would be my egress port and of course what about DHCP request over the guest wireless network.

Right now my current thinking would be ingress over my Internet port which is on my wirleess guest VLAN then egress from that same port, if that is even possible. I know I want the HTTP authentication web site to reside on the Internet port so I think I need my guest traffic to ingress from there. I know I need some type of DHCP relay looking at the client data tunnel for DHCP broadcast.

I can't believe the guest SSID is that confusing to configure. The much more secure SSID is a breeze. Thanks for sticking with me on this one. Sorry if I'm a pain.

 

[anthonymeluso]

Cajuntank,

Any ideas on my configuration. I also posted this question in the HP forums and my only response was someone from Turkey in broken English.

Thanks again!