Getting MSM765zl in HP5412zl working for a guest SSID, secure guest SSID, and secure SSID

Posted on 2012-04-10
Last Modified: 2012-06-27
GOAL:  To create (3) SSIDs as follows-
1) a guest VSC that will strictly give it access to the internet out of our default gateway (on a separate subnet preferably),
2) a secure guest VSC for employee's smartphones & non-AD based devices that will give them access to internal services and internet, but not require AD authentication (on a separate subnet preferably), and
3) a secure VSC that will allow devices that can authenticate to AD to have all the same functionality as wired devices (along with connecting on the same subnet as the wired devices)

Our configuration consists of
-an HP5412zl switch ( w/a MSM765zl module ( installed in Slot J (attached to the switch are 2 MSM460s and 1 MSM317).  This switch is the core switch for our main user subnet (  DEFAULT GATEWAY  Routing is enabled
-The MSM765zl is setup and operational, albeit with one subnet connecting through the LAN port and the INTERNET port set for just VLAN, i.e. not in use.  
-(4) subnets managed by a Cisco ASA5550.  
----One port is the main user subnet that houses all Windows servers, workstations, and user devices (
----One port hosts our management interface (
----One port hosts our voice services (
----One port connects to our DS3 internet connection
----The VPN virtual subnet on the ASA is (
-Currently, there are no VLAN configurations in place
-There is one 2008 R2 AD forest controlled by (2) virtual servers connected to the subnet through the HP5412zl switch.
-Primary DNS and DHCP are hosted on one of the DCs -

We are looking for a configuration that can work within this configuration, using the DHCP server on (and the MSM765 DHCP server for the guest, if needed).  

We tried using both ports on the MSM765 to enable the multiple subnets with no success.  Trying to get the additional subnet to route properly, and to hand out its subnet's addresses (from a separate scope set up on the AD DHCP Server), also ended with no success.   Scouring through the HP examples has only got us throwing our hands up higher.  

Our current MSM & 5412 configs are attached.

Any assistance is appreciated.
Question by:mrsimonsez
LVL 18

Expert Comment

by:Don S.
ID: 37830246
You should probably be using only the Internet port.  Trying to use both ports will make for confusion, and using the LAN port only will not allow you to use the guest services web page to allow guests to access their SSID.  You will need to set up the non-authenticating internal users with WPA-PSK and enter the key into each device.  The internal users can be set up to use certificates and a RADIUS server to authenticate back to the MSM.  You will set the egress VLAN on both the authenticated and non-authenticated VSCs to be your internal LAN VLAN.  Other than authentication, traffic will flow directly from the access points to the VLAN.  As for guest access, that will flow through the MSM for both authentication and traffic.  You do this by checking the "always use client tunnel" box in the guest VSC.  Work on getting the authenticated and non-authenticated VSCs working correctly first.  Then work on the guest VSC.

Author Comment

ID: 37834183
Thank you Dons6718.  We did attempt the Internet Port first, simulating it as a standalone wireless router.  However, that did not work, preventing any devices from getting beyond the controller.   And, the DHCP from the AD controller did not hand out from the correct scope of the different subnet.  

We have 2 challenges with this route -
1) These ports are essentially virtual, as this is a module within the 5412zl switch.
2) The goal of setting up a separate subnet in an environment that mimics a standalone wireless router does not take into account that there is an internal hop ( that guest access users should not have access to.  These users, however, would share the same default gateway of (I guess we could try to attach multiple IP addresses to that A1 port on the HP switch that connects to the internet gateway on the ASA router.  

P.S. I did fail to mention that we do have a Palo Alto 2020 Content monitor in-line between the A1 port on the HP5412zl switch and the ASA5550 firewall router.

Thanks again.



Expert Comment

by:Don S.
ID: 37846430
You don't really use the MSM as a router.  You just use it to decide which VLAN to send the traffic to.  That means you should have a guest wired VLAN set up already that has all the needed DHCP, DNS, and routing.  Test the wired version first and get it working right, then set up the MSM to authenticate your guests and push them onto your wired guest VLAN.  I've found routing and DHCP services in the MSM to be a real pain.

Author Comment

ID: 37906611
Apologies for not getting back sooner, as I do appreciate your responses.   So, to confirm, your recommendation is to configure a guest wired VLAN on the HP 5412zl, that will point its DHCP requests to the AD server, asking for the VLAN specific subnet?   Then, on the guest wireless VSC, we would configure its egress to this VLAN instead of normal?

This would mean that we leave the Internet port on the MSM765 as none/use for VLAN,  and for the VSC, we tell it to use the DHCP relay service?

At the same time, I gather that we would leave routing on the HP5412zl enabled, set up the guest VLAN with an IP address assigned to it for that VLAN's subnet, and set the default gateway to point to our edge device.  Would that default gateway for that VLAN be the, or would I need to assign an additional IP address to one of the ports on the 5412 to act as the exit point for the guest VLAN?

Thanks again.

Expert Comment

by:Don S.
ID: 37907950
Actually, you wouldn't want to route anything in the switch or MSM; you'd leave the routing to your edge router.  Your edge router would need to know about both your internal VLAN and the guest VLAN.  You could serve DHCP either from the wired guest VLAN or the MSM.  Setting up DHCP on the MSM without having it serve DHCP to all VLANs is a bit tricky, which is why I decided not to do it that way.

Author Comment

ID: 37909260
So, you have NO ROUTING set on your HP5412zl?

Do you have an example of how you setup the VLAN configuration perchance?

Thanks again.

Expert Comment

by:Don S.
ID: 37910640
I look at VLANs as the way to segregate traffic and routers as the way to direct traffic.  Usually the reason to segregate traffic is for security or class-of-service reasons, so doing unilateral routing pretty much defeats my primary purpose for VLANs in the first place.  I find that true routers are easier to configure to achieve my purpose of only allowing certain traffic between VLANs.  The guest network is the perfect example of not allowing any traffic onto your internal LAN(s) and only allowing it access out to the Internet.  You could use the MSM to do routing, or the switch with ACLs configured, if you would like; I just find it easier to concentrate the routing on either a main router or the edge router (assuming the edge router/firewall can handle multiple VLANs).

Are you asking about setting the Vlans on the switch?

Author Comment

ID: 37912454
That makes great sense, and your logic of pushing the actual routing processes to the edge sounds right up my alley!   So, yes, would you perchance have a sample of the config to handle the VLAN configuration on the HP Switch & the MSM module?

Thanks again.  I think the light is turning on now.

Accepted Solution

Don S. earned 500 total points
ID: 37913011
Pretty simple really.  You just define the VLANs in the switch and set each port to untagged on the VLAN the connected computer needs to be on.  Then, any ports that connect to other switches would be set to tagged for all VLANs, with the remote switch's connecting port also set to tagged for all VLANs.  The edge router/firewall would connect to a port that has all VLANs tagged as well.  The MSM would have each VLAN defined with the appropriate VLAN number; then you create a VSC for each VLAN and bind the VSC to the corresponding egress VLAN.
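As an added example (not part of the thread, and not HP's own sample config), here is what the accepted answer's layout looks like as an HP 5412zl configuration fragment. Everything specific in it is an assumption to be replaced with your own values: the VLAN IDs 1/20/30 and their names, the port ranges (A1 is the uplink the question mentions; B1-B3 stand in for the three access points), the 10.0.0.2/24 placeholder address on the existing internal VLAN, and that the MSM765zl in slot J appears to the switch as ports J1 (Internet port) and J2 (LAN port), which you should confirm with `show interfaces brief` before applying.

```text
; Added example, not from the thread or from HP documentation.
; ASSUMED and to be substituted: VLAN IDs/names, port ranges, the
; 10.0.0.2/24 placeholder, and J1 = MSM Internet port, J2 = MSM LAN port.
;
;   VLAN 1  INTERNAL      wired users, servers, AP management, and the
;                         AD-authenticated VSC (same subnet as wired)
;   VLAN 20 SECURE-GUEST  WPA-PSK VSC for phones and non-AD devices
;   VLAN 30 GUEST         captive-portal VSC, Internet only
;   A1      uplink toward the Palo Alto / ASA, which does all routing
;   B1-B3   the access points (2x MSM460, 1x MSM317)

vlan 1
   name "INTERNAL"
   untagged A2-A24,B1-B24,J2            ; J2 stays untagged so the controller's
   tagged A1                            ; existing management address still works
   ip address 10.0.0.2 255.255.255.0    ; existing internal SVI (placeholder)
   exit

vlan 20
   name "SECURE-GUEST"
   tagged A1,B1-B3,J1,J2
   no ip address                        ; no SVI: the 5412 must not route this VLAN
   exit

vlan 30
   name "GUEST"
   tagged A1,B1-B3,J1,J2
   no ip address                        ; same: the edge firewall is the only gateway
   exit

; Verify the tagging before touching the MSM (all three are standard
; ProCurve show commands):
;   show vlans
;   show vlans 30
;   show vlans ports A1 detail
```

Two checks that follow from the thread. First, the question says `ip routing` is already enabled on the 5412 for the internal subnet; with that on, any `ip address` you later give VLAN 20 or 30 (for instance to use `ip helper-address` for DHCP relay to the AD server) turns the switch into a router between guest and internal, which is exactly what the accepted answer argues against. Either leave the guest VLANs without an SVI and let the edge firewall (or the MSM, as discussed above) serve or relay DHCP for them, or add ACLs on the switch if you do route there. Second, tagging A1 means the in-line Palo Alto must pass 802.1Q tags through and the ASA needs a sub-interface per VLAN; until both are in place, VLAN 20 and 30 hosts will have no gateway, which is a reasonable wired test of the design before the VSCs are bound to their egress VLANs on the MSM.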
