Configuration Guide for VLAN - COS5.3


Upload: joetuc

Post on 03-Jan-2016


DESCRIPTION

VLAN configuration Guide by HP

TRANSCRIPT

Page 1: Configuration Guide for VLAN - COS5.3

1 Colubris Networks – ©2007

Configuration & Deployment
VLAN Lab

Colubris Intelligent Multiservice System
Core Products & Management Solutions

Operation and Configuration

Page 2

Lab Exercises

• Lab #4 – 3.5 hours: Advanced enterprise deployment scenario (VLANs)
  - Secure corporate data access using WPA2-PSK on VLAN 10
  - VoWiFi using WEP on VLAN 20
  - Guest access using captive portal (login page)
  - Guest users must be on a separate IP range and subnet from staff
  - Guest users must obtain a 24-hour account to log in via the web page
  - Guest users cannot access corporate network resources
  - Guest users can only access the Internet

• Objective: demonstrate the ability to configure and deploy a VLAN-based enterprise WLAN with guest access over an existing network

Page 3

Lab #4 Network

[Network diagram; only the labels recoverable from the slide are listed below]
- Router, to Internet; LAN side 192.168.2.0/24 (Native VLAN = 1); DHCP server on LAN: 192.168.2.254
- MSC5000 series controller: Internet Port 192.168.2.a; LAN Port 192.168.1.1 (unconnected); DHCP server on 192.168.1.x
- MAP300 series Access Point (controlled mode): Port 1 192.168.2.b; management traffic on VLAN 1 (UT)
- VMT (management PC) on VLAN 1 (UT)
- SSID1: 1. SSID: "corp_1" 2. WPA-PSK: 12345678 3. No access control 4. VLAN10
- SSID2: 1. SSID: "voice_1" 2. WEP: 12345 3. No access control 4. VLAN20
- Client addressing label for the VLAN SSIDs (appears twice on the slide): IP: 192.168.10.x, GW: 192.168.10.1
- SSID3: 1. SSID: "guest_1" 2. No encryption 3. Access controlled 4. No VLAN (L2GRE); IP: 192.168.1.x, GW: 192.168.1.1
- L2GRE tunnel for centralized access controlled traffic, carried on VLAN 1 (UT)
- AP uplink carries 10(T), 20(T) and 1(UT); switch-to-router and switch-to-MSC links carry 1(UT)
- PC on VLAN10 (10 UT), PC on VLAN20 (20 UT)

Page 4

Lab #4 Switch Configuration

[Diagram of the 8-port VLAN switch; port labels recovered from the slide]
Ports 1-8, native VLAN: 1U 1U 1U 1U 10U 10U 20U 20U
Port 1: to router downstream; port 2: to MSC Internet port; port 3: to VMT PC; port 4: to MAP320 Port 1 (10T, 20T); ports 5-6: to VLAN 10 network; ports 7-8: to VLAN 20 network

Port  Native VLAN  Member VLANs  Type          Connect to
1     1U           -             -             Router
2     1U           -             -             MSC Internet
3     1U           -             -             VMT PC
4     1U           10T,20T       Trunk, dot1q  MAP320
5     10U          -             -             VLAN10
6     10U          -             -             VLAN10 test
7     20U          -             -             VLAN20
8     20U          -             -             VLAN20 test

Page 5

Configuration Procedure

• Initial steps
  - Configure VLAN switch according to Slide #4
  - Getting the MSC up:
    - Factory reset MSC
    - Connect laptop to MSC LAN port
    - Set laptop to static IP 192.168.1.2
    - Open browser to http://192.168.1.1
    - Log in to MSC using "admin", "admin"
    - Set Country to Canada

• Setup network
  - Configure the MSC Internet port: MSC > Service Controller > Network > Ports > Internet Port
  - Configure DNS: MSC > Service Controller > Network > DNS
  - Configure default gateway: MSC > Service Controller > Network > IP Routes

Page 6

Configuration Procedure

• Setup DHCP server on MSC
  - Configure DHCP server: MSC > Service Controller > Network > Address Allocation > DHCP Server

• Setup Device Discovery, SNMP
  - Enable device discovery on Internet port: MSC > Service Controller > Management > Device Discovery > Check Internet port
  - Enable SNMP on Internet port: MSC > Service Controller > Management > SNMP > Check Internet port

Page 7

Configuration Procedure

• Setup VSCs (SSID profiles)
  - Configure guest access SSID: MSC > VSC > VSC Profile
    - Profile name and SSID set to guest_1
    - Check Authentication and Access Control
    - Check HTML-based user login
    - Check Authentication > Local (since we will be using the MSC's local user accounts)
    - Check Client Tunnel Data > Always tunnel client traffic
  - Configure corporate SSID: MSC > VSC > Add New VSC Profile
    - Profile name and SSID set to corp_1
    - Uncheck Authentication and Access Control
    - Enable Wireless Protection > WPA-TKIP, Preshared key and use: 12345678
    - Uncheck Wireless Security Filter

Page 8

Configuration Procedure

• Setup VSCs (SSID profiles)
  - Configure voice SSID: MSC > VSC > Add New VSC Profile
    - Profile name and SSID set to voice_1
    - Uncheck Authentication and Access Control
    - Enable Wireless Protection > WEP, and use: 12345 (ASCII)
    - Uncheck Wireless Security Filter

Page 9

Configuration Procedure

• Bind VSC to the group
  - Bind corp_1 VSC:
    - Select Default Group (where the APs are)
    - Click VSC Bindings > Add New Bindings
    - Select corp_1 VSC from dropdown
    - Check Egress VLAN and enter 10
  - Bind voice_1 VSC:
    - Select Default Group (where the APs are)
    - Click VSC Bindings > Add New Bindings
    - Select voice_1 VSC from dropdown
    - Check Egress VLAN and enter 20
  - There should be a total of 3 VSC bindings

• Create access list to prevent guest users from accessing the corporate network
  - Configure access list: MSC > Public Access > Attributes > Add New Attribute
    - Select "ACCESS-LIST" and enter: colubris,DENY,all,192.168.2.0/24,all
    - Select "USE-ACCESS-LIST" and enter: colubris
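As an added consistency check (example code written for this guide, not Colubris/HP software), the Python below encodes the Slide #4 switch table and the VSC bindings above, verifies that the MAP uplink (port 4) tags every egress VLAN a VSC uses while keeping management on the native VLAN, and predicts the wired/wireless reachability that the user acceptance tests exercise. The port and binding data are transcribed from the slides; the check functions are this example's own.

```python
# Added example for this lab (not Colubris/HP code): encodes the Slide #4
# switch table and the VSC bindings, then checks them for consistency.
from typing import Dict, List, Optional, Set

# Slide #4: switch port -> native (untagged) VLAN, tagged member VLANs, peer
SWITCH_PORTS: Dict[int, dict] = {
    1: {"native": 1,  "tagged": set(),    "to": "Router"},
    2: {"native": 1,  "tagged": set(),    "to": "MSC Internet"},
    3: {"native": 1,  "tagged": set(),    "to": "VMT PC"},
    4: {"native": 1,  "tagged": {10, 20}, "to": "MAP320"},
    5: {"native": 10, "tagged": set(),    "to": "VLAN10"},
    6: {"native": 10, "tagged": set(),    "to": "VLAN10 test"},
    7: {"native": 20, "tagged": set(),    "to": "VLAN20"},
    8: {"native": 20, "tagged": set(),    "to": "VLAN20 test"},
}

# Egress VLAN per VSC; None = guest traffic tunnelled to the MSC over L2GRE
VSC_BINDINGS: Dict[str, Optional[int]] = {"corp_1": 10, "voice_1": 20, "guest_1": None}

MGMT_VLAN = 1  # MAP management traffic rides untagged on VLAN 1 (Slide #3)


def check_ap_uplink(port: int, ports=SWITCH_PORTS, bindings=VSC_BINDINGS) -> List[str]:
    """Return a list of problems with the switch port that faces the access point."""
    cfg = ports[port]
    used: Set[int] = {v for v in bindings.values() if v is not None}
    problems = []
    if cfg["native"] != MGMT_VLAN:
        problems.append(f"port {port}: native VLAN {cfg['native']} is not the management VLAN {MGMT_VLAN}")
    for ssid, vlan in bindings.items():
        if vlan is not None and vlan not in cfg["tagged"]:
            problems.append(f"port {port}: egress VLAN {vlan} for {ssid} is not tagged on the trunk")
    for vlan in sorted(cfg["tagged"] - used):
        problems.append(f"port {port}: VLAN {vlan} is trunked but no VSC egresses to it")
    return problems


def client_can_reach_port(ssid: str, port: int) -> bool:
    """A bridged SSID client and an untagged wired host share a VLAN only if
    the VSC egress VLAN equals the port's native VLAN (tunnelled SSIDs: never)."""
    vlan = VSC_BINDINGS[ssid]
    return vlan is not None and vlan == SWITCH_PORTS[port]["native"]


if __name__ == "__main__":
    print(check_ap_uplink(4) or "port 4 trunk matches the VSC bindings")
    print("corp_1 -> port 5:", client_can_reach_port("corp_1", 5))  # True
    print("corp_1 -> port 7:", client_can_reach_port("corp_1", 7))  # False
```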
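The ACCESS-LIST value is a comma-separated rule; as an added example (written for this guide, not Colubris/HP code), the Python below parses entries in that shape and evaluates them first-match against destination addresses from the lab. Reading the five fields as name, action, protocol, destination network and port, treating "all" as a wildcard, and returning None when nothing matches are this example's assumptions; the slides do not say how the MSC treats traffic no rule matches. The probes show that the single DENY entry covers 192.168.2.0/24 and nothing else, so the VLAN 10/20 address range used elsewhere in the lab (192.168.10.x) falls through to whatever default the MSC applies.

```python
# Added example (not Colubris/HP code): parse and evaluate ACCESS-LIST entries
# in the shape the slide uses: name,action,protocol,address,port
import ipaddress
from typing import List, Optional


def parse_access_list(entries: List[str]) -> List[dict]:
    """Split each entry into fields; 'all' becomes a wildcard (None).
    The field meaning (name, action, protocol, destination, port) is assumed."""
    rules = []
    for entry in entries:
        fields = [f.strip() for f in entry.split(",")]
        if len(fields) != 5:
            raise ValueError(f"expected 5 fields, got {len(fields)}: {entry!r}")
        name, action, proto, addr, port = fields
        if action.upper() not in ("ACCEPT", "DENY"):
            raise ValueError(f"unknown action {action!r} in {entry!r}")
        rules.append({
            "name": name,
            "action": action.upper(),
            "proto": None if proto.lower() == "all" else proto.lower(),
            "net": None if addr.lower() == "all" else ipaddress.ip_network(addr, strict=False),
            "port": None if port.lower() == "all" else int(port),
        })
    return rules


def evaluate(rules: List[dict], list_name: str, dst_ip: str,
             proto: str = "tcp", port: int = 80) -> Optional[str]:
    """First matching rule of the named list decides; None = no rule matched."""
    ip = ipaddress.ip_address(dst_ip)
    for r in rules:
        if r["name"] != list_name:
            continue
        if r["proto"] is not None and r["proto"] != proto.lower():
            continue
        if r["net"] is not None and ip not in r["net"]:
            continue
        if r["port"] is not None and r["port"] != port:
            continue
        return r["action"]
    return None


# The one rule from this slide, applied through USE-ACCESS-LIST = colubris
LAB_RULES = parse_access_list(["colubris,DENY,all,192.168.2.0/24,all"])

# Constructed probes: the LAN DHCP server, a VLAN 10/20 test host from the
# acceptance tests, and a public address from the documentation range 203.0.113.0/24
LAB_PROBES = {dst: evaluate(LAB_RULES, "colubris", dst)
              for dst in ("192.168.2.254", "192.168.10.200", "203.0.113.10")}
```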

Page 10

Configuration Procedure

• Enable zero-configuration features for guest access
  - Support any static IP: MSC > Public Access > Access Control > Zero Configuration > Support users that have a static IP Address
  - Support HTTP proxy: MSC > Public Access > Access Control > Zero Configuration > Support applications that use: HTTP proxy
  - Change MSC's HTTP port: because most ISPs' HTTP proxies use port 8080, which conflicts with the MSC's default unsecured authentication port, this port needs to be changed if you wish to support clients that use an HTTP proxy server
    - MSC > Public Access > Web Server > Ports > HTTP > Change the default port 8080 to 58080 (something not commonly used by ISPs)

Page 11

Configuration Procedure

• Create guest account(s)
  - Create subscription plan for 24-hour use: MSC > Service Controller > Users > Subscription plans > Add new plan
    - Enter plan name: 24-hour voucher
    - Check Online time and select 24 hours
    - Check Validity period and check For 24 hours after first login
  - Create local guest account: MSC > Service Controller > Users > User Accounts > Add New Account
    - Enter username: demo, password: procurve
    - Under Validity, select Subscription plan and select the subscription plan created above
    - Check VSC usage, select the guest SSID and click on the left arrow

Page 12

Configuration Procedure

• Connect the MAP to the network
  - MAP boot sequence:
    - Power cycle (power LED blinks slowly)
    - DHCP requests (power LED blinks slightly faster)
    - MSC discovery (3 LEDs light up in running sequence 1-2-3)
      • This uses UDP broadcasts by default
    - MAP establishes secure management tunnel to MSC (power LED stays on, the other two LEDs blink alternately 1-2-1-2)
      • Firmware downloads and configuration downloads happen at this stage
    - MAP is fully connected, configuration downloaded, and ready to offer wireless services (power LED stays on, the other two LEDs are off unless there is traffic on the LAN or wireless)
  - The WLAN service is up and running

Page 13

User Acceptance Tests

• Test case #1 – Corporate data access
  - Configure laptop wireless interface with a static IP: 192.168.10.100, 255.255.255.0
  - Disable laptop firewall
  - Connect another computer to port 5 using CAT5. Configure this computer with a static IP: 192.168.10.200, 255.255.255.0
  - Disable computer firewall
  - Laptop associated with "corp_1" SSID
  - Laptop can ping 192.168.10.200
  - Therefore, laptop is now on VLAN10
  - Now connect computer (192.168.10.200) to port 7 (VLAN20)
  - Laptop is still associated with corp_1 SSID. But now laptop cannot ping 192.168.10.200 because they are on different VLANs

• Test case #2 – Guest access
  - Users associated with "guest" SSID get an IP address in the 192.168.1.0 subnet
  - Users get the login page when they try to access the Internet
  - Users cannot ping each other
  - Users cannot access LAN devices
  - Users can only access the Internet after logging in with a valid credential

Page 14

User Acceptance Tests

• Test case #3 – voice
  - Configure laptop wireless interface with a static IP: 192.168.10.100, 255.255.255.0
  - Disable laptop firewall
  - Connect another computer to port 7 using CAT5. Configure this computer with a static IP: 192.168.10.200, 255.255.255.0
  - Disable computer firewall
  - Laptop associated with "voice_1" SSID
  - Laptop can ping 192.168.10.200
  - Therefore, laptop is now on VLAN20
  - Now connect computer (192.168.10.200) to port 5 (VLAN10)
  - Laptop is still associated with corp_1 SSID. But now laptop cannot ping 192.168.10.200 because they are on different VLANs

Page 15

User Acceptance Tests

• Test case #3 – End-user zero configuration
  - Configure wireless interface with a static IP setting: IP: 2.2.2.2, Mask: 255.255.255.0, GW: 3.3.3.3, DNS: 4.4.4.4
  - Associate with "guest" SSID
  - Open browser
  - Login
  - Surf Internet

Page 16

User Acceptance Tests

• Test case #4 – No single point of failure
  - Configure laptop wireless interface with a static IP: 192.168.10.100, 255.255.255.0
  - Disable laptop firewall
  - Connect another computer to port 7 using CAT5. Configure this computer with a static IP: 192.168.10.200, 255.255.255.0
  - Disable computer firewall
  - Laptop associated with "voice_1" SSID
  - Laptop can ping 192.168.10.200
  - From laptop run command: ping 192.168.10.200 -t (continuous ping)
  - Therefore, laptop is now on VLAN20
  - Power off MSC
  - Laptop is still able to continuously ping 192.168.10.200
  - Therefore it shows the MSC is not a single point of failure, because the MSC is not in the data path: the AP forwards traffic directly to the destination