
Rev. 12.31

Module 6: VLANs

Objectives

This module reviews strategies for properly integrating your wireless solution into a wired infrastructure. You will use what you have learned about connecting the MSM Controller to the network, deploying APs, and forwarding both access-controlled and non-access-controlled client traffic onto the wired network.

After completing this module, you should be able to:

- Apply network profiles in the correct way to fulfill specific functions:
  - Manage the MSM Controller
  - Manage MSM APs
  - Forward wireless client traffic in the desired VLAN in non-access-controlled VSCs
  - Map wired traffic to an access-controlled VSC
  - Forward client traffic in the desired VLAN in access-controlled VSCs
- Implement user-based VLANs and predict how they interact with static VLANs
- Enable access-controlled clients to receive IP addresses from a network DHCP server


HP USE ONLY


Implementing and Troubleshooting HP Wireless Networks


Discussion topics

Figure 6-1: Discussion topics

Begin by reviewing the standard strategies for deploying various models of MSM Controller.


Basic solution for connecting the MSM Controller

Figure 6-2: Basic solution for connecting the MSM Controller

The figure displays an example network which you will examine throughout this module. The figure has been simplified to show a group of edge switches and two core routing switches, which, as an HP Intelligent Resilient Framework (IRF) group, function as a single entity. The lines between these switches do not represent the precise physical connections but rather indicate Layer 2 connectivity of some sort. In addition, lines to the user VLAN and the server VLAN do not necessarily show all intervening devices. You are primarily interested in the switch ports that connect directly to your MSM products, so the figure focuses on those.

Table 6-1 indicates the VLANs used in this network. The final column specifies the subnet assigned to each VLAN and, specifically, the IP address of the VLAN’s default gateway. Although the figure, for simplicity, shows switches in the Management VLAN, these switches actually support all VLANs at the site. Throughout this module, remember that all of the VLANs at the site are extended through the switch infrastructure.

Table 6-1: Corporate LAN VLANs

VLAN purpose                         VLAN ID   Default gateway (core routing switch)
Management (infrastructure devices)  8         10.1.8.1/24
Users                                16        10.1.16.1/23
Servers                              24        10.1.24.1/24


Questions

You are deploying an MSM760 Access Controller in this infrastructure. The network administrators have assigned the controller an IP address in VLAN 8, 10.1.8.50/24. You will manage the controller on that IP address.

1. Unless you have a specific reason to choose a different design, where should you configure this IP address on the controller?


2. Which MSM760 port do you connect to the switch?


3. What untagged or tagged VLAN do you configure on the switch port?



Deploying MSM APs at a single site

Figure 6-3: Deploying MSM APs at a single site

Following best practices, the network administrators have created a new VLAN and subnet for the APs, VLAN 32 and 10.1.32.0/24. The APs connect to switch ports that are untagged on VLAN 32 (you could also provision the APs to connect on tagged ports). Placing the APs on their own VLAN prevents someone from disconnecting an AP, connecting their own device to the port, and receiving access on the switch management VLAN. Note that an unauthorized device plugged into that port still receives access on the AP VLAN; restricting the AP VLAN to the traffic the APs actually need (DHCP, DNS, and the controller) limits what such a device can reach.

In this solution, the network DHCP server provides the IP addresses for the APs.

Table 6-2: Corporate LAN VLANs + AP VLAN

VLAN purpose                         VLAN ID   Default gateway
Management (infrastructure devices)  8         10.1.8.1/24
Users                                16        10.1.16.1/23
Servers                              24        10.1.24.1/24
APs                                  32        10.1.32.1/24

For now, with all APs in one VLAN at a single site, the administrators do not want to create a Layer 3 discovery solution for them.

Questions

1. The APs' default gateway address is 10.1.32.1/24, and the gateway also provides DHCP relay services. Should this address belong to the MSM Controller or the core routing switch?


2. In an environment such as this, you could have APs discover the controller at Layer 2 or at Layer 3. Which solution would you choose?


Answer the questions for a Layer 2 discovery strategy.

3. Do you need to create a network profile on the MSM Controller to meet the company’s requirements?


If so, answer these questions:

a. What are the profile settings (name and VLAN ID)?


b. Where do you assign the network profile (mapped to a controller port, assigned as an ingress VLAN in a VSC, assigned as an egress VLAN in a VSC, or assigned as an egress network in a VSC binding; indicate all that apply)?


c. Does the profile require an IP interface? If so, what are the requirements?


4. Do you need to make any other changes on the controller to meet this requirement? If so, what are the changes?


5. Do you need to change the VLAN assignments on the switch port assigned to the MSM Controller? If so, what are the changes?


6. Do you need to make other changes to network services or the network infrastructure?


Now assume that you have decided to use Layer 3 discovery instead of Layer 2 discovery. Assume that the controller has the Internet port network settings described earlier, but otherwise is using default settings. Answer the questions for a Layer 3 discovery strategy.

7. Do you need to create a network profile on the MSM Controller to meet the company’s requirements?


If so, answer these questions:

a. What are the profile settings (name and VLAN ID)?


b. Where do you assign the network profile (mapped to a controller port, assigned as an ingress VLAN in a VSC, assigned as an egress VLAN in a VSC, or assigned as an egress network in a VSC binding; indicate all that apply)?


c. Does the profile require an IP interface? If so, what are the requirements?


8. Do you need to make any other changes on the controller to meet this requirement? If so, what are the changes?


9. Do you need to change the VLAN assignments on the switch port assigned to the MSM Controller? If so, what are the changes?


10. Do you need to make other changes to network services or the network infrastructure? If so, what are the changes?


Deploying MSM APs at multiple sites

Figure 6-4: Deploying MSM APs at multiple sites

Now assume that the company has deployed MSM APs at several sites. The core routing switch supports the VLANs indicated in Table 6-2 and also knows routes to the networks at site 2.

The APs at site 2 require Layer 3 discovery, so the company has decided to implement this type of discovery for all APs. The APs can reside on their own dedicated VLAN at each site and discover the MSM760 at its management IP address, 10.1.8.50. The company has both a DNS server and a DHCP server that can inform the APs of the controller’s address. In this solution, the DHCP server does so.

The following figure provides a detailed look at the controller's current ports and IP interfaces. As you can see, the controller's untagged LAN port interface is using a default IP address of 192.168.1.1/24, but the physical LAN port is not connected.

Figure 6-5: Internal view of the IP interfaces on the MSM760 ports

You will now focus on configuring ports on the MSM765 zl.


Special considerations for deploying the MSM765 zl

Figure 6-6: Special considerations for deploying the MSM765 zl

The MSM765 zl Premium Mobility Controller is a module that resides inside an HP zl Series switch. You treat <slot>1 and <slot>2 like the switch ports that connect to the controller's Internet and LAN ports, respectively. However, rather than disabling <slot>2 to mimic leaving the LAN port unconnected, you should isolate the LAN port by placing <slot>2 in an unused VLAN.


Special considerations for deploying an MSM720

Figure 6-7: Special considerations for deploying an MSM720

The MSM720 ports are switch ports rather than router ports, so you can assign the same VLAN and IP interface to multiple physical ports. You can also group ports into link aggregation groups (called trunks), which operate in either static or LACP active mode.

These features give you additional flexibility in setting up VLANs on the MSM720 and connecting the device to the network.

The figure shows one example of a design:

The administrator assigns the controller’s management IP address, 10.1.8.50/24, to the Internet network profile and changes the profile’s VLAN ID to 8.

The administrator creates a new network profile for the APs VLAN and assigns the profile VLAN ID 32 and IP address 10.1.32.50/24.

The administrator places ports 1 and 2 in Trunk 1, a static link aggregation group, which connects to a switch that supports APs. (In the real world, several switches might support the APs.)

The administrator assigns the AP VLAN as the untagged VLAN on Trunk 1. This VLAN replaces the default untagged VLAN, Access network. Connecting the APs directly to the controller means that the core routing switches do not need to handle their traffic.

The administrator places ports 5 and 6 in Trunk 2, a static link aggregation group that connects to both core routing switches. The administrator is able to create a link aggregation for these redundant links to different physical chassis because the devices are part of an HP IRF group.


Note: You could create a similar solution when the MSM720 connects to switches that do not support IRF. The switches would need to support a distributed trunking protocol.

Trunk 2 supports the Internet network as the untagged VLAN.

The AP switch connects to the core IRF group on both VLAN 8 and VLAN 32. This configuration enables the APs to reach the core routing switch and receive IP addresses through DHCP relay.

You need to take care not to introduce a loop in any VLAN so as to prevent broadcast storms from interfering with connectivity. In this example, the AP switch connects to the MSM720 and the core IRF group on VLAN 32. However, the MSM720 and core IRF group do not need to connect on this VLAN, and no loop is introduced.

Similarly, the MSM720 and two AP switches connect to the core IRF group on VLAN 8, but not to each other.
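The loop rule above is easy to check mechanically before you cable anything. The following is an added example, not part of the HP course material: each link or trunk is recorded with the set of VLANs it carries, the IRF group is modelled as a single node (as the module treats it), and a VLAN has a loop when the links carrying that VLAN contain a cycle. The topology data is constructed from the Figure 6-7 description; the second data set (two separate core chassis without IRF, with Trunk 2's members entered as individual links) is an assumption added to show what happens when the aggregation across chassis is not possible.

```python
"""Per-VLAN Layer 2 loop check for an MSM720 / switch design (added example)."""
from collections import defaultdict

# Constructed from the Figure 6-7 design: Trunk 1 (MSM720 to AP switch, untagged
# VLAN 32), Trunk 2 (MSM720 to the core IRF group, untagged VLAN 8), the AP
# switch uplink to the core on VLANs 8 and 32, and a second AP switch on VLAN 8.
DESIGN = [
    ("MSM720", "AP-switch-1", {32}),
    ("MSM720", "Core-IRF", {8}),
    ("AP-switch-1", "Core-IRF", {8, 32}),
    ("AP-switch-2", "Core-IRF", {8}),
]

# Assumed variant: no IRF, so the two Trunk 2 members cannot be aggregated and
# are two independent links to two core chassis joined by an inter-switch link.
NO_IRF = [
    ("MSM720", "AP-switch-1", {32}),
    ("MSM720", "Core-A", {8}),
    ("MSM720", "Core-B", {8}),
    ("AP-switch-1", "Core-A", {8, 32}),
    ("Core-A", "Core-B", {8, 32}),
]


def _find(parent, x):
    """Union-find root lookup with path halving."""
    parent.setdefault(x, x)
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x


def vlan_loops(links):
    """Return {vlan_id: [(a, b), ...]} listing, per VLAN, each link that closes a loop.

    links: iterable of (device_a, device_b, set_of_vlan_ids). A link aggregation
    group is one entry; two un-aggregated parallel cables between the same
    devices are two entries and are correctly reported as a loop.
    """
    by_vlan = defaultdict(list)
    for a, b, vlans in links:
        for vid in vlans:
            by_vlan[vid].append((a, b))

    loops = {}
    for vid in sorted(by_vlan):
        parent = {}
        closing = []
        for a, b in by_vlan[vid]:
            ra, rb = _find(parent, a), _find(parent, b)
            if ra == rb:
                closing.append((a, b))   # endpoints already connected in this VLAN
            else:
                parent[ra] = rb
        if closing:
            loops[vid] = closing
    return loops


if __name__ == "__main__":
    for name, topo in (("IRF design", DESIGN), ("no-IRF variant", NO_IRF)):
        found = vlan_loops(topo)
        print(name, "-> no loops" if not found else f"-> loops: {found}")
```

Running it reports no loops for the IRF design and a VLAN 8 loop for the variant, which is the reason the module requires IRF or a distributed trunking protocol on the core before aggregating links to two chassis. Adding a VLAN 32 connection between the MSM720 and the core, which the text says is unnecessary, would likewise be flagged.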

As you see, this design features high bandwidth and redundancy for both connections to APs and to the corporate LAN core. At this point, high bandwidth is not truly necessary, but, as you have learned, APs might tunnel client traffic on Trunk 1, and the controller might forward that traffic out Trunk 2.

Additional guidelines on link aggregation groups

Follow these guidelines when creating link aggregation groups:

A static link aggregation group supports up to two links. Use static mode when possible because this option provides greater flexibility. A static link aggregation group supports both tagged and untagged VLAN assignments. You can also select different VLAN assignments for different trunks.

Use an LACP link aggregation group when you require up to four standby links in addition to two active links. An LACP link aggregation group only supports untagged traffic in the default VLAN. By default, the Access network acts as the default VLAN, but you can change this setting so that any network profile is the default VLAN.

To prevent loops, disable the ports before you add them to a link aggregation group. Finish adding ports to the group and assigning VLANs to the group. Only then should you re-enable the ports.


Discussion topics

Figure 6-8: Discussion topics

You now will review how to assign clients to VLANs and ensure that the wired infrastructure can receive that traffic. The solution depends largely on whether clients connect to access-controlled or non-access-controlled VSCs. You will review non-access-controlled VSCs first, as this is the simpler scenario.


Forwarding non-access-controlled clients on a VLAN

Figure 6-9: Forwarding non-access-controlled clients on a VLAN

The company has a VSC for an employees’ WLAN that implements WPA/WPA2 and 802.1X authentication. The company wants all of these clients to receive IP addresses and forward their traffic in the same VLAN as employees with wired connections.

Questions

1. Do you need to create a network profile to meet this requirement?


If so, answer these questions:

a. What are the profile settings (name and VLAN ID)?


b. Where do you assign the network profile (mapped to a controller port, assigned as an ingress VLAN in a VSC, assigned as an egress VLAN in a VSC, or assigned as an egress network in a VSC binding; indicate all that apply)?


c. Does the profile require an IP interface? If so, what are the requirements?


2. Do you need to make any other changes on the controller to meet this requirement? If so, what are the changes?


3. Where does the clients’ traffic enter the corporate LAN wired infrastructure? Which switch ports require a change in VLAN assignment, and what is that change?


4. In the figure on the previous page, trace the traffic flow between an authenticated wireless client and a server. The figure does not show all physical links and their VLAN assignments. Assume that the switch-to-switch links carry all VLANs.


Multiple VLANs for non-access-controlled clients: Location-based

Figure 6-10: Multiple VLANs for non-access-controlled clients: Location-based

An MSM solution can span multiple sites. Sometimes the sites connect through a Layer 2 technology such as fiber-based Ethernet, a Layer 2 Multiprotocol Label Switching (MPLS) VPN, or Virtual Private LAN Service (VPLS). In that case, you can plan the VLANs as you would for a single site.

Many sites, however, connect over routed links.

Sometimes a company uses the same VLAN IDs for the same purposes at every site even though the VLANs are associated with different subnets. For example, VLAN 16 at the main site is associated with 10.1.16.0/23, but VLAN 16 at site 2 is associated with 10.2.16.0/24. In this case, you can assign users to the same VLANs no matter where they connect.

Often, though, each site has its own set of VLANs, and the MSM APs must forward users’ traffic in the correct VLAN for the location. The figure illustrates a solution of this type.

Table 6-3: Corporate LAN VLANs at site 1

VLAN purpose                         VLAN ID   Default gateway
Management (infrastructure devices)  8         10.1.8.1/24
Users                                16        10.1.16.1/23
Servers                              24        10.1.24.1/24
APs                                  32        10.1.32.1/24


Table 6-4: Corporate LAN VLANs at site 2

VLAN purpose                         VLAN ID   Default gateway
Management (infrastructure devices)  208       10.2.8.1/24
Users                                216       10.2.16.1/24
APs                                  232       10.2.32.1/24

Question

How do you adjust the solution so that APs at the main site forward wireless users’ traffic on VLAN 16 but APs at site 2 forward wireless users’ traffic in VLAN 216?


Multiple VLANs for non-access-controlled clients: User-based

Figure 6-11: Multiple VLANs for non-access-controlled clients: User-based

Now the company wants to divide users into different VLANs based on their identity.

Assume that the controller is acting as the RADIUS server. In “Module 4: Wireless Security,” you learned how to create local user accounts for authenticating users, and in “Module 5: Guest Solutions,” you learned how to apply account profiles to user accounts. Although non-access-controlled profiles support fewer settings than access-controlled ones, they allow you to set an egress VLAN.

The non-access-controlled user’s egress VLAN is a bit different from an access-controlled user’s egress VLAN. The non-access-controlled user’s egress VLAN is simply a dynamic RADIUS VLAN. It overrides the VLAN ID assigned in the VSC binding; the AP then forwards the user’s traffic with that VLAN ID. The AP can forward other users’ traffic with other IDs.

You can specify any VLAN ID in the account profile. The ID does not have to exist in a network profile on the MSM Controller. The VLAN must, however, exist in the network infrastructure and be tagged on the switch ports that connect to the APs; otherwise the AP's tagged frames are dropped at the switch, and the user authenticates successfully but has no connectivity.
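To make the override rule concrete, here is an added example that is not part of the HP course material. It decodes the standard RFC 3580 tunnel attributes (Tunnel-Type = 13 for VLAN, Tunnel-Medium-Type = 6 for IEEE-802, Tunnel-Private-Group-ID carrying the VLAN ID as a string) that an external RADIUS server returns in an Access-Accept, and applies the module's precedence: a RADIUS VLAN overrides the VSC binding's egress VLAN, and a VLAN that is not provisioned on the wired side is rejected rather than silently applied. In the module's own scenario the controller is the RADIUS server and the egress VLAN is set directly in the account profile, so the attribute encoding is assumed here for illustration; the sample attribute bytes are constructed.

```python
"""Resolve a non-access-controlled user's egress VLAN from RADIUS attributes (added example)."""

# RFC 2868 / RFC 3580 attribute numbers and values
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6

# Constructed Access-Accept attribute section: Tunnel-Type(VLAN),
# Tunnel-Medium-Type(IEEE-802), Tunnel-Private-Group-ID("18"), each with tag 0x00.
SAMPLE_ACCEPT_ATTRS = bytes([64, 6, 0, 0, 0, 13,
                             65, 6, 0, 0, 0, 6,
                             81, 5, 0]) + b"18"


def parse_avps(data: bytes):
    """Parse a RADIUS attribute section into (type, value) pairs, rejecting bad lengths."""
    avps, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError(f"bad attribute length {length} at offset {i}")
        avps.append((atype, data[i + 2:i + length]))
        i += length
    return avps


def _untag(value: bytes) -> bytes:
    """Strip the RFC 2868 tag octet (0x00..0x1F) if present; ASCII digits are never tags."""
    return value[1:] if value and value[0] <= 0x1F else value


def radius_vlan(avps):
    """Return the VLAN ID from a consistent set of tunnel attributes, else None."""
    attrs = {t: _untag(v) for t, v in avps
             if t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)}
    if TUNNEL_PRIVATE_GROUP_ID not in attrs:
        return None
    # Tunnel-Type and Tunnel-Medium-Type are 3-octet integers after the tag
    if int.from_bytes(attrs.get(TUNNEL_TYPE, b""), "big") != TUNNEL_TYPE_VLAN:
        return None
    if int.from_bytes(attrs.get(TUNNEL_MEDIUM_TYPE, b""), "big") != TUNNEL_MEDIUM_IEEE802:
        return None
    try:
        vid = int(attrs[TUNNEL_PRIVATE_GROUP_ID].decode("ascii"))
    except ValueError:
        return None
    return vid if 1 <= vid <= 4094 else None


def egress_vlan(binding_vlan: int, avps, infrastructure_vlans):
    """Module rule: a dynamic RADIUS VLAN overrides the VSC binding's egress VLAN.

    Returns (vlan_id, source) where source is "radius" or "binding". A RADIUS
    VLAN that is not tagged on the AP-facing switch ports would leave the user
    authenticated but black-holed, so it is rejected with an error instead.
    """
    vid = radius_vlan(avps)
    if vid is None:
        return binding_vlan, "binding"
    if vid not in infrastructure_vlans:
        raise ValueError(f"RADIUS VLAN {vid} is not provisioned on the AP switch ports")
    return vid, "radius"
```

With the sample attributes and a binding VLAN of 16, the user lands in VLAN 18 (the billing staff VLAN from the hospital scenario); with no tunnel attributes the binding VLAN is kept; a mismatched Tunnel-Medium-Type is treated as no VLAN assignment, which is the conservative reading of RFC 3580.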

Based on these guidelines, plan a solution for a hospital with two user groups:

Billing staff = VLAN 18

Medical staff = VLAN 20


Table 6-5: Corporate LAN VLANs, including multiple user VLANs

VLAN purpose                         VLAN ID   Default gateway
Management (infrastructure devices)  8         10.1.8.1/24
Billing staff                        18        10.1.18.1/23
Medical staff                        20        10.1.20.1/23
Servers                              24        10.1.24.1/24
APs                                  32        10.1.32.1/24
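Before handing a plan like Tables 6-1 to 6-5 to the switch and controller administrators, it is worth checking it mechanically: adjacent /23 user subnets are easy to misalign, and an egress VLAN typed into an account profile that no one provisioned is a common cause of "authenticates but gets no address". The following is an added example, not part of the HP course material; the plan data is taken from Table 6-5, and the deliberately broken variant in the usage note is constructed.

```python
"""Consistency checks for a VLAN / subnet plan (added example)."""
import ipaddress

# Constructed from Table 6-5: VLAN ID -> (purpose, gateway address with prefix length)
PLAN = {
    8:  ("Management", "10.1.8.1/24"),
    18: ("Billing staff", "10.1.18.1/23"),
    20: ("Medical staff", "10.1.20.1/23"),
    24: ("Servers", "10.1.24.1/24"),
    32: ("APs", "10.1.32.1/24"),
}


def check_plan(plan, egress_vlans=()):
    """Return a list of problem strings; an empty list means the plan is consistent.

    Checks performed:
      * VLAN IDs are within the 802.1Q range 1-4094
      * each default gateway is a usable host address (not network/broadcast)
      * no two VLANs have overlapping subnets
      * every VLAN referenced as an account-profile egress VLAN exists in the plan
    """
    problems, nets = [], {}
    for vid, (name, gateway) in plan.items():
        if not 1 <= vid <= 4094:
            problems.append(f"VLAN {vid} ({name}): ID outside 1-4094")
        iface = ipaddress.ip_interface(gateway)
        net = iface.network
        if iface.ip in (net.network_address, net.broadcast_address):
            problems.append(f"VLAN {vid} ({name}): gateway {iface.ip} is not a usable host address")
        nets[vid] = net

    ids = sorted(nets)
    for i, a in enumerate(ids):
        for b in ids[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"VLAN {a} and VLAN {b}: subnets {nets[a]} and {nets[b]} overlap")

    for vid in egress_vlans:
        if vid not in plan:
            problems.append(f"egress VLAN {vid} is not defined in the network plan")
    return problems


if __name__ == "__main__":
    for line in check_plan(PLAN, egress_vlans=(18, 20)) or ["plan OK"]:
        print(line)
```

For the Table 6-5 plan with egress VLANs 18 and 20 the check passes. If the billing staff gateway were mistyped as 10.1.17.1/23, its subnet would become 10.1.16.0/23 and collide with the original Users VLAN 16 from Table 6-1; an egress VLAN of 22 in an account profile would be reported as undefined.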

Question

How do you adjust the solution to meet these requirements?


Discussion topics

Figure 6-12: Discussion topics

Next you will review how to establish subnets for access-controlled clients as well as how to control where the clients’ traffic is forwarded in the protected network.


Goals for the review

Figure 6-13: Goals for the review

You will look at three types of access-controlled traffic so that you can practice creating solutions for each:

Wireless traffic that is tunneled to the controller

Wired traffic

Wireless traffic that is not tunneled to the controller

Typically, your solution would feature either tunneled or non-tunneled wireless traffic, depending on the needs of the environment. To either of those solutions, you could add wired traffic.

Therefore, you will first examine tunneling wireless guests' traffic and assigning the guests to a subnet without VLANs. You will then review how you can use VLANs to apply the solution to wired guests. From there, you will move on to solutions for egressing the guests' traffic.

Only then will you review the alternative solutions, in which both wired and wireless users are placed on an unprotected VLAN.


Assigning guests to a subnet without VLANs

Figure 6-14: Assigning guests to a subnet without VLANs

The company is now adding a VSC for guests to the solution. The controller will handle the traffic as well as implement Web authentication (Web-Auth) to its own guest accounts. Guests are assigned to subnet 10.1.48.0/23, which does not exist anywhere else in the network. For now, assume that the MSM Controller will act as the DHCP server.

For a use case such as this, you can easily implement the solution without adding a VLAN for the guests.

Questions: Default VSC

Explain how you can meet the requirements when you use the default VSC for the Guest WLAN.

1. Do you need to create a network profile to meet this requirement?

_______________________________________________________________________

If so, answer these questions:

a. What are the profile settings (name and VLAN ID)?

_______________________________________________________________________

_______________________________________________________________________


b. Where do you assign the network profile (mapped to a controller port, assigned as an ingress VLAN in a VSC, assigned as an egress VLAN in a VSC, or assigned as an egress network in a VSC binding; indicate all that apply)?

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

c. Does the profile require an IP interface? If so, what are the requirements?

_______________________________________________________________________

2. Do you need to make any changes to the network infrastructure? If so, what are those changes?

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

3. What VSC settings do you establish? What VSC binding settings?

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________


4. Do you need to make any other changes to the controller configuration? If so, what are the changes?

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

Questions: Other VSC

Explain how you can meet the company’s requirements when you use another VSC for the Guest WLAN.

1. Do you need to create a network profile to meet this requirement?

_______________________________________________________________________

If so, answer the following questions:

a. What are the profile settings (name and VLAN ID)?

_______________________________________________________________________

b. Where do you assign the network profile (mapped to a controller port, assigned as an ingress VLAN in a VSC, assigned as an egress VLAN in a VSC, or assigned as an egress network in a VSC binding; indicate all that apply)?

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________


c. Does the profile require an IP interface? If so, what are the requirements?

_______________________________________________________________________

2. Do you need to make any changes to the network infrastructure? If so, what are the changes?

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

3. What VSC settings do you establish? What VSC binding settings?

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

4. Do you need to make any other changes to the controller configuration? If so, what are the changes?

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________


Using VLANs to apply access control to wired clients

Figure 6-15: Using VLANs to apply access control to wired clients

Currently, all unused switch ports at the main site are assigned to VLAN 1, which does not provide network access. The company wants the controller to use its guest VSC to provide controlled network access and Web-Auth for any user who connects to one of these ports.

Questions: Default VSC

Explain how you can meet the requirements when you use the default VSC for the Guest WLAN.

1. Do you need to create a network profile to meet this requirement?

_______________________________________________________________________

If so, answer these questions:

a. What are the profile settings (name and VLAN ID)?

_______________________________________________________________________

_______________________________________________________________________


b. Where do you assign the network profile (mapped to a controller port, assigned as an ingress VLAN in a VSC, assigned as an egress VLAN in a VSC, or assigned as an egress network in a VSC binding; indicate all that apply)?

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

c. Does the profile require an IP interface? If so, what are the requirements?

_______________________________________________________________________

2. Do you need to make any changes to the network infrastructure? If so, what are these changes?

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

3. What VSC settings do you need to change, if any? What VSC binding settings?

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

4. Do you need to make any other changes to the controller configuration? If so, what are the changes?

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________


Questions: Other VSC

Explain how you can meet the company’s requirements when you use another VSC for the Guest WLAN.

1. Do you need to create a network profile to meet this requirement?

_______________________________________________________________________

If so, answer the following questions:

a. What are the profile settings (name and VLAN ID)?

_______________________________________________________________________

b. Where do you assign the network profile (mapped to a controller port, assigned as an ingress VLAN in a VSC, assigned as an egress VLAN in a VSC, or assigned as an egress network in a VSC binding; indicate all that apply)?

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

c. Does the profile require an IP interface? If so, what are the requirements?

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

2. Do you need to make any changes to the network infrastructure? If so, what are these changes?

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________


3. What VSC settings do you need to change, if any? What VSC binding settings?

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

4. Do you need to make any other changes to the controller configuration? If so, what are the changes?

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________


Using VLANs to route authenticated guest traffic

Figure 6-16: Using VLANs to route authenticated guest traffic

The company now wants to route all authenticated guest traffic on VLAN 64, subnet 10.1.64.0/24, which connects directly to the Internet gateway.

The table shows the subnets associated with the VLANs shown in the figure. (The company might have more subnets, but they are not relevant to this solution.) Devices in the corporate LAN are the default gateways for all subnets except Guests. The controller routes guest traffic.

Table 6-6: Corporate LAN VLANs

VLAN purpose                          VLAN ID      Default gateway
Guests                                1 (or none)  10.1.48.1/23
Management (infrastructure devices)   8            10.1.8.1/24
Users                                 16           10.1.16.1/23
Servers                               24           10.1.24.1/24
APs (main site)                       32           10.1.32.1/24
Internet                              64           10.1.64.1/24
APs (site 2)                          232          10.2.32.1/24
Users (site 2)                        216          10.2.16.1/24

Questions

1. Do you need to create a network profile to meet this requirement?

_______________________________________________________________________

If so, answer these questions:

a. What are the profile settings (name and VLAN ID)?

_______________________________________________________________________


b. Where do you assign the network profile (mapped to a controller port, assigned as an ingress VLAN in a VSC, assigned as an egress VLAN in a VSC, or assigned as an egress network in a VSC binding; indicate all that apply)?

_______________________________________________________________________

_______________________________________________________________________

c. Does the profile require an IP interface? If so, what are the requirements?

_______________________________________________________________________

2. Do you need to make any changes to the network infrastructure? If so, what are they?

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

3. Do you need to make any other changes on the MSM Controller? If so, what are they?

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________


Assigning user-based VLANs for routing authenticated guest traffic

Figure 6-17: Assigning user-based VLANs for routing authenticated guest traffic

Next assume that a hospital wants to route different guests’ traffic out different VLANs. The MSM Controller routes normal visitors’ traffic directly to the Internet router on VLAN 64. Visiting students, however, are allowed access to a bank of resources; a gateway in VLAN 72 handles their traffic and applies the correct access controls.

Table 6-7: Corporate LAN VLANs

VLAN purpose                          VLAN ID      Default gateway
Guests                                1 (or none)  10.1.48.1/23
Management (infrastructure devices)   8            10.1.8.1/24
Users                                 16           10.1.16.1/23
Servers                               24           10.1.24.1/24
APs                                   32           10.1.32.1/24
Internet                              64           10.1.64.1/24
Student LAN                           72           10.1.72.1/24
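Two planning checks from this and the earlier guest scenario, written as an added example rather than code from the HP course: first, that the guest subnet 10.1.48.0/23 "does not exist anywhere else in the network" and that no two rows of the VLAN table overlap; second, a model of how a user-based VLAN (students on VLAN 72) interacts with the VSC's static egress VLAN (visitors on VLAN 64). The table rows are constructed from Table 6-7, and the override rule in choose_egress_vlan is an assumption of the model, not a verified description of MSM Controller behaviour. Any VLAN that wins must have a network profile, so the function refuses a VLAN ID absent from the table.

```python
"""Checks on the guest VLAN plan in Tables 6-6 and 6-7.

Added example, not code from the HP course: it models the subnet plan and
the controller's egress decision so the plan can be checked before any
network profile or IP interface is configured. The table rows are
constructed from Table 6-7; the override rule is a stated assumption.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Interface, IPv4Network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class VlanEntry:
    purpose: str
    vlan_id: Optional[int]      # None models the "1 (or none)" guest row
    gateway: IPv4Interface      # gateway address with its prefix length

    @property
    def network(self) -> IPv4Network:
        return self.gateway.network


# Constructed from Table 6-7 (the hospital scenario).
TABLE_6_7: List[VlanEntry] = [
    VlanEntry("Guests", None, IPv4Interface("10.1.48.1/23")),
    VlanEntry("Management (infrastructure devices)", 8, IPv4Interface("10.1.8.1/24")),
    VlanEntry("Users", 16, IPv4Interface("10.1.16.1/23")),
    VlanEntry("Servers", 24, IPv4Interface("10.1.24.1/24")),
    VlanEntry("APs", 32, IPv4Interface("10.1.32.1/24")),
    VlanEntry("Internet", 64, IPv4Interface("10.1.64.1/24")),
    VlanEntry("Student LAN", 72, IPv4Interface("10.1.72.1/24")),
]


def overlapping_subnets(entries: List[VlanEntry]) -> List[Tuple[str, str]]:
    """Return every pair of rows whose subnets overlap; a clean plan gives []."""
    clashes = []
    for i, a in enumerate(entries):
        for b in entries[i + 1:]:
            if a.network.overlaps(b.network):
                clashes.append((a.purpose, b.purpose))
    return clashes


def guest_subnet_is_isolated(entries: List[VlanEntry], guest_purpose: str = "Guests") -> bool:
    """True when the guest subnet exists nowhere else, as the scenario requires."""
    guest = next(e for e in entries if e.purpose == guest_purpose)
    return not any(guest.network.overlaps(e.network) for e in entries if e is not guest)


def choose_egress_vlan(entries: List[VlanEntry], vsc_egress_vlan: int,
                       user_vlan: Optional[int] = None) -> int:
    """Pick the VLAN on which the controller forwards an authenticated guest's traffic.

    Assumption (a model, not a verified description of MSM behaviour): a VLAN
    assigned to the user overrides the VSC's static egress VLAN, and whichever
    VLAN wins must have a network profile, i.e. a row with that ID in the table.
    """
    defined = {e.vlan_id for e in entries if e.vlan_id is not None}
    chosen = vsc_egress_vlan if user_vlan is None else user_vlan
    if chosen not in defined:
        raise ValueError(f"VLAN {chosen} has no network profile in the plan")
    return chosen


def egress_gateway(entries: List[VlanEntry], vlan_id: int) -> IPv4Address:
    """Next hop the controller routes to for traffic sent out the given VLAN."""
    return next(e.gateway.ip for e in entries if e.vlan_id == vlan_id)


if __name__ == "__main__":
    print("overlaps:", overlapping_subnets(TABLE_6_7))
    print("guest subnet isolated:", guest_subnet_is_isolated(TABLE_6_7))
    # Visitor: static VSC egress VLAN 64. Student: user-based VLAN 72 wins.
    for role, user_vlan in (("visitor", None), ("student", 72)):
        vlan = choose_egress_vlan(TABLE_6_7, vsc_egress_vlan=64, user_vlan=user_vlan)
        print(f"{role}: VLAN {vlan}, next hop {egress_gateway(TABLE_6_7, vlan)}")
```

Run the file directly to see the plan checked and both roles resolved to their next hop. Adding a row whose subnet falls inside 10.1.48.0/23 makes overlapping_subnets report the clash and guest_subnet_is_isolated return False, which is the condition the scenario on the earlier page rules out.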

Questions

Adjust the solution that you have established up to this point to meet these requirements.

1. Do you need to create a network profile to meet this requirement?

_______________________________________________________________________


If so, answer the following questions:

a. What are the profile settings (name and VLAN ID)?

_______________________________________________________________________

b. Where do you assign the network profile (mapped to a controller port, assigned as an ingress VLAN in a VSC, assigned as an egress VLAN in a VSC, or assigned as an egress network in a VSC binding; indicate all that apply)?

_______________________________________________________________________

_______________________________________________________________________

c. Does the profile require an IP interface? If so, what are the requirements?

_______________________________________________________________________

2. Do you need to make any changes to the network infrastructure? If so, what are they?

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

3. Do you need to make any other changes on the MSM Controller? If so, what are they?

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________


Review traffic flow

Figure 6-18: Review traffic flow

What is the traffic flow for various guest users? At each step, indicate whether the device tunnels the traffic, forwards the traffic toward its destination at Layer 2, or routes the traffic.

Questions

For these questions, assume that users have authenticated.

1. How is traffic for a wireless visitor at the main site forwarded?

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________


2. How is traffic for a student visitor at site 2 forwarded?

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

3. How is traffic forwarded for a visitor with an Ethernet connection to VLAN 1 at the main site?

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________


Alternatives: Using VLANs to implement access control for wireless clients

Figure 6-19: Alternatives: Using VLANs to implement access control for wireless clients

VLAN 1 establishes an unprotected network in which users can reach any resources deployed there. Now consider a situation in which the company wants to place unauthenticated wireless guests in this VLAN as well. This solution works only for guests connected to APs that can obtain a Layer 2 connection to the controller (whether the APs are deployed at the same site or whether a remote site has a Layer 2 connection to the main site).

Questions: Adjusting the AP discovery

For this solution, you need to adjust how the controller discovers and manages APs at the main site. Explain what you must do.

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________


Questions: Default VSC

Explain how you can meet the company’s requirements when you use the default VSC for the Guest WLAN.

1. Do you need to create a network profile?

_______________________________________________________________________

If so, answer these questions:

a. What are the profile settings (name and VLAN ID)?

_______________________________________________________________________

b. Where do you assign the network profile (mapped to a controller port, assigned as an ingress VLAN in a VSC, assigned as an egress VLAN in a VSC, or assigned as an egress network in a VSC binding; indicate all that apply)?

_______________________________________________________________________

_______________________________________________________________________

c. Does the profile require an IP interface? If so, what are the requirements?

_______________________________________________________________________

2. Do you need to make any changes to the network infrastructure? If so, what are they?

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

3. What VSC settings do you need to change, if any? What VSC binding settings?

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________


4. How is the traffic flow for a wireless visitor connected at the main site different from the traffic flow described on the previous slide? (Again, assume that the user is authenticated.)

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

Questions: Other VSC

Explain how you can meet the company’s requirements when you use another VSC for the Guest WLAN.

1. Do you need to create a network profile?

_______________________________________________________________________

If so, answer these questions:

a. What are the profile settings (name and VLAN ID)?

_______________________________________________________________________

b. Where do you assign the network profile (mapped to a controller port, assigned as an ingress VLAN in a VSC, assigned as an egress VLAN in a VSC, or assigned as an egress network in a VSC binding; indicate all that apply)?

_______________________________________________________________________

_______________________________________________________________________

c. Does the profile require an IP interface? If so, what are the requirements?

_______________________________________________________________________


2. Do you need to make any changes to the network infrastructure?

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

3. What VSC settings do you need to change, if any? What VSC binding settings?

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

4. How is the traffic flow for a wireless visitor connected at the main site different from the traffic flow described on the previous slide? (Again, assume that the user is authenticated.)

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________


Alternatives: Implementing a similar solution on an MSM720

Figure 6-20: Alternatives: Implementing a similar solution on an MSM720

The figure displays a solution similar to the one that you planned earlier in the module. In this solution, however, the main site APs discover the controller at Layer 2, so all of their management traffic flows directly to the MSM Controller. Other APs discover the controller at Layer 3 on its Internet network IP address.

The APs are already configured to forward employees’ traffic in VLAN 16 at the main site and VLAN 216 at site 2 (that is, the network profiles for these VLANs are specified in the appropriate AP group VSC bindings). The figure on the next page shows the setup in more detail.

You must now plan how to set up a guest solution that allows visitors to connect wirelessly at the main site, wirelessly at site 2, and with Ethernet connections at the main site (unused ports are in VLAN 1). The controller will provide IP addresses to the guests, allow the guests to log in through its internal login pages, and prevent the guests from reaching any network resources until they log in. After the guests log in, they should be able to access the Internet only.

You must plan how to implement this solution.

Note: Although the figure on the next page shows the MSM720 ports connected, you would assign the correct VLANs to the ports before connecting them.


Table 6-8: Corporate LAN VLANs, including guest VLAN/subnet

VLAN purpose                          VLAN ID      Default gateway
Guests                                1 (or none)  10.1.48.1/23
Management (infrastructure devices)   8            10.1.8.1/24
Users                                 16           10.1.16.1/23
Servers                               24           10.1.24.1/24
APs                                   32           10.1.32.1/24
Internet                              64           10.1.64.1/24
APs (site 2)                          232          10.2.32.1/24
Users (site 2)                        216          10.2.16.1/24

Figure 6-21: MSM720 deployment

Questions

1. Will you use the default VSC or a different VSC for the guest VSC?

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________


2. Make a plan for creating network profiles, if necessary. Also plan how to assign profiles (new and existing) to the MSM720 trunks (link aggregation groups).

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

_______________________________________________________________________

3. Do you need to create any new IP interfaces? If so, what are the appropriate settings? Do you need to adjust IP settings for existing IP interfaces? If so, how?


4. What VSC settings will you establish? What VSC binding settings?


Implementing and Troubleshooting HP Wireless Networks


5. What additional MSM settings do you need to configure to ensure that guests receive IP addresses and that the controller can receive and forward their traffic? (You might configure additional settings for the guest solution, in general, but you do not need to list those.)


6. What changes do you need to make to the switch port VLAN assignments?


Lab Activity 6.1

Figure 6-22: Lab Activity 6.1

In Lab Activity 6.1, you will assign user-based VLANs to employees and also an egress VLAN to authenticated guests. You will explore the differences in the solutions.


Lab Activity 6.1 debrief

Use the space below to record your key insights and challenges from Lab Activity 6.1.

Table 6-9: Debrief for Lab Activity 6.1 (columns: Challenges, Key Insights)

Use the space below to record your thoughts about various deployment strategies that you explored during Lab Activity 6.1.


Discussion topics

Figure 6-23: Discussion topics

Until now you have learned how to implement access-controlled solutions in which the MSM Controller acts as the DHCP server. Some enterprises, however, prefer to handle all IP assignments from their network DHCP servers. To meet this need, you configure DHCP relay.


Using DHCP relay for access-controlled clients

Figure 6-24: Using DHCP relay for access-controlled clients

To configure DHCP relay for access-controlled clients, you must enable DHCP relay globally from the Controller >> Network > Address allocation window. Select the option and click Configure. From that window, you configure the settings for DHCP as implemented on the untagged LAN port (or Access network) interface and the default VSC. You also choose whether to relay DHCP requests received on the untagged LAN port (or Access network), on client data tunnels to access-controlled VSCs, or both.

When the controller relays a request, it includes its relay IP address:

For requests received on the untagged LAN port (or Access network), this is the controller’s IP address on that interface. This IP address is also the relay address for requests received on the default VSC.

For requests received on other access-controlled VSCs, you specify an IP address and subnet mask.

The controller creates a virtual IP interface for this IP address (just as it does for the gateway address for VSC DHCP server settings). Therefore, the same guidelines apply. The subnet must be unique (not defined on any other IP interface).

The DHCP server scope for the subnet must specify the controller’s relay address for the default gateway and for the DNS server IP address as well.

Note: You can specify external DNS servers, but this solution requires additional setup:

An access list rule permits unauthenticated guests to send DNS requests to the server.

The server resolves the controller's HTML authentication certificate subject name to the controller's untagged LAN port (or Access network) IP address. (When you use the controller as the DNS server, that is not required.)

Just as when you use the DHCP server, the guest subnet generally does not exist in the wired infrastructure—although the DHCP server does have a scope for it.


You learned two methods for routing traffic back to this virtual subnet in “Module 5: Guest Solutions.” You can implement NAT on the IP interfaces that forward traffic from the VSCs, or you can create routes in the wired infrastructure. When you use DHCP relay, you should use the route option. This is because the server sends the DHCP replies back to the relay IP address, which needs to be in the actual guest subnet.

Create the route on the server’s default gateway. On the controller, disable NAT on any IP interface that will forward guest traffic.


Resolving potential issues with the firewall

Figure 6-25: Resolving potential issues with the firewall

Sometimes a DHCP server sends pings to clients to determine whether it can assign a leased IP address to another client. You might need to adjust the controller’s firewall, which is enabled by default, to allow these pings to reach access-controlled clients. Note that this firewall is different from the access lists, which apply to access-controlled clients before their traffic is routed out an interface. The firewall applies to traffic as it is routed out or in an IP interface.

When necessary, follow this process to adjust the firewall:

1. Navigate to Controller >> Security > Firewall.

2. Select Custom Firewall and click Edit.

3. You might want to use the rules enforced at the High setting as a baseline. These rules allow any outbound traffic from clients (that access lists have already allowed) except NetBIOS traffic. They drop inbound ICMP traffic and inbound traffic for new or invalid sessions. Table 6-10 lists these rules in more detail.

To quickly duplicate these rules, make sure that the Reset to list displays High. Then click Reset to.

4. You can then add your own rules by clicking Add New Rule.

Each rule has these components:

Source IP address and mask (or Any)

Destination IP address and mask (or Any)

Direction (incoming from the protected network or outgoing from access-controlled clients)

Action (accept or deny)

Services (select the predefined service to permit or deny certain types of traffic)

Stateful settings (allows you to define different actions based on, for example, whether traffic is part of an existing or new session)

To create rules for allowing the necessary pings and ping replies, follow these steps:


a. When you click Add New Rule, a new window is displayed.

b. For Source, type the DHCP server’s IP address.

c. For Source mask, type 255.255.255.255.

d. For Destination, leave ANY, or type the subnet address for the guests. If you choose the second option, type the guest subnet mask in the Destination Mask field.

e. For Direction, select Input.

f. For Action, select Accept.

g. For Services, from the Presets list, select ICMP Echo.

h. Click Add.

i. Click Add New Rule to allow replies from the guest clients.

j. For Source, leave ANY, or type the subnet address for the guests. If you choose the second option, type the guest subnet mask in the Source Mask field.

k. For Destination, type the DHCP server’s IP address.

l. For Destination mask, type 255.255.255.255.

m. For Direction, select Output.

n. For Action, select Accept.

o. For Services, from the Presets list, select ICMP Echo Reply.

p. Click Add.

5. You can also create other rules. When you have finished, click Save.

Table 6-10: Rules for the Firewall at the preset High level

Source  Destination  Service                          Protocol  Direction  Action  Stateful
ANY     ANY          Type: 5 – Redirect, code: 0-255  ICMP      In         Drop
ANY     ANY          ANY                                        In         Drop    Invalid, New
ANY     ANY          NetBIOS TCP                      TCP       Out        Drop
ANY     ANY          NetBIOS UDP                      UDP       Out        Drop
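To see how the two ICMP Echo rules from steps a through p interact with the High-preset baseline in Table 6-10, here is an added Python model; it is not code from the course or from the MSM controller. It assumes the firewall evaluates rules top-down with the first match deciding and accepts traffic that matches no rule, uses the standard ICMP type numbers and NetBIOS ports, and the DHCP server and guest addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass

NETBIOS_PORTS = {137, 138, 139}  # NetBIOS name, datagram and session services
ICMP_TYPES = {"ICMP Echo Reply": 0, "ICMP Redirect": 5, "ICMP Echo": 8}

@dataclass
class Rule:
    src: str            # "ANY" or "address/prefix"
    dst: str
    direction: str      # "In" = from the protected network to clients, "Out" = from clients
    service: str        # "ANY", a key of ICMP_TYPES, "NetBIOS TCP" or "NetBIOS UDP"
    action: str         # "Accept" or "Drop"
    states: tuple = ()  # () matches any session state, else e.g. ("Invalid", "New")

def addr_matches(spec, ip):
    return spec == "ANY" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def service_matches(service, pkt):
    if service == "ANY":
        return True
    if service in ICMP_TYPES:
        return pkt["proto"] == "icmp" and pkt.get("icmp_type") == ICMP_TYPES[service]
    if service.startswith("NetBIOS "):
        return pkt["proto"] == service[8:].lower() and pkt.get("dport") in NETBIOS_PORTS
    raise ValueError(f"unknown service {service}")

def evaluate(rules, pkt):
    """Return the action for pkt: the first matching rule decides; traffic that
    matches no rule is accepted (assumed, since the High preset lists only Drop rules)."""
    for r in rules:
        if (r.direction == pkt["direction"] and addr_matches(r.src, pkt["src"])
                and addr_matches(r.dst, pkt["dst"]) and service_matches(r.service, pkt)
                and (not r.states or pkt.get("state") in r.states)):
            return r.action
    return "Accept"

# Baseline: the rules of the High preset as listed in Table 6-10.
HIGH_PRESET = [
    Rule("ANY", "ANY", "In", "ICMP Redirect", "Drop"),
    Rule("ANY", "ANY", "In", "ANY", "Drop", ("Invalid", "New")),
    Rule("ANY", "ANY", "Out", "NetBIOS TCP", "Drop"),
    Rule("ANY", "ANY", "Out", "NetBIOS UDP", "Drop"),
]
# Constructed addresses: DHCP server 10.1.24.10, guest subnet 10.1.48.0/23.
DHCP_SERVER, GUEST_NET = "10.1.24.10", "10.1.48.0/23"
PING_RULES = [  # the rules built in steps a-h and i-p
    Rule(DHCP_SERVER + "/32", GUEST_NET, "In", "ICMP Echo", "Accept"),
    Rule(GUEST_NET, DHCP_SERVER + "/32", "Out", "ICMP Echo Reply", "Accept"),
]

def server_ping_decisions(rules):
    """Actions for the server's lease-probe ping to a guest and the guest's reply."""
    probe = {"src": DHCP_SERVER, "dst": "10.1.48.20", "direction": "In",
             "proto": "icmp", "icmp_type": 8, "state": "New"}
    reply = {"src": "10.1.48.20", "dst": DHCP_SERVER, "direction": "Out",
             "proto": "icmp", "icmp_type": 0, "state": "Established"}
    return evaluate(rules, probe), evaluate(rules, reply)
```

Placing the Accept rules below the preset's catch-all inbound Drop for new sessions leaves the server's probe blocked, which server_ping_decisions makes visible for both orderings.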


Extending the egress VLAN to access-controlled clients

Figure 6-26: Extending the egress VLAN to access-controlled clients

In all the options that you have examined, access-controlled clients have IP addresses in one subnet and the controller routes their traffic out another. As you have learned, an egress VLAN limits the forwarding interface but does not affect the subnet on which the client receives its IP address. You can, however, adjust an access-controlled solution so that the egress VLAN in the VSC functions more like an egress VLAN for non-access-controlled clients. That is, clients receive IP addresses in that VLAN—although the controller still routes their traffic before the traffic reaches the egress VLAN’s default gateway. Follow these guidelines:

Apply the egress VLAN to unauthenticated clients in the VSC (as well as to authenticated clients).

In the global DHCP relay settings, select the check box for extending the ingress interface to the egress interface.

In the VSC DHCP relay settings, select the Extend to egress interface option. You can no longer specify the IP address and subnet mask. You also cannot specify the DHCP server in the relay settings. The MSM Controller simply forwards the request on the egress VLAN IP interface. If the DHCP server does not reside on that VLAN, the VLAN’s default gateway in the network infrastructure must implement DHCP relay.

Disable NAT on the egress VLAN IP interface.

Because the egress VLAN already exists in the wired infrastructure, you do not need to create a route for it.


Follow the same guidelines indicated on the previous page for the DHCP pool. Set the MSM Controller’s IP address for the default gateway and DNS server.

The figure below illustrates how the controller applies the DHCP settings for this solution. You can compare it to Figure 6-24. As you see, in this solution the controller is the default gateway for clients in their subnet, but another routing device in the VLAN acts as the controller's default gateway. This device also implements DHCP relay to the server.

Figure 6-27: DHCP communications when you extend the egress VLAN to access-controlled clients
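The relay-subnet guidelines from the DHCP relay pages (unique subnet, scope gateway and DNS set to the relay address, route rather than NAT) and the extend-to-egress variant above can be checked before deployment. The following Python checker is an added example, not the course's or HP's code; the plan dictionary keys, the controller addresses 10.1.8.5 and 10.1.64.2 and the DHCP server 10.1.24.10 are constructed, and it goes beyond the text only by validating both modes in one routine.

```python
import ipaddress

def check_relay_plan(plan):
    """Return the guideline violations in a DHCP-relay plan for an
    access-controlled VSC; an empty list means the plan follows the module."""
    problems = []
    relay = ipaddress.ip_interface(f"{plan['relay_ip']}/{plan['relay_mask']}")
    guest_net, scope = relay.network, plan["scope"]
    # The relay address is a virtual IP interface (or, in extend mode, the
    # egress VLAN interface); its subnet must not be defined on any other interface.
    for other in plan["other_interfaces"]:
        if guest_net.overlaps(ipaddress.ip_interface(other).network):
            problems.append(f"subnet {guest_net} overlaps interface {other}")
    # The external server's scope must cover that subnet and hand out the
    # controller's relay address as both default gateway and DNS server.
    if ipaddress.ip_network(scope["network"]) != guest_net:
        problems.append(f"scope network {scope['network']} is not {guest_net}")
    if scope["router"] != str(relay.ip):
        problems.append(f"scope router must be {relay.ip}")
    if scope["dns"] != str(relay.ip):
        problems.append(f"scope DNS must be {relay.ip} (external DNS needs extra setup)")
    # Replies are addressed to the relay address, so NAT must be off on every
    # controller interface that forwards guest traffic.
    for iface in plan["nat_enabled_on"]:
        problems.append(f"disable NAT on forwarding interface {iface}")
    if plan["extend_to_egress"]:
        # Subnet already exists in the wired VLAN: no route needed, but the
        # VLAN's default gateway must relay if the server is not on that VLAN.
        if (ipaddress.ip_address(plan["dhcp_server"]) not in guest_net
                and not plan["upstream_gateway_relays"]):
            problems.append("egress VLAN default gateway must relay DHCP to the server")
    else:
        # Virtual subnet is unknown to the wired side: the server's default
        # gateway needs a route to it via the controller.
        if plan["server_gateway_routes"].get(str(guest_net)) != plan["controller_wired_ip"]:
            problems.append(f"server gateway needs route {guest_net} via {plan['controller_wired_ip']}")
    return problems

# Constructed sample values: guest relay subnet 10.1.48.0/23, DHCP server
# 10.1.24.10 in the servers VLAN, controller wired address 10.1.8.5.
GOOD_PLAN = {
    "relay_ip": "10.1.48.1", "relay_mask": "255.255.254.0",
    "other_interfaces": ["10.1.8.5/24", "10.1.64.2/24"],
    "scope": {"network": "10.1.48.0/23", "router": "10.1.48.1", "dns": "10.1.48.1"},
    "nat_enabled_on": [], "extend_to_egress": False,
    "dhcp_server": "10.1.24.10", "upstream_gateway_relays": False,
    "server_gateway_routes": {"10.1.48.0/23": "10.1.8.5"}, "controller_wired_ip": "10.1.8.5",
}
# Common mistakes: scope pointing at wired gateways, NAT left on, no route.
BAD_PLAN = dict(GOOD_PLAN, nat_enabled_on=["10.1.64.2/24"], server_gateway_routes={},
                scope={"network": "10.1.48.0/23", "router": "10.1.64.1", "dns": "10.1.24.10"})
# Extend-to-egress variant: the relay address is the controller's own address on
# egress VLAN 64, the scope lives in that wired subnet, and no route is needed.
EXTEND_PLAN = dict(GOOD_PLAN, extend_to_egress=True, relay_ip="10.1.64.2",
                   relay_mask="255.255.255.0", other_interfaces=["10.1.8.5/24"],
                   scope={"network": "10.1.64.0/24", "router": "10.1.64.2", "dns": "10.1.64.2"},
                   server_gateway_routes={}, upstream_gateway_relays=True)
```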


Lab Activity 6.2

Figure 6-28: Lab Activity 6.2

You will next implement DHCP relay for access-controlled clients.

Consult your Lab Guide for instructions for performing this activity.


Lab Activity 6.2 debrief

Use the space below to record your key insights and challenges from Lab Activity 6.2.

Table 6-11: Debrief for Lab Activity 6.2 (columns: Challenges, Key Insights)

Use the space below to record your thoughts about various deployment strategies that you explored during Lab Activity 6.2.


Summary

Figure 6-29: Summary

In this module, you have put together everything that you have learned so far about planning VLANs and networks for your MSM solution:

VLANs for managing the MSM Controller and APs

VLANs for non-access-controlled clients

Networks and VLANs for access-controlled clients

You also learned how to relay access-controlled, or guest, clients’ DHCP requests to a network DHCP server. As part of this discussion, you learned how to extend DHCP relay onto an access-controlled VSC’s egress VLAN. In this way, you can assign access-controlled clients IP addresses in the same VLAN in which their authenticated traffic is eventually routed.


Learning check

Answer the following questions:

1. An MSM Controller acts as the RADIUS server for an employee VSC (using 802.1X) and a guest VSC (using Web-Auth). It has non-access-controlled account profiles for the employees and access-controlled profiles for the guests. Both types of profiles assign egress VLANs. What are some differences between the VLANs?


2. You have set up DHCP relay on an access-controlled VSC. You specified 10.1.40.1 as the subnet address and 255.255.255.0 as the mask. What settings should the DHCP scope on the external DHCP server include?
