Comware

Hi,

I have recently configured a VLAN (VLAN 2) on a HP 4208vl.
VLAN has interface IP 172.14.10.254/16
A wireless AP is plugged into VLAN 2

I have set up a scope on my DHCP 172.14.10.0-254/16

I have configured IP-Helper on VLAN 2 as DHCP is located on 10.14.10.4/16

when I connect using the wireless AP - I still recieve IP address from default DHCP Scope (I get 10.14.10.X)

What am I missing - Why do I not get an address frome the 172 scope?

Thanks,

which of your access point device

and please send me show run print your switch

ProCurve Switch 4208vl# show run

Running configuration:

; J8773A Configuration Editor; Created on release #L.10.23

hostname "ProCurve Switch 4208vl"
module 1 type J8768A
module 3 type J8768A
module 4 type J8768A
module 5 type J8768A
module 2 type J9033A
ip default-gateway 10.14.40.254
ip routing
ip irdp
snmp-server community "public" Unrestricted
vlan 1
name "DEFAULT_VLAN"
untagged A1-A24,B1-B17,B21-B24,C1-C24,D1-D24,E1-E24
ip address dhcp-bootp
no untagged B18-B20
exit
vlan 2
name "VLAN_Wire"
ip address 172.14.10.254 255.255.0.0
ip helper-address 10.14.10.4
tagged A18,B17-B20
exit
vlan 10
name "management"
ip address 10.0.10.1 255.255.255.0
tagged B17
exit

The AP is a HP Procurve 420

your switch configuration is true
we can check access point

please send me
show system and show ssid index 1-2...
print on 420

info attached

...and thanks for your time Cenk.

your access point configuration vlan stata is disable
please enter this command on access point

420(config)#vlan enable static

and retest

I am now unable to get an IP address from DHCP?

which port connect to switch your access point

and which port connect your dhcp server

Port B17

I just set it to tagged on Default LAN - no difference.

DHCP Server is on A1

we must come back switch config

ip helper command runing with routing
but your have not ip address default vlan
your dhcp server in default vlan

please change switch config

ip routing
ip irdp
snmp-server community "public" Unrestricted
vlan 1
name "DEFAULT_VLAN"
untagged A1-A24,B1-B17,B21-B24,C1-C24,D1-D24,E1-E24
ip address 10.14.10.254 255.255.0.0********
no untagged B18-B20
exit
vlan 2
name "VLAN_Wire"
ip address 172.14.10.254 255.255.0.0
ip helper-address 10.14.10.4
tagged A18,B17-B20
exit
vlan 10
name "management"
ip address 10.0.10.1 255.255.255.0
tagged B17
exit

and dhcp server default gateway address must have vlan 1 ip address(10.14.10.254)

the DEFAULT_VLAN is my LAN - how will this affect PCs on the LAN?

The DHCP current IP is 10.14.10.4

does not affect any of the

give me a few minutes you'll be prepared for a new general configuration

I've assigned default_vlan IP address 10.14.10.254

Default gateway for DHCP Scope 172.14.10.0-254/16 is now 10.14.10.254.

a laptop connecting via wireless network cannot get IP address from DHCP

---------------switch config----------------
ip default-gateway 10.14.40.254
ip routing
snmp-server community "public" Unrestricted
vlan 1
name "DEFAULT_VLAN"
untagged A1-A24,B2-B24,C1-C24,D1-D24,E1-E24
ip address 10.14.10.254 255.255.0.0
no untagged B18-B20
exit
vlan 2
name "guest"
ip address 10.15.10.254 255.255.0.0
ip helper-address 10.14.10.4
untagged B1
tagged A1-A24,B2-B24,C1-C24,D1-D24,E1-E24
exit

----------------dhcp config-----------------
ip address 10.14.10.4 ***connect port A1
subnet mask 255.255.0.0
default gateway 10.14.10.254 !!!!!!

scobe 1 for lan
range 10.14.---255.255.0.0
default gateway 10.14.40.254


scobe 2 for guest
range 10.15.--- 255.255.0.0
default gateway 10.15.10.253

-----------------internet router--------------
already running one lan interface on router
10.14.40.254 this interface connect port A2

you must have create new isolated lan interface on internet (samely DMZ)
router second lan interface ip address must have 10.15.10.253 this interface connect B1

--------------access point--------

your access point config Keep as
only change ip address for example 10.14.10.200/16
and connect on any switch port

your switch don't support access control list
for this reason, such a configuration to make the necessary security and perfromans

you must have create second lan interface for guest wireless users on internet router for their internet connection

with this configuration one dhcp server serve all guest and lan user each other without mixing

please test and say me result

good evening

Thanks Cenk,

i shall give this a go and see if I can get it working.

Good morning,

right, changing the Default Gateway on the DHCP solves the problem of clients getting DHCP IP addresses - however causes authentication problems with OWA - I have ISA in DMZ authenticating OWA access.

is there a way round this?

I can use the 2nd NIC card on the server?

please send me network layout

and current switch config

my current network attached - I still need to set up lan interface 0/3 on the firewall

also need to connect second DHCP NIC to switch probably on port A2

module 2 type J9033A
ip default-gateway 10.14.40.254
ip routing
ip irdp
snmp-server community "public" Unrestricted
vlan 1
name "DEFAULT_VLAN"
untagged A1-A24,B1-B17,B21-B24,C1-C24,D1-D24,E1-E24
ip address 10.14.10.254 255.255.0.0
no untagged B18-B20
exit
vlan 2
name "Guest"
untagged B18
ip address 10.15.10.254 255.255.0.0
ip helper-address 10.14.10.4
tagged A1,A18,B17,B19-B20
exit
vlan 10
name "management"
ip address 10.0.10.1 255.255.255.0
tagged B17
exit

ProCurve Switch 4208vl#

all lan user default gateway address 10.14.40.254
and connecting internet
but user unreachable isa server

is their true ?

Your firewall may make the task of the dhcp server?

Yes ISA server unreachable more or less.
using firewall as the DHCP will solve the issue.

port 0/3 will now go straight to the internet with a seperate external IP mapped to VLAN2.
on VLAN 2 i setup ip-helper to point to port 0/3 configured as DHCP

the other problem I haven't given much thought to is how users using SSID 2 (internal) will access the LAN?

thanks Cenk for all your help.
I'm almost there.

4200 series switch unable access control list between vlan's or ports


when enable ip routing on switch all vlan's between routing so vlan 2 users reachable vlan 1 user

this will be cut with normal access acl
but your switch do not support acl

so we had to make such a configuration

but inside me is not comfortable because this config not very safe

if vlan 2 user change default gateway address manually then may connect vlan 1 user


I'd like to change this konfigrasyonu, but you should fire wall served as a dhcp server

can you create two dhcp scope on fire wall

for port 0/3?

on dhcp scobe (on firewall)port0/3 and one dhcp scobe (on firewall)port0/0

so

scobe 1 for 10.14.0.0 network
scobe 2 for 10.15.0.0 network

is this possible ?

stop using windows 2003 server as DHCP?

it is possible but I would rather not do that.

why ?

yes stop dhcp server for more security and easy config.

Why do not you prefer

I'll get back to you Cenk.

---------------------switch config---------------------
module 2 type J9033A
snmp-server community "public" Unrestricted
vlan 1
name "DEFAULT_VLAN"
untagged A1-A24,B1-B24,C1-C24,D1-D24,E1-E23
no untagged E24
exit
vlan 2
name "Guest"
untagged B18
tagged A1-A24,B1-B24,C1-C24,D1-D24,E1-E23
exit
vlan 10
name "management"
ip address 10.0.10.1 255.255.255.0
untagged E24
exit
management vlan 10

1-ip routing must have disable with no ip routing command)
2-no needed ip default gateway command
3-no needed ip helper-address
4-all port untag vlan 1 and tag vlan 2 for flexible
access point connection
5-interface e24 only switch managemet with 10.0.10.0 network
6-add "management vlan 10" command for better securiy switch logon
telnet or wen only this port
7-no need vlan 1 and vlan 2 ip address
so we make strongly sperate two vlan
8-access point configuration will remain the same
and you can connect any port

--------------------firewall config--------------------
firewall configuration will remain the same
only added two dhcp scobe
for 10.14.0.0 network
for 10.15.0.0 network

scobe 1 default gateway address
for 10.14.0.0 must have 10.14.40.254

scobe 2 default gateway address
for 10.15.0.0 default gateway 10.15.10.253

and deny lan to lan routing between interface 0/0 and 0/3
in this way we use access list on firewall:)

your swich role only L2 on network

most secure and easy config

please test

hi,

Boss is not happy with using firewal for DHCP on LAN - we currently have two DHCP on LAN for failover.

Firewall would be a single point of failure.

your lan already running current dhcp
other guest vlan running on firewall dhcp with same config

in this way we use two dhcp on your system

your local dhcp on windows machine and your guest dhcp on firewall

Hi Cenk,

I've now completed my config: Diagram attached.

I created DHCP on firewall on port 0/3 and it is giving out addresses to SSID 1 correctly.

Users on SSID 2 are using DHCP on the LAN.

It is secure - even if you change IP address and gateway manually while on SSID 1 you are not able to access the LAN.

I still need to complete management vlan.

current switch config:
Startup configuration:

; J8773A Configuration Editor; Created on release #L.10.23

hostname "ProCurve Switch 4208vl"
module 1 type J8768A
module 3 type J8768A
module 4 type J8768A
module 5 type J8768A
module 2 type J9033A
ip default-gateway 10.14.40.254
ip routing
ip irdp
snmp-server community "public" Unrestricted
vlan 1
name "DEFAULT_VLAN"
untagged A1-A24,B1-B17,B21-B24,C1-C24,D1-D24,E1-E24
ip address 10.14.10.254 255.255.0.0
no untagged B18-B20
exit
vlan 2
name "YMGuest"
untagged B18
ip address 10.15.10.254 255.255.0.0
ip helper-address 10.15.10.253
tagged A1,A18,B17,B19-B20
exit

I have completed the configurations I was having problems with.

Thanks to Cenk.

Hopefully someone might find the thread/solution useful.