Rev. 12.31 6–1
VLANs Module 6
Objectives
This module reviews strategies for properly integrating your wireless solution into a wired infrastructure. You will use what you have learned about connecting the MSM Controller to the network, deploying APs, and forwarding both access-controlled and non-access-controlled client traffic onto the wired network.
After completing this module, you should be able to:
Apply network profiles in the correct way to fulfill specific functions:
Manage the MSM Controller
Manage MSM APs
Forward wireless client traffic in the desired VLAN in non-access-controlled VSCs
Map wired traffic to an access-controlled VSC
Forward client traffic in the desired VLAN in access-controlled VSCs
Implement user-based VLANs and predict how they interact with static VLANs
Enable access-controlled clients to receive IP addresses from a network DHCP server
Implementing and Troubleshooting HP Wireless Networks
6–2 Rev. 12.31
Discussion topics
Figure 6-1: Discussion topics
Begin by reviewing the standard strategies for deploying various models of MSM Controller.
HP USE ONLY
Basic solution for connecting the MSM Controller
Figure 6-2: Basic solution for connecting the MSM Controller
The figure displays an example network which you will examine throughout this module. The figure has been simplified to show a group of edge switches and two core routing switches, which, as an HP Intelligent Resilient Framework (IRF) group, functions as a single entity. The lines between these switches do not represent the precise physical connections but rather indicate Layer 2 connectivity of some sort. In addition, lines to the user VLAN and the server VLAN do not necessarily show all intervening devices. You are primarily interested in the switch ports that connect directly to your MSM products, so the figure focuses on those.
Table 6-1 indicates the VLANs used in this network. The final column specifies the subnet assigned to each VLAN and, specifically, the IP address of the VLAN’s default gateway. Although the figure, for simplicity, shows switches in the Management VLAN, these switches actually support all VLANs at the site. Throughout this module, remember that all of the VLANs at the site are extended through the switch infrastructure.
Table 6-1: Corporate LAN VLANs
VLAN purpose | VLAN ID | Default gateway (core routing switch)
Management (infrastructure devices) | 8 | 10.1.8.1/24
Users | 16 | 10.1.16.1/23
Servers | 24 | 10.1.24.1/24
Questions
You are deploying an MSM760 Access Controller in this infrastructure. The network administrators have assigned the controller an IP address in VLAN 8, 10.1.8.50/24. You will manage the controller on that IP address.
1. Unless you have a specific reason to choose a different design, where should you configure this IP address on the controller?
Following best practices, the network administrators have created a new VLAN and subnet for the APs, VLAN 32 and 10.1.32.0/24. The APs connect to the switch ports that are untagged on VLAN 32 (you could also provision the APs to connect on tagged ports). Placing the APs on their own VLAN prevents someone from disconnecting the AP, connecting their own device, and receiving access on the switch management VLAN.
In this solution, the network DHCP server provides the IP addresses for the APs.
Table 6-2: Corporate LAN VLANs + AP VLAN
VLAN purpose | VLAN ID | Default gateway
Management (infrastructure devices)
b. Where do you assign the network profile (mapped to a controller port, assigned as an ingress VLAN in a VSC, assigned as an egress VLAN in a VSC, or assigned as an egress network in a VSC binding; indicate all that apply)?
Now assume that you have decided to use Layer 3 discovery instead of Layer 2 discovery. Assume that the controller has the Internet port network settings described earlier, but otherwise is using default settings. Answer the questions for a Layer 3 discovery strategy.
7. Do you need to create a network profile on the MSM Controller to meet the company’s requirements?
b. Where do you assign the network profile (mapped to a controller port, assigned as an ingress VLAN in a VSC, assigned as an egress VLAN in a VSC, or assigned as an egress network in a VSC binding; indicate all that apply)?
Now assume that the company has deployed MSM APs at several sites. The core routing switch supports the VLANs indicated in Table 6-2 and also knows routes to the networks at site 2.
The APs at site 2 require Layer 3 discovery, so the company has decided to implement this type of discovery for all APs. The APs can reside on their own dedicated VLAN at each site and discover the MSM760 at its management IP address, 10.1.8.50. The company has both a DNS server and a DHCP server that can inform the APs of the controller’s address. In this solution, the DHCP server does so.
The following figure provides a detailed look at the controller’s current ports and IP interfaces. As you can see, the controller’s untagged LAN port interface is using a default IP address of 192.168.1.1/24, but the physical LAN port is not connected.
Figure 6-5: Internal view of the IP interfaces on the MSM760 ports
You will now focus on configuring ports on the MSM765 zl.
Special considerations for deploying the MSM765 zl
Figure 6-6: Special considerations for deploying the MSM765 zl
The MSM765 zl Premium Mobility Controller is a module that resides inside an HP zl Series switch. You treat <slot>1 and <slot>2 like the switch ports that connect to the controller’s Internet and LAN ports, respectively. However, rather than disable <slot>2 to mimic leaving the port unconnected, you should isolate the LAN port by placing <slot>2 in an unused VLAN.
Special considerations for deploying an MSM720
Figure 6-7: Special considerations for deploying an MSM720
The MSM720 ports are switch ports rather than router ports, so you can assign the same VLAN and IP interface to multiple physical ports. You can also group ports into link aggregation groups (called trunks), which operate in either static or LACP active mode.
These features give you additional flexibility in setting up VLANs on the MSM720 and connecting the device to the network.
The figure shows one example of a design:
The administrator assigns the controller’s management IP address, 10.1.8.50/24, to the Internet network profile and changes the profile’s VLAN ID to 8.
The administrator creates a new network profile for the APs VLAN and assigns the profile VLAN ID 32 and IP address 10.1.32.50/24.
The administrator places ports 1 and 2 in Trunk 1, a static link aggregation group, which connects to a switch that supports APs. (In the real world, several switches might support the APs.)
The administrator assigns the AP VLAN as the untagged VLAN on Trunk 1. This VLAN replaces the default untagged VLAN, Access network. Connecting the APs directly to the controller means that the core routing switches do not need to handle their traffic.
The administrator places ports 5 and 6 in Trunk 2, a static link aggregation group that connects to both core routing switches. The administrator is able to create a link aggregation for these redundant links to different physical chassis because the devices are part of an HP IRF group.
Note
You could create a similar solution when the MSM720 connects to switches that do not support IRF. The switches would need to support a distributed trunking protocol.
Trunk 2 supports the Internet network as the untagged VLAN.
The AP switch connects to the core IRF group on both VLAN 8 and VLAN 32. This configuration enables the APs to reach the core routing switch and receive IP addresses through DHCP relay.
You need to take care not to introduce a loop in any VLAN so as to prevent broadcast storms from interfering with connectivity. In this example, the AP switch connects to the MSM720 and the core IRF group on VLAN 32. However, the MSM720 and core IRF group do not need to connect on this VLAN, and no loop is introduced.
Similarly, the MSM720 and two AP switches connect to the core IRF group on VLAN 8, but not to each other.
As you see, this design features high bandwidth and redundancy for both connections to APs and to the corporate LAN core. At this point, high bandwidth is not truly necessary, but, as you have learned, APs might tunnel client traffic on Trunk 1, and the controller might forward that traffic out Trunk 2.
Additional guidelines on link aggregation groups
Follow these guidelines when creating link aggregation groups:
A static link aggregation group supports up to two links. Use static mode when possible because this option provides greater flexibility. A static link aggregation group supports both tagged and untagged VLAN assignments. You can also select different VLAN assignments for different trunks.
Use an LACP link aggregation group when you require up to four standby links in addition to two active links. An LACP link aggregation group only supports untagged traffic in the default VLAN. By default, the Access network acts as the default VLAN, but you can change this setting so that any network profile is the default VLAN.
To prevent loops, disable the ports before you add them to a link aggregation group. Finish adding ports to the group and assigning VLANs to the group. Only then should you re-enable the ports.
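As an added check that is not part of this course material, the following Python script models the MSM720 design described above as one graph per VLAN and reports any VLAN in which the links form a loop. Device names are placeholders, and each link aggregation group is treated as a single logical link.

```python
from collections import defaultdict
from typing import Dict, FrozenSet, List, Set, Tuple

# A link is (device_a, device_b, VLANs carried on it). A link aggregation
# group is one logical link, so Trunk 1 and Trunk 2 each appear once.
Link = Tuple[str, str, FrozenSet[int]]

# Constructed from the MSM720 design in this module: Trunk 1 carries the AP
# VLAN untagged to the AP switch, Trunk 2 carries the Internet network (VLAN 8)
# untagged to the core IRF group, and the AP switch uplinks to the core on
# VLANs 8 and 32. Device names are placeholders.
DESIGN: List[Link] = [
    ("msm720", "ap-switch", frozenset({32})),       # Trunk 1
    ("msm720", "core-irf", frozenset({8})),         # Trunk 2
    ("ap-switch", "core-irf", frozenset({8, 32})),  # AP switch uplink
]

# The mistake the text warns against: also carrying VLAN 32 on Trunk 2.
MISTAKE: List[Link] = [
    ("msm720", "ap-switch", frozenset({32})),
    ("msm720", "core-irf", frozenset({8, 32})),
    ("ap-switch", "core-irf", frozenset({8, 32})),
]


def per_vlan_graphs(links: List[Link]) -> Dict[int, Dict[str, Set[str]]]:
    """Build one undirected adjacency map per VLAN ID."""
    graphs: Dict[int, Dict[str, Set[str]]] = defaultdict(lambda: defaultdict(set))
    for a, b, vlans in links:
        for vlan in vlans:
            graphs[vlan][a].add(b)
            graphs[vlan][b].add(a)
    return graphs


def find_cycle(adj: Dict[str, Set[str]]) -> List[str]:
    """Return the devices on one cycle, or [] if the VLAN's graph is a forest.

    Depth-first search over an undirected graph: reaching an already visited
    neighbour that is not the node we came from closes a loop.
    """
    visited: Set[str] = set()
    parent: Dict[str, object] = {}
    for start in adj:
        if start in visited:
            continue
        stack = [(start, None)]
        while stack:
            node, came_from = stack.pop()
            if node in visited:
                continue
            visited.add(node)
            parent[node] = came_from
            for nbr in adj[node]:
                if nbr == came_from:
                    continue
                if nbr in visited:
                    # Walk back up the DFS tree from node to nbr.
                    path, cur = [node], node
                    while cur != nbr and parent.get(cur) is not None:
                        cur = parent[cur]
                        path.append(cur)
                    return path
                stack.append((nbr, node))
    return []


def check_design(links: List[Link]) -> Dict[int, List[str]]:
    """Map each looping VLAN ID to the devices on its loop; {} means loop-free."""
    loops: Dict[int, List[str]] = {}
    for vlan, adj in sorted(per_vlan_graphs(links).items()):
        cycle = find_cycle(adj)
        if cycle:
            loops[vlan] = cycle
    return loops


if __name__ == "__main__":
    print("design:", check_design(DESIGN) or "no loops")
    print("mistake:", check_design(MISTAKE))
```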
Discussion topics
Figure 6-8: Discussion topics
You now will review how to assign clients to VLANs and ensure that the wired infrastructure can receive that traffic. The solution depends largely on whether clients connect to access-controlled or non-access-controlled VSCs. You will review non-access-controlled VSCs first, as this is the simpler scenario.
Forwarding non-access-controlled clients on a VLAN
Figure 6-9: Forwarding non-access-controlled clients on a VLAN
The company has a VSC for an employees’ WLAN that implements WPA/WPA2 and 802.1X authentication. The company wants all of these clients to receive IP addresses and forward their traffic in the same VLAN as employees with wired connections.
Questions
1. Do you need to create a network profile to meet this requirement?
b. Where do you assign the network profile (mapped to a controller port, assigned as an ingress VLAN in a VSC, assigned as an egress VLAN in a VSC, or assigned as an egress network in a VSC binding; indicate all that apply)?
3. Where does the clients’ traffic enter the corporate LAN wired infrastructure? Which switch ports require a change in VLAN assignment, and what is that change?
4. In the figure on the previous page, trace the traffic flow between an authenticated wireless client and a server. The figure does not show all physical links and their VLAN assignments. Assume that the switch-to-switch links carry all VLANs.
Multiple VLANs for non-access-controlled clients: Location-based
Figure 6-10: Multiple VLANs for non-access-controlled clients: Location-based
An MSM solution can span multiple sites. Sometimes, the sites connect through a Layer 2 technology such as fiber-based Ethernet, Layer 2 Multiprotocol Label Switching (MPLS), or Virtual Private LAN Service (VPLS). In that case, you can plan the VLANs as for a single site.
Many sites, however, connect over routed links.
Sometimes a company uses the same VLAN IDs for the same purposes at every site even though the VLANs are associated with different subnets. For example, VLAN 16 at the main site is associated with 10.1.16.0/23, but VLAN 16 at site 2 is associated with 10.2.16.0/24. In this case, you can assign users to the same VLANs no matter where they connect.
Often, though, each site has its own set of VLANs, and the MSM APs must forward users’ traffic in the correct VLAN for the location. The figure illustrates a solution of this type.
Table 6-4: Corporate LAN VLANs at site 2
VLAN purpose | VLAN ID | Default gateway
Management (infrastructure devices) | 208 | 10.2.8.1/24
Users | 216 | 10.2.16.1/24
APs | 232 | 10.2.32.1/24
Question
How do you adjust the solution so that APs at the main site forward wireless users’ traffic on VLAN 16 but APs at site 2 forward wireless users’ traffic in VLAN 216?
Multiple VLANs for non-access-controlled clients: User-based
Figure 6-11: Multiple VLANs for non-access-controlled clients: User-based
Now the company wants to divide users into different VLANs based on their identity.
Assume that the controller is acting as the RADIUS server. In “Module 4: Wireless Security,” you learned how to create local user accounts for authenticating users, and in “Module 5: Guest Solutions,” you learned how to apply account profiles to user accounts. Although non-access-controlled profiles support fewer settings than access-controlled ones, they allow you to set an egress VLAN.
The non-access-controlled user’s egress VLAN is a bit different from an access-controlled user’s egress VLAN. The non-access-controlled user’s egress VLAN is simply a dynamic RADIUS VLAN. It overrides the VLAN ID assigned in the VSC binding; the AP then forwards the user’s traffic with that VLAN ID. The AP can forward other users’ traffic with other IDs.
You can specify any VLAN ID in the account profile. The ID does not have to exist in a network profile on the MSM Controller. Of course, the VLAN should exist in the network infrastructure.
Based on these guidelines, plan a solution for a hospital with two user groups:
Billing staff = VLAN 18
Medical staff = VLAN 20
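An added example, not part of the course material, that models the precedence described above: the account profile’s egress VLAN (hospital groups constructed as billing-staff and medical-staff) overrides the AP-group binding’s VLAN (16 at the main site, 216 at site 2), and the AP then tags the user’s frame with the resolved ID. Profile names, AP-group names, the per-site VLAN lists and the sample frame are constructed.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed account profiles for the hospital example: the egress VLAN in a
# non-access-controlled profile becomes the user's dynamic RADIUS VLAN.
ACCOUNT_PROFILES: Dict[str, Optional[int]] = {
    "billing-staff": 18,
    "medical-staff": 20,
    "default": None,      # no egress VLAN set: fall back to the binding
}

# Constructed AP-group VSC bindings: the static egress VLAN per location
# (VLAN 16 at the main site, VLAN 216 at site 2, as in this module).
BINDING_EGRESS_VLAN: Dict[str, int] = {"main-site": 16, "site-2": 216}

# VLANs the wired infrastructure carries at each site (Tables 6-1 and 6-4 plus
# the two hospital user VLANs, assumed to exist only at the main site).
SITE_VLANS: Dict[str, Set[int]] = {
    "main-site": {8, 16, 18, 20, 24, 32},
    "site-2": {208, 216, 232},
}


@dataclass(frozen=True)
class Decision:
    vlan: int
    source: str            # "account profile" or "VSC binding"
    warnings: Tuple[str, ...]


def resolve_egress_vlan(profile: str, ap_group: str) -> Decision:
    """Apply the precedence this module describes: a per-user egress VLAN from
    the account profile overrides the VSC binding's egress VLAN for that AP group."""
    warnings: List[str] = []
    user_vlan = ACCOUNT_PROFILES.get(profile)
    if user_vlan is not None:
        if not 1 <= user_vlan <= 4094:
            raise ValueError(f"profile {profile!r} has an invalid VLAN ID {user_vlan}")
        vlan, source = user_vlan, "account profile"
    else:
        vlan, source = BINDING_EGRESS_VLAN[ap_group], "VSC binding"
    # The ID need not exist in a controller network profile, but the wired
    # infrastructure at that site must carry it or the user's traffic goes nowhere.
    if vlan not in SITE_VLANS.get(ap_group, set()):
        warnings.append(f"VLAN {vlan} is not provisioned at {ap_group}")
    return Decision(vlan, source, tuple(warnings))


def tag_frame(frame: bytes, vlan: int, priority: int = 0) -> bytes:
    """Insert an 802.1Q tag (TPID 0x8100) after the destination and source MACs,
    which is how the AP forwards the user's frame with the resolved VLAN ID."""
    if len(frame) < 14:
        raise ValueError("frame too short to carry an Ethernet header")
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN ID out of range")
    tci = (priority & 0x7) << 13 | vlan          # PCP(3) | DEI(1)=0 | VID(12)
    return frame[:12] + struct.pack("!HH", 0x8100, tci) + frame[12:]


def forward(profile: str, ap_group: str, frame: bytes) -> Tuple[Decision, bytes]:
    """Resolve the VLAN for a user and return the frame as the AP would emit it."""
    decision = resolve_egress_vlan(profile, ap_group)
    return decision, tag_frame(frame, decision.vlan)


# Constructed untagged frame: broadcast destination, client MAC source, IPv4 ethertype.
SAMPLE_FRAME = bytes.fromhex("ffffffffffff" "02000000aa01" "0800") + b"\x45" + b"\x00" * 19

if __name__ == "__main__":
    for profile, site in [("billing-staff", "main-site"), ("default", "site-2"), ("medical-staff", "site-2")]:
        decision, tagged = forward(profile, site, SAMPLE_FRAME)
        print(profile, site, decision, tagged[12:16].hex())
```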
Table 6-5: Corporate LAN VLANs, including multiple user VLANs
VLAN purpose | VLAN ID | Default gateway
Management (infrastructure devices)
Next you will review how to establish subnets for access-controlled clients as well as how to control where the clients’ traffic is forwarded in the protected network.
Goals for the review
Figure 6-13: Goals for the review
You will look at three types of access-controlled traffic so that you can practice creating solutions for each:
Wireless traffic that is tunneled to the controller
Wired traffic
Wireless traffic that is not tunneled to the controller
Typically, your solution would feature either tunneled or non-tunneled wireless traffic, depending on the needs of the environment. To either of those solutions, you could add wired traffic.
Therefore, you will first examine tunneling wireless guests’ traffic and assigning the guests to a subnet without VLANs. You will then review how you can use VLANs to apply the solution to wired guests. From there, you will move on to solutions for egressing the guests’ traffic.
Only then will you review the alternative solutions, in which both wired and wireless users are placed on an unprotected VLAN.
Assigning guests to a subnet without VLANs
Figure 6-14: Assigning guests to a subnet without VLANs
The company is now adding a VSC for guests to the solution. The controller will handle the traffic as well as implement Web authentication (Web-Auth) to its own guest accounts. Guests are assigned to subnet 10.1.48.0/23, which does not exist anywhere else in the network. For now, assume that the MSM Controller will act as the DHCP server.
For a use case such as this, you can easily implement the solution without adding a VLAN for the guests.
Questions: Default VSC
Explain how you can meet the requirements when you use the default VSC for the Guest WLAN.
1. Do you need to create a network profile to meet this requirement?
b. Where do you assign the network profile (mapped to a controller port, assigned as an ingress VLAN in a VSC, assigned as an egress VLAN in a VSC, or assigned as an egress network in a VSC binding; indicate all that apply)?
b. Where do you assign the network profile (mapped to a controller port, assigned as an ingress VLAN in a VSC, assigned as an egress VLAN in a VSC, or assigned as an egress network in a VSC binding; indicate all that apply)?
Using VLANs to apply access control to wired clients
Figure 6-15: Using VLANs to apply access control to wired clients
Currently, all unused switch ports at the main site are assigned to VLAN 1, which does not provide network access. The company wants the controller to use its guest VSC to provide controlled network access and Web-Auth for any user who connects to one of these ports.
Questions: Default VSC
Explain how you can meet the requirements when you use the default VSC for the Guest WLAN.
1. Do you need to create a network profile to meet this requirement?
b. Where do you assign the network profile (mapped to a controller port, assigned as an ingress VLAN in a VSC, assigned as an egress VLAN in a VSC, or assigned as an egress network in a VSC binding; indicate all that apply)?
b. Where do you assign the network profile (mapped to a controller port, assigned as an ingress VLAN in a VSC, assigned as an egress VLAN in a VSC, or assigned as an egress network in a VSC binding; indicate all that apply)?
Figure 6-16: Using VLANs to route authenticated guest traffic
The company now wants to route all authenticated guest traffic on VLAN 64, subnet 10.1.64.0/24, which connects directly to the Internet gateway.
The table shows the subnets associated with the VLANs shown in the figure. (The company might have more subnets, but they are not relevant to this solution.) Devices in the corporate LAN are the default gateways for all subnets except Guests. The controller routes guest traffic.
b. Where do you assign the network profile (mapped to a controller port, assigned as an ingress VLAN in a VSC, assigned as an egress VLAN in a VSC, or assigned as an egress network in a VSC binding; indicate all that apply)?
Assigning user-based VLANs for routing authenticated guest traffic
Figure 6-17: Assigning user-based VLANs for routing authenticated guest traffic
Next assume that a hospital wants to route different guests’ traffic out different VLANs. The MSM Controller routes normal visitors’ traffic directly to the Internet router on VLAN 64. Visiting students, however, are allowed access to a bank of resources; a gateway in VLAN 72 handles their traffic and applies the correct access controls.
b. Where do you assign the network profile (mapped to a controller port, assigned as an ingress VLAN in a VSC, assigned as an egress VLAN in a VSC, or assigned as an egress network in a VSC binding; indicate all that apply)?
What is the traffic flow for various guest users? At each step, indicate whether the device tunnels the traffic, forwards the traffic toward its destination at Layer 2, or routes the traffic.
Questions
For these questions, assume that users have authenticated.
1. How is traffic for a wireless visitor at the main site forwarded?
Alternatives: Using VLANs to implement access control for wireless clients
Figure 6-19: Alternatives: Using VLANs to implement access control for wireless clients
VLAN 1 establishes an unprotected network in which users can reach any resources deployed there. Now consider a situation in which the company wants to place unauthenticated wireless guests in this VLAN as well. This solution works only for guests connected to APs that can obtain a Layer 2 connection to the controller (whether the APs are deployed at the same site or whether a remote site has a Layer 2 connection to the main site).
Questions: Adjusting the AP discovery
For this solution, you need to adjust how the controller discovers and manages APs at the main site. Explain what you must do.
b. Where do you assign the network profile (mapped to a controller port, assigned as an ingress VLAN in a VSC, assigned as an egress VLAN in a VSC, or assigned as an egress network in a VSC binding; indicate all that apply)?
4. How is the traffic flow for a wireless visitor connected at the main site different from the traffic flow described on the previous slide? (Again, assume that the user is authenticated.)
Alternatives: Implementing a similar solution on an MSM720
Figure 6-20: Alternatives: Implementing a similar solution on an MSM720
The figure displays a solution similar to the one that you planned earlier in the module. In this solution, however, the main site APs discover the controller at Layer 2, with all of their management traffic flowing directly to the MSM Controller. Other APs discover the controller at Layer 3 on its Internet network IP address.
The APs are already configured to forward employees’ traffic in VLAN 16 at the main site and VLAN 216 at site 2 (that is, the network profiles for these VLANs are specified in the appropriate AP group VSC bindings). The figure on the next page shows the setup in more detail.
You must now plan how to set up a guest solution that allows visitors to connect wirelessly at the main site, wirelessly at site 2, and with Ethernet connections at the main site (unused ports are in VLAN 1). The controller will provide IP addresses to the guests, allow the guests to log in through its internal login pages, and prevent the guests from reaching any network resources until they log in. After the guests log in, they should be able to access the Internet only.
You must plan how to implement this solution.
Note
Although the figure on the next page shows the MSM720 ports connected, you would assign the correct VLANs to the ports before connecting them.
Table 6-8: Corporate LAN VLANs, including guest VLAN/subnet
2. Make a plan for creating network profiles, if necessary. Also plan how to assign profiles (new and existing) to the MSM720 trunks (link aggregation groups).
3. Do you need to create any new IP interfaces? If so, what are the appropriate settings? Do you need to adjust IP settings for existing IP interfaces? If so, how?
5. What additional MSM settings do you need to configure to ensure that guests receive IP addresses and that the controller can receive and forward their traffic? (You might configure additional settings for the guest solution, in general, but you do not need to list those.)
In Lab Activity 6.1, you will assign user-based VLANs to employees and also an egress VLAN to authenticated guests. You will explore the differences in the solutions.
Lab Activity 6.1 debrief
Use the space below to record your key insights and challenges from Lab Activity 6.1.
Table 6-9: Debrief for Lab Activity 6.1
Challenges | Key Insights
Use the space below to record your thoughts about various deployment strategies that you explored during Lab Activity 6.1.
Until now you have learned how to implement access-controlled solutions in which the MSM Controller acts as the DHCP server. Some enterprises, however, prefer to handle all IP assignments from their network DHCP servers. To meet this need, you configure DHCP relay.
Using DHCP relay for access-controlled clients
Figure 6-24: Using DHCP relay for access-controlled clients
To configure DHCP relay for access-controlled clients, you must enable DHCP relay globally from the Controller >> Network > Address allocation window. Select the option and click Configure. From that window, you configure the settings for DHCP as implemented on the untagged LAN port (or Access network) interface and the default VSC. You also choose whether to relay DHCP requests received on the untagged LAN port (or Access network), on client data tunnels to access-controlled VSCs, or both.
When the controller relays a request, it includes its relay IP address:
For requests received on the untagged LAN port (or Access network), this is the controller’s IP address on that interface. This IP address is also the relay address for requests received on the default VSC.
For requests received on other access-controlled VSCs, you specify an IP address and subnet mask.
The controller creates a virtual IP interface for this IP address (just as it does for the gateway address for VSC DHCP server settings). Therefore, the same guidelines apply. The subnet must be unique (not defined on any other IP interface).
The DHCP server scope for the subnet must specify the controller’s relay address for the default gateway and for the DNS server IP address as well.
Note
You can specify external DNS servers, but this solution requires additional setup:
An access list rule permits unauthenticated guests to send DNS requests to the server.
The server resolves the controller’s HTML authentication certificate subject name to the controller’s untagged LAN port (or Access network) IP address. (When you use the controller as the DNS server, that is not required.)
Just as when you use the DHCP server, the guest subnet generally does not exist in the wired infrastructure—although the DHCP server does have a scope for it.
You learned two methods for routing traffic back to this virtual subnet in “Module 5: Guest Solutions.” You can implement NAT on the IP interfaces that forward traffic from the VSCs, or you can create routes in the wired infrastructure. When you use DHCP relay, you should use the route option. This is because the server sends the DHCP replies back to the relay IP address, which needs to be in the actual guest subnet.
Create the route on the server’s default gateway. On the controller, disable NAT on any IP interface that will forward guest traffic.
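To tie the relay, scope and route requirements above together, here is an added Python planner (not part of the course material) that derives the DHCP scope settings from a VSC relay address and mask and flags an overlapping controller interface, a missing route on the server’s default gateway, and NAT left enabled on the forwarding interface. The relay address 10.1.56.1/24, the interface list and the gateway routing table are constructed.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class RelayPlan:
    relay_ip: str                  # virtual IP interface the controller creates
    scope: str                     # the scope the external DHCP server needs
    router_option: str             # default gateway handed to clients
    dns_option: str                # DNS server handed to clients
    route_needed: Dict[str, str]   # prefix -> next hop, on the server's default gateway
    problems: List[str] = field(default_factory=list)


def plan_vsc_relay(relay_ip: str, relay_mask: str, other_interfaces: List[str],
                   controller_wired_ip: str, gateway_routes: Dict[str, str],
                   nat_on_egress: bool) -> RelayPlan:
    """Derive the DHCP scope and routing that this module requires for the relay
    address configured on an access-controlled VSC, and flag violations."""
    iface = ipaddress.ip_interface(f"{relay_ip}/{relay_mask}")
    net = iface.network
    plan = RelayPlan(
        relay_ip=str(iface.ip),
        scope=str(net),
        router_option=str(iface.ip),   # clients must use the controller as gateway
        dns_option=str(iface.ip),      # and as DNS server, unless external DNS is set up
        route_needed={str(net): controller_wired_ip},
    )
    # The relay address is a host address, not the subnet or broadcast address.
    if iface.ip in (net.network_address, net.broadcast_address):
        plan.problems.append(f"{relay_ip} is not a usable host address in {net}")
    # The virtual subnet must not be defined on any other controller IP interface.
    for other in other_interfaces:
        other_net = ipaddress.ip_interface(other).network
        if net.overlaps(other_net):
            plan.problems.append(f"{net} overlaps existing interface {other}")
    # Replies go to the relay address, so the wired core needs a route to it
    # (NAT cannot be used instead for a relayed subnet).
    if gateway_routes.get(str(net)) != controller_wired_ip:
        plan.problems.append(
            f"server's default gateway lacks a route for {net} via {controller_wired_ip}")
    if nat_on_egress:
        plan.problems.append("NAT must be disabled on the interface that forwards guest traffic")
    return plan


# Constructed inputs: the controller's Internet port address from this module,
# its default LAN port interface, and a guest subnet already served by the
# controller's own DHCP server (10.1.48.0/23).
OTHER_INTERFACES = ["10.1.8.50/24", "192.168.1.1/24", "10.1.48.1/23"]
CONTROLLER_WIRED_IP = "10.1.8.50"

if __name__ == "__main__":
    good = plan_vsc_relay("10.1.56.1", "255.255.255.0", OTHER_INTERFACES, CONTROLLER_WIRED_IP,
                          {"10.1.56.0/24": CONTROLLER_WIRED_IP}, nat_on_egress=False)
    print(good)
    bad = plan_vsc_relay("10.1.48.1", "255.255.255.0", OTHER_INTERFACES, CONTROLLER_WIRED_IP,
                         {}, nat_on_egress=True)
    print(bad.problems)
```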
Resolving potential issues with the firewall
Figure 6-25: Resolving potential issues with the firewall
Sometimes a DHCP server sends pings to clients to determine whether it can assign a leased IP address to another client. You might need to adjust the controller’s firewall, which is enabled by default, to allow these pings to reach access-controlled clients. Note that this firewall is different from the access lists, which apply to access-controlled clients before their traffic is routed out an interface. The firewall applies to traffic as it is routed out or in an IP interface.
When necessary, follow this process to adjust the firewall:
1. Navigate to Controller >> Security > Firewall.
2. Select Custom Firewall and click Edit.
3. You might want to use the same rules enforced at the High setting as a baseline. These rules allow any outbound traffic from clients (that access lists have already allowed) except NetBIOS traffic. They drop inbound ICMP traffic and inbound traffic for new or invalid sessions. Table 6-10 illustrates those rules in more detail.
To quickly duplicate these rules, make sure that the Reset to list displays High. Then click Reset to.
4. You can then add your own rules by clicking Add New Rule.
These rules include these components:
Source IP address and mask (or Any)
Destination IP address and mask (or Any)
Direction (incoming from the protected network or outgoing from access-controlled clients)
Action (accept or deny)
Services (select the predefined service to permit or deny certain types of traffic)
Stateful settings (allows you to define different actions based on, for example, whether traffic is part of an existing or new session)
To create rules for allowing the necessary pings and ping replies, follow these steps:
a. When you click Add New Rule, a new window is displayed.
b. For Source, type the DHCP server’s IP address.
c. For Source mask, type 255.255.255.255.
d. For Destination, leave ANY, or type the subnet address for the guests. If you choose the second option, type the guest subnet mask in the Destination Mask field.
e. For Direction, select Input.
f. For Action, select Accept.
g. For Services, from the Presets list, select ICMP Echo.
h. Click Add.
i. Click Add New Rule to allow replies from the guest clients.
j. For Source, leave ANY, or type the subnet address for the guests. If you choose the second option, type the guest subnet mask in the Source Mask field.
k. For Destination, type the DHCP server’s IP address.
l. For Destination mask, type 255.255.255.255.
m. For Direction, select Output.
n. For Action, select Accept.
o. For Services, from the Presets list, select ICMP Echo Reply.
p. Click Add.
5. You can also create other rules. When you have finished, click Save.
Table 6-10: Rules for the firewall at the preset High level
Source | Destination | Service | Protocol | Direction | Action | Stateful
ANY | ANY | Type: 5 – Redirect, code: 0-255 | ICMP | In | Drop |
ANY | ANY | ANY | | In | Drop | Invalid, New
ANY | ANY | NetBIOS TCP | TCP | Out | Drop |
ANY | ANY | NetBIOS UDP | UDP | Out | Drop |
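As an added illustration (not the controller’s own code), this Python model encodes the High preset from Table 6-10 plus the two rules from steps b-p and evaluates sample packets against them, showing why the DHCP server’s echo request is dropped until the accept rule is added. It assumes rules are checked in order with the first match winning, that admin rules precede the High baseline, and that unmatched traffic is accepted; the DHCP server address 10.1.24.10 is constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Well-known values used below: ICMP echo reply = type 0, redirect = type 5,
# echo request = type 8; NetBIOS uses UDP 137/138 and TCP 139.
ICMP_ECHO_REPLY, ICMP_REDIRECT, ICMP_ECHO = 0, 5, 8


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                  # "icmp", "tcp" or "udp"
    direction: str              # "in" = from the protected network, "out" = from clients
    state: str                  # "new", "established" or "invalid"
    icmp_type: Optional[int] = None
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    name: str
    src: str                    # "any" or CIDR
    dst: str
    proto: str                  # "any", "icmp", "tcp" or "udp"
    direction: str
    action: str                 # "accept" or "drop"
    icmp_types: Tuple[int, ...] = ()   # empty = any type
    dports: Tuple[int, ...] = ()       # empty = any port
    states: Tuple[str, ...] = ()       # empty = not stateful, any state

    def matches(self, p: Packet) -> bool:
        for addr, net in ((p.src, self.src), (p.dst, self.dst)):
            if net != "any" and ipaddress.ip_address(addr) not in ipaddress.ip_network(net, strict=False):
                return False
        if self.direction != p.direction:
            return False
        if self.proto != "any" and self.proto != p.proto:
            return False
        if self.icmp_types and p.icmp_type not in self.icmp_types:
            return False
        if self.dports and p.dport not in self.dports:
            return False
        if self.states and p.state not in self.states:
            return False
        return True


# Table 6-10, the preset High rule set.
HIGH_PRESET: List[Rule] = [
    Rule("high-drop-icmp-redirect", "any", "any", "icmp", "in", "drop", icmp_types=(ICMP_REDIRECT,)),
    Rule("high-drop-in-new-invalid", "any", "any", "any", "in", "drop", states=("new", "invalid")),
    Rule("high-drop-netbios-tcp", "any", "any", "tcp", "out", "drop", dports=(139,)),
    Rule("high-drop-netbios-udp", "any", "any", "udp", "out", "drop", dports=(137, 138)),
]

# Constructed addresses: a DHCP server in the Servers VLAN and the guest subnet
# 10.1.48.0/23 used earlier in this module.
DHCP_SERVER = "10.1.24.10"
GUEST_SUBNET = "10.1.48.0/23"

# The two rules from steps b-p, written with the guest subnet rather than ANY.
PING_RULES: List[Rule] = [
    Rule("allow-dhcp-ping", DHCP_SERVER + "/32", GUEST_SUBNET, "icmp", "in", "accept",
         icmp_types=(ICMP_ECHO,)),
    Rule("allow-ping-reply", GUEST_SUBNET, DHCP_SERVER + "/32", "icmp", "out", "accept",
         icmp_types=(ICMP_ECHO_REPLY,)),
]


def evaluate(rules: List[Rule], p: Packet) -> Tuple[str, str]:
    """Return (action, rule name). Assumed semantics: rules are checked in order,
    the first match wins, and a packet matching no rule is accepted (the High
    preset only drops specific traffic)."""
    for rule in rules:
        if rule.matches(p):
            return rule.action, rule.name
    return "accept", "default"


def custom_firewall() -> List[Rule]:
    """Admin rules first, then the High baseline, as assumed for a Custom firewall."""
    return PING_RULES + HIGH_PRESET


if __name__ == "__main__":
    probe = Packet(DHCP_SERVER, "10.1.48.20", "icmp", "in", "new", icmp_type=ICMP_ECHO)
    print("High only:", evaluate(HIGH_PRESET, probe))
    print("Custom:   ", evaluate(custom_firewall(), probe))
```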
Extending the egress VLAN to access-controlled clients
Figure 6-26: Extending the egress VLAN to access-controlled clients
In all the options that you have examined, access-controlled clients have IP addresses in one subnet and the controller routes their traffic out another. As you have learned, an egress VLAN limits the forwarding interface but does not affect the subnet on which the client receives its IP address. You can, however, adjust an access-controlled solution so that the egress VLAN in the VSC functions more like an egress VLAN for non-access-controlled clients. That is, clients receive IP addresses in that VLAN—although the controller still routes their traffic before the traffic reaches the egress VLAN’s default gateway. Follow these guidelines:
Apply the egress VLAN to unauthenticated clients in the VSC (as well as to authenticated clients).
In the global DHCP relay settings, select the check box for extending the ingress interface to the egress interface.
In the VSC DHCP relay settings, select the Extend to egress interface option. You can no longer specify the IP address and subnet mask. You also cannot specify the DHCP server in the relay settings. The MSM Controller simply forwards the request on the egress VLAN IP interface. If the DHCP server does not reside on that VLAN, the VLAN’s default gateway in the network infrastructure must implement DHCP relay.
Disable NAT on the egress VLAN IP interface.
Because the egress VLAN already exists in the wired infrastructure, you do not need to create a route for it.
Follow the same guidelines indicated on the previous page for the DHCP pool. Set the MSM Controller’s IP address for the default gateway and DNS server.
The figure below illustrates how the controller applies the DHCP settings for this solution. Compare it with Figure 6-24. As you see, in this solution the controller is the default gateway for clients in their subnet, but another routing device in the VLAN acts as the controller’s default gateway. This device also implements DHCP relay to the server.
Figure 6-27: DHCP communications when you extend the egress VLAN to access-controlled clients
Lab Activity 6.2
Figure 6-28: Lab Activity 6.2
You will next implement DHCP relay for access-controlled clients.
Consult your Lab Guide for instructions for performing this activity.
Lab Activity 6.2 debrief
Use the space below to record your key insights and challenges from Lab Activity 6.2.
Table 6-11: Debrief for Lab Activity 6.2
Challenges | Key Insights
Use the space below to record your thoughts about various deployment strategies that you explored during Lab Activity 6.2.
Summary
Figure 6-29: Summary
In this module, you have put together everything that you have learned so far about planning VLANs and networks for your MSM solution:
VLANs for managing the MSM Controller and APs
VLANs for non-access-controlled clients
Networks and VLANs for access-controlled clients
You also learned how to relay access-controlled, or guest, clients’ DHCP requests to a network DHCP server. As part of this discussion, you learned how to extend DHCP relay onto an access-controlled VSC’s egress VLAN. In this way, you can assign access-controlled clients IP addresses in the same VLAN in which their authenticated traffic is eventually routed.
Learning check
Answer the following questions:
1. An MSM Controller acts as the RADIUS server for an employee VSC (using 802.1X) and a guest VSC (using Web-Auth). It has non-access-controlled account profiles for the employees and access-controlled-profiles for the guests. Both types of profiles assign egress VLANs. What are some differences between the VLANs?
2. You have set up DHCP relay on an access-controlled VSC. You specified 10.1.40.1 as the subnet address and 255.255.255.0 as the mask. What settings should the DHCP scope on the external DHCP server include?