configuration guide for vlan - cos5.3
VLAN configuration Guide by HP
1 Colubris Networks – ©2007
Configuration & Deployment
VLAN Lab
Colubris Intelligent Multiservice System
Core Products & Management Solutions
Operation and Configuration
Lab Exercises
• Lab #4 – 3.5 hours
  Advanced enterprise deployment scenario (VLANs)
    Secure corporate data access using WPA2-PSK on VLAN 10
    VoWiFi using WEP on VLAN 20
    Guest access using captive portal (login page)
    Guest users must be on a separate IP range and subnet from staff
    Guest users must obtain 24-hour account to login via web page
    Guest users cannot access corporate network resources
    Guest users can only access Internet
  Objective: demonstrate the ability to:
    Configure and deploy a VLAN-based enterprise WLAN with guest access over an existing network
Lab #4 Network
[Network diagram; labels recovered from the figure]
Router
  To Internet
  DHCP server on LAN: 192.168.2.254
192.168.2.0/24 (Native VLAN = 1)
MSC5000 series controller
  Internet Port 192.168.2.a
  LAN Port 192.168.1.1 (unconnected)
  DHCP server on 192.168.1.x
MAP300 series Access Point (controlled mode)
  Port 1 192.168.2.b
SSID1
  1. SSID: “corp_1”
  2. WPA-PSK: 12345678
  3. No access control
  4. VLAN10
  IP: 192.168.10.x GW: 192.168.10.1
SSID2
  1. SSID: “voice_1”
  2. WEP: 12345
  3. No access control
  4. VLAN20
  IP: 192.168.10.x GW: 192.168.10.1
SSID3
  1. SSID: “guest_1”
  2. No encryption
  3. Access controlled
  4. No VLAN (L2GRE)
  IP: 192.168.1.x GW: 192.168.1.1
VMT
  Management traffic 1(UT)
Link labels
  10(T) 20(T)
  L2GRE tunnel for centralized access controlled traffic 1(UT)
  1(UT) on the remaining VLAN 1 links
PC on VLAN10: 10(UT)
PC on VLAN20: 20(UT)
4 Colubris Networks – ©2007
Lab #4 Switch Configuration
VLAN Switch

Port  Native VLAN  Member VLANs  Type         Connect to
1     1U           -                          Router (downstream)
2     1U           -                          MSC Internet port
3     1U           -                          VMT PC
4     1U           10T,20T       Trunk,dot1q  MAP320 Port 1
5     10U          -                          VLAN10 network
6     10U          -                          VLAN10 test
7     20U          -                          VLAN20 network
8     20U          -                          VLAN20 test
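The port table above, modelled as an added example (not part of the original slides): a small 802.1Q forwarding model that shows which ports receive a frame the AP sends on each VSC's egress VLAN, which is what the user acceptance tests later confirm with ping. MAC learning is left out, so every frame is treated as a flood; the function names are hypothetical.

```python
# Port table from the "Lab #4 Switch Configuration" slide:
# port -> (native VLAN carried untagged, VLANs carried tagged)
PORTS = {
    1: (1, set()), 2: (1, set()), 3: (1, set()),
    4: (1, {10, 20}),                 # dot1q trunk to the MAP
    5: (10, set()), 6: (10, set()),
    7: (20, set()), 8: (20, set()),
}

# Egress VLANs bound to each VSC in the lab (guest_1 is tunnelled, no VLAN).
EGRESS_VLAN = {"corp_1": 10, "voice_1": 20}
AP_PORT = 4


def classify(port, tag):
    """Return the VLAN a frame joins on ingress, or None if it is dropped."""
    native, tagged = PORTS[port]
    if tag is None:
        return native                 # untagged frames join the native VLAN
    if tag in tagged:
        return tag
    return None                       # tag is not a tagged member here: drop


def flood(port, tag=None):
    """Map of egress port -> 'tagged'/'untagged' for a flooded frame."""
    vlan = classify(port, tag)
    if vlan is None:
        return {}
    out = {}
    for p, (native, tagged) in PORTS.items():
        if p == port:
            continue                  # never send back out the ingress port
        if vlan == native:
            out[p] = "untagged"
        elif vlan in tagged:
            out[p] = "tagged"
    return out


def wireless_reaches(ssid, wired_port):
    """True if a frame from a client on `ssid` is delivered to `wired_port`."""
    return wired_port in flood(AP_PORT, EGRESS_VLAN[ssid])


if __name__ == "__main__":
    for ssid, vlan in EGRESS_VLAN.items():
        print(ssid, "->", sorted(flood(AP_PORT, vlan).items()))
```

A frame tagged with a VLAN that port 4 does not carry is dropped at ingress, so a VSC bound to an egress VLAN missing from the trunk would reach no wired port at all.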
Configuration Procedure
• Initial steps
  Configure VLAN switch according to Slide #4
  Getting the MSC up
    Factory reset MSC
    Connect laptop to MSC LAN port
    Set laptop to static IP 192.168.1.2
    Open browser to http://192.168.1.1
    Login to MSC using “admin”, “admin”
    Set Country to Canada
• Setup network
  Configure the MSC Internet port
    MSC > Service Controller > Network > Ports > Internet Port
  Configure DNS
    MSC > Service Controller > Network > DNS
  Configure default gateway
    MSC > Service Controller > Network > IP Routes
Configuration Procedure
• Setup DHCP server on MSC
  Configure DHCP server
    MSC > Service Controller > Network > Address Allocation > DHCP Server
• Setup Device Discovery, SNMP
  Enable device discovery on Internet port
    MSC > Service Controller > Management > Device Discovery > Check Internet port
  Enable SNMP on Internet port
    MSC > Service Controller > Management > SNMP > Check Internet port
Configuration Procedure
• Setup VSCs (SSID profiles)
  Configure guest access SSID
    MSC > VSC > VSC Profile
      • Profile name and SSID set to guest_1
      • Check Authentication and Access Control
      • Check HTML-based user login
      • Check Authentication > Local (since we will be using the MSC’s local user accounts)
      • Check Client Tunnel Data > Always tunnel client traffic
  Configure corporate SSID
    MSC > VSC > Add New VSC Profile
      • Profile name and SSID set to corp_1
      • Uncheck Authentication and Access Control
      • Enable Wireless Protection > WPA-TKIP, Preshared key and use: 12345678
      • Uncheck Wireless Security Filter
Configuration Procedure
• Setup VSCs (SSID profiles)
  Configure voice SSID
    MSC > VSC > Add New VSC Profile
      • Profile name and SSID set to voice_1
      • Uncheck Authentication and Access Control
      • Enable Wireless Protection > WEP, and use: 12345 (ASCII)
      • Uncheck Wireless Security Filter
Configuration Procedure
• Bind VSC to the group
  Bind corp_1 VSC
    Select Default Group (where the APs are)
    Click VSC Bindings > Add New Bindings
    Select corp_1 VSC from dropdown
    Check Egress VLAN and enter 10
  Bind voice_1 VSC
    Select Default Group (where the APs are)
    Click VSC Bindings > Add New Bindings
    Select voice_1 VSC from dropdown
    Check Egress VLAN and enter 20
  There should be a total of 3 VSC bindings
• Create access list to prevent guest users from accessing the corporate network
  Configure access list
    MSC > Public Access > Attributes > Add New Attribute…
    Select “ACCESS-LIST” and enter: colubris,DENY,all,192.168.2.0/24,all
    Select “USE-ACCESS-LIST” and enter: colubris
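A check on the access list above, as an added example (not part of the original slides): it parses the lab's rule, evaluates sample destinations against it, and lists any staff subnet the deny rule does not name so the list can be reviewed against upstream routing. The field order name,action,protocol,address,port, first-match evaluation, and ACCEPT as the result for unmatched traffic are assumptions; the function names are hypothetical.

```python
import ipaddress

# ACCESS-LIST value exactly as entered in the lab.
LAB_RULES = ["colubris,DENY,all,192.168.2.0/24,all"]


def parse_rule(line):
    """Parse 'name,action,protocol,address,port' (address: IP/CIDR or 'all')."""
    name, action, proto, addr, port = (f.strip() for f in line.split(","))
    net = None if addr.lower() == "all" else ipaddress.ip_network(addr, strict=False)
    return {"name": name, "action": action.upper(), "proto": proto.lower(),
            "net": net, "port": port.lower()}


def decide(rules, list_name, dst, proto, port, default="ACCEPT"):
    """First matching rule in `list_name` wins (assumed); else `default`."""
    ip = ipaddress.ip_address(dst)
    for r in map(parse_rule, rules):
        if r["name"] != list_name:
            continue
        if r["proto"] not in ("all", proto.lower()):
            continue
        if r["port"] not in ("all", str(port)):
            continue
        if r["net"] is None or ip in r["net"]:
            return r["action"]
    return default


def uncovered(rules, list_name, protected):
    """Protected subnets not fully inside a DENY all/all rule of `list_name`."""
    denies = [r["net"] for r in map(parse_rule, rules)
              if r["name"] == list_name and r["action"] == "DENY"
              and r["proto"] == "all" and r["port"] == "all"]
    gaps = []
    for cidr in protected:
        net = ipaddress.ip_network(cidr)
        if not any(d is None or net.subnet_of(d) for d in denies):
            gaps.append(cidr)
    return gaps


if __name__ == "__main__":
    # Staff subnets that appear in this lab: native VLAN 1 and VLAN 10.
    print(uncovered(LAB_RULES, "colubris", ["192.168.2.0/24", "192.168.10.0/24"]))
```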
Configuration Procedure
• Enable zero-configuration features for guest access
  Support any static IP
    MSC > Public Access > Access Control > Zero Configuration > Support users that have a static IP Address
    MSC > Public Access > Access Control > Zero Configuration > Support applications that use: HTTP proxy
  Change MSC’s HTTP port
    Because most ISPs’ HTTP proxies use port 8080, this will conflict with the MSC’s default unsecured authentication port, so this port needs to be changed if you wish to support clients that use an HTTP proxy server
    MSC > Public Access > Web Server > Ports > HTTP > Change the default port 8080 to 58080 (something not commonly used by ISPs)
Configuration Procedure
• Create guest account(s)
  Create subscription plan for 24-hour use
    MSC > Service Controller > Users > Subscription plans > Add new plan
    Enter plan name: 24-hour voucher
    Check Online time and select 24 hours
    Check validity period and check For 24 hours after first login
  Create local guest account
    MSC > Service Controller > Users > User Accounts > Add New Account
    Enter username: demo, password: procurve
    Under Validity, select Subscription plan and select the subscription plan created above
    Check VSC usage and select the guest SSID and click on left arrow
Configuration Procedure
• Connect the MAP to the network
  MAP boot sequence
    Power cycle (power LED blinks slowly)
    DHCP requests (power LED blinks slightly faster)
    MSC discovery (3 LEDs light up in running sequence 1-2-3)
      • This uses UDP broadcasts by default
    MAP establishes secure management tunnel to MSC (power LED stays on, the other two LEDs blink alternately 1-2-1-2)
      • Firmware downloads and configuration downloads happen at this stage
    MAP is fully connected, configuration is downloaded, and it is ready to offer wireless services (power LED stays on, the other two LEDs are off unless there is traffic on the LAN or wireless)
  The WLAN service is up and running
User Acceptance Tests
• Test case #1 – Corporate data access
  Configure laptop wireless interface with a static IP: 192.168.10.100, 255.255.255.0
  Disable laptop firewall
  Connect another computer to port 5 using CAT5. Configure this computer with a static IP: 192.168.10.200, 255.255.255.0
  Disable computer firewall
  Laptop associated with “corp_1” SSID
  Laptop can ping to 192.168.10.200
  Therefore, laptop is now on VLAN10
  Now connect computer (192.168.10.200) to port 7 (VLAN20)
  Laptop is still associated with corp_1 SSID. But now laptop cannot ping to 192.168.10.200 because they are on different VLANs
• Test case #2 – Guest access
  Users associated with “guest” SSID get IP address in the 192.168.1.0 subnet
  Users get login page when they try to access Internet
  Users cannot ping each other
  Users cannot access LAN devices
  Users can only access Internet after logging in with a valid credential
User Acceptance Tests
• Test case #3 – voice
  Configure laptop wireless interface with a static IP: 192.168.10.100, 255.255.255.0
  Disable laptop firewall
  Connect another computer to port 7 using CAT5. Configure this computer with a static IP: 192.168.10.200, 255.255.255.0
  Disable computer firewall
  Laptop associated with “voice_1” SSID
  Laptop can ping to 192.168.10.200
  Therefore, laptop is now on VLAN20
  Now connect computer (192.168.10.200) to port 5 (VLAN10)
  Laptop is still associated with corp_1 SSID. But now laptop cannot ping to 192.168.10.200 because they are on different VLANs
User Acceptance Tests
• Test case #3 – End-user zero configuration
  Configure wireless interface with a static IP setting
    IP: 2.2.2.2
    Mask: 255.255.255.0
    GW: 3.3.3.3
    DNS: 4.4.4.4
  Associate with “guest” SSID
  Open browser
  Login
  Surf Internet
User Acceptance Tests
• Test case #4 – No single point of failure
  Configure laptop wireless interface with a static IP: 192.168.10.100, 255.255.255.0
  Disable laptop firewall
  Connect another computer to port 7 using CAT5. Configure this computer with a static IP: 192.168.10.200, 255.255.255.0
  Disable computer firewall
  Laptop associated with “voice_1” SSID
  Laptop can ping to 192.168.10.200
  From laptop run command: ping 192.168.10.200 -t (continuous ping)
  Therefore, laptop is now on VLAN20
  Power off MSC
  Laptop is still able to continuously ping to 192.168.10.200
  Therefore it shows the MSC is not a single point of failure because the MSC is not in the data path. The AP forwards traffic directly to the destination