Getting MSM765zl in HP5412zl working for a guest SSID, secure guest SSID, and secure SSID

GOAL:  To create (3) SSIDs as follows-
1) a guest VSC that will strictly give it access to the internet out of our default gateway (on a separate subnet preferably),
2) a secure guest VSC for employees' smartphones & non-AD based devices that will give them access to internal services and internet, but not require AD authentication (on a separate subnet preferably), and
3) a secure VSC that will allow devices that can authenticate to AD to have all the same functionality as wired devices (along with connecting on the same subnet as the wired devices)

Our configuration consists of
-a HP5412zl switch ( w/a MSM765zl module ( installed in Slot J (attached to the switch are 2 MSM460s and 1 MSM317).  This switch is the core switch for our main user subnet (  DEFAULT GATEWAY  Routing is enabled
-The MSM765zl is setup and operational, albeit with one subnet connecting through the LAN port and the INTERNET port set for just VLAN, i.e. not in use.  
-(4) subnets managed by a Cisco ASA5550.  
----One port is the main user subnet that houses all Windows servers, workstations, and user devices (
----One port hosts our management interface (
----One port hosts our voice services (
----One port connects to our DS3 internet connection
----The VPN virtual subnet on the ASA is (
-Currently, there are no VLAN configurations in place
-There is one 2008 R2 AD forest controlled by (2) virtual servers connected to the subnet through the HP5412zl switch.
-Primary DNS and DHCP are hosted on one of the DCs -

We are looking for a configuration that can work within this configuration, using the DHCP server on (and the MSM765 DHCP server for the guest, if needed).  

We tried using both ports on the MSM765 to enable the multiple subnets with no success.  Trying to get the additional subnet to route properly, and to hand out its subnet's addresses (from a separate scope setup on the AD DHCP Server) also ended with no success.   Scouring through the HP examples has only got us throwing our hands up higher.  

Our current MSM & 5412 configs are attached.

Any assistance is appreciated.
mrsimonsez (VP, IT) Asked:

Don S. Commented:
You should probably be using only the internet port.  Trying to use both ports will make for confusion and using the LAN port only will not allow you to use the guest services web page to allow guests to access their SSID.  You will need to setup the non-authenticating internal users with WPA-PSK and enter the key into each device.  The internal users can be setup to use certificates and a radius server to authenticate back to the MSM.  You will set the egress Vlan on both the authenticated and non-authenticated VSCs to be your internal LAN VLAN.  Other than authentication, traffic will flow directly from the access points to the VLAN.  As for guest access, that will flow through the MSM for both authentication and traffic.  You do this by checking the always use client tunnel box in the guest VSC.  Work on getting the authenticated and non-authenticated VSCs working correctly first.  Then work on the guest VSC.
mrsimonsez (VP, IT) Author Commented:
Thank you Dons6718.  We did attempt the Internet Port first, simulating it as a standalone wireless router.  However, that did not work, preventing any devices from getting beyond the controller.   And, the DHCP from the AD controller did not hand out from the correct scope of the different subnet.  

We have 2 challenges with this route -
1) These ports are essentially virtual, as this is a module within the 5412zl switch.
2) The goal of setting up a separate subnet in an environment that mimics a standalone wireless router, does not take into factor that there is an internal hop ( that guest access users should not have access to.  These users, however, would share the same default gateway of (I guess we could try to attach multiple IP addresses to that A1 port on the HP switch that connects to the internet gateway on the ASA router.  

P.S. I did fail to mention that we do have a Palo Alto 2020 Content monitor in-line between the A1 port on the HP5412zl switch and the ASA5550 firewall router.

Thanks again.
Don S. Commented:
You don't really use the msm as a router. You just use it to decide which vlan to send the traffic to.  That means you should have a guest wired vlan setup already that has all the needed dhcp, dns, and routing.  Test the wired version first and get it working right, then setup the msm to authenticate your guests and push them on to your wired guest vlan.  I've found routing and dhcp services in the msm to be a real pain.
mrsimonsez (VP, IT) Author Commented:
Apologies for not getting back sooner, as I do appreciate your responses.   So, to confirm, your recommendation is to configure a guest wired VLAN on the HP 5412zl, that will point its DHCP requests to the AD server, asking for the VLAN specific subnet?   Then, on the guest wireless VSC, we would configure its egress to this VLAN instead of normal?

This would mean that we leave the Internet port on the MSM765 as none/use for VLAN,  and for the VSC, we tell it to use the DHCP relay service?

At the same time, I gather that we would leave routing on the HP5412zl enabled, setup the guest VLAN with an IP address assigned to it for that VLAN's subnet, and set the default gateway to point to our edge device.  Would that default gateway for that VLAN be the, or would I need to assign an additional IP address to one of the ports on the 5412 to act as the exit point for the guest VLAN?

Thanks again.
Don S. Commented:
Actually, you wouldn't want to route anything in switch or MSM, you'd leave the routing to your edge router.  Your edge router would need to know about both your internal VLAN and the Guest VLAN.  You could serve DHCP either from the wired Guest VLAN or the MSM.  Setting up DHCP on the MSM without having it serve DHCP to all Vlans is a bit tricky - which is why I decided not to do it that way.
mrsimonsez (VP, IT) Author Commented:
So, you have NO ROUTING set on your HP5412zl?

Do you have an example of how you setup the VLAN configuration perchance?

Thanks again.
Don S. Commented:
I look at Vlans as the way to segregate traffic and routers as the way to direct traffic.  Usually the reason to segregate traffic is for security or class of service reasons so doing unilateral routing pretty much defeats my primary purposes for vlans in the first place.  I find that true routers are easier to configure to achieve my purposes of only allowing certain traffic between Vlans.  The guest network is the perfect example of not allowing any traffic on to your internal lan(s) and only allowing it access out to the Internet.  You could use the MSM to do routing or the Switch with ACLs configured if you would like, I just find it easier to concentrate the routing on either a main router or the edge router (assuming the edge router/firewall can handle multiple Vlans).

Are you asking about setting the Vlans on the switch?
mrsimonsez (VP, IT) Author Commented:
That makes great sense, and your logic of pushing the actual routing processes to the edge sounds right up my alley!   So, yes, would you perchance have a sample of the config to handle the VLAN configuration on the HP Switch & the MSM module?

Thanks again.  I think the light is turning on now.
Don S. Commented:
Pretty simple really.  You just define the vlans in the switch, set each port to untagged on the vlan the computer connected to needs to be on.  Then, any ports that connect to other switches would be set to tagged for all vlans as well as the remote switch connecting port set to tagged for all vlans.  The edge router/firewall would connect to a port that has all vlans tagged as well.  The MSM would have each vlan defined with the appropriate vlan number, then you create a VSC for each vlan and bind the VSC to the corresponding egress Vlan.
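
Added example (not part of the thread, and not HP's or the poster's configuration): a Python check that reads a ProCurve-style VLAN excerpt and flags where it departs from the design described above, namely no switch IP interface on the guest VLAN, the guest VLAN tagged to the MSM port, and every VLAN carried on the uplink to the edge firewall. The VLAN IDs, addresses and port names (A1 as uplink, J1 as the MSM765zl port) are assumptions in a constructed sample.

```python
import re

# Constructed ProCurve-style excerpt. VLAN IDs, addresses and ports are
# assumptions: A1 = uplink to the edge firewall, J1 = MSM765zl port in slot J.
SAMPLE_CONFIG = """\
vlan 1
   untagged A1-A4,B1
   tagged J1
   exit
vlan 20
   untagged B2
   tagged A1
   ip address 192.0.2.1 255.255.255.0
   exit
"""

def expand(ports):
    """Expand 'A1-A4,B1' into individual port names (same-slot ranges only)."""
    out = set()
    for part in ports.split(","):
        m = re.fullmatch(r"([A-Z])(\d+)-\1(\d+)", part)
        out |= {f"{m[1]}{n}" for n in range(int(m[2]), int(m[3]) + 1)} if m else {part}
    return out

def parse_vlans(config):
    """Return {vlan_id: {'untagged': set, 'tagged': set, 'has_ip': bool}}."""
    vlans, cur = {}, None
    for words in (line.split() for line in config.splitlines()):
        if len(words) == 2 and words[0] == "vlan" and words[1].isdigit():
            cur = vlans.setdefault(int(words[1]), {"untagged": set(), "tagged": set(), "has_ip": False})
        elif not words or words[0] == "exit":
            cur = None  # end of the current VLAN stanza
        elif cur is not None and words[0] in ("untagged", "tagged"):
            cur[words[0]] |= expand(words[1])
        elif cur is not None and words[:2] == ["ip", "address"]:
            cur["has_ip"] = True  # "no ip address" does not match this branch
    return vlans

def audit(config, guest_vlan, uplink, msm_port):
    """List deviations from the design in the thread; an empty list means none found."""
    vlans = parse_vlans(config)
    guest = vlans.get(guest_vlan, {"tagged": set(), "has_ip": False})
    findings = []
    if guest["has_ip"]:  # routing for the guest VLAN belongs on the edge device
        findings.append(f"VLAN {guest_vlan} has a switch IP interface")
    if msm_port not in guest["tagged"]:  # the guest VSC needs this VLAN as egress
        findings.append(f"VLAN {guest_vlan} is not tagged on {msm_port}")
    findings += [f"VLAN {vid} is not carried on {uplink}" for vid, v in sorted(vlans.items())
                 if uplink not in v["tagged"] | v["untagged"]]
    return findings
```

Calling `audit(SAMPLE_CONFIG, 20, "A1", "J1")` reports the two deliberate faults in the constructed sample; ranges that span slots are not expanded.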