Tuesday, 16 December 2014

WiFi: Setting up HP Switches and WAPs

Our wireless solution was purchased over 2 years (Summer 11 & Summer 12) from Computer Systems in Education (CSE).

CSE Education Systems Ltd
Goodman's Yard
New Yatt Road
North Leigh
OX29 6TN
Tel: 01993 886688
Fax: 01993 886666

CSE have cabled all the AP points, and configured the controller and the first batch of switches that were installed during August 2011.


PoE Switches

HP Procurve 2520G-8-POE

HP E-MSM430 Dual Radio 802.11n Access Points

WIFI Controller

MSM765 Integrated Controller (Module within core switch)
Username: admin
Password: s********3m

WIFI Controller options

There are 3 VSDs configured:


Purpose: For users who do not exist in Active Directory

HP Visitor Management software must be used to create temporary accounts to permit guest access.

Users can connect to this VSD without providing an initial key/password, but on first use are redirected to a login page which authenticates against the local user database on the controller.


Purpose: For users who exist in Active Directory but who are using unknown devices.

Users can connect to this VSD without providing an initial key/password, but on first use are redirected to a login page which authenticates against Active Directory.


Purpose: For known users on known devices (e.g. students using College laptops)

Connection to this VSD requires the valid WPA2 key to be entered. 

This key must never be given to anybody outside of IT Services. 

It is used on College-owned equipment which is a member of Active Directory and has up-to-date antivirus protection.

Guest access
Controller → Users → Account Profiles
There are 3, but we don’t use Default AC
Known users are found in AD, Unknown users are local on the controller

Each profile uses the Access List ‘sccunknowndevice’ (Access Control List)
At present both profiles are the same

Account profiles are associated with User accounts

NB. For ACLs go to Public Access → Attributes

Active Directory Users

Controller → Authentication → Active Directory

Switch Configuration

The PoE switches must be configured before use.


Manager password

Set this to the standard switch password.

Do not set up a username or an operator password

Spanning tree
Enable this

This is the default and already exists

IP Address

Use the spreadsheet called IP Address – Switches from within the Network System folder.

If the switch already exists in the spreadsheet, ensure the correct IP address is used.  If not, add the details to the spreadsheet (location in spreadsheet is based on cabinet location).


Use the appropriate subnet for the location of the switch
Default Gateway

Use the appropriate Gateway for the location of the switch

Configure this to be on

This needs creating and configuring


Untagged ports

1 to 8
Tagged ports

10 (used for uplink to existing network switch)

Configure this to be on

Don’t forget to save your settings (WR MEM) before you exit, otherwise they will be lost the next time the switch loses power.

Other switch configuration

Every switch port in the ‘journey’ between the Core Switch and the Edge PoE switch you have just configured must be aware of the Wireless VLAN (30) and configured to use it.

Each switch port concerned must be Tagged on VLAN 30.  (NB: Tagged NOT Untagged).

So, if the PoE switch (port 10) is connected to Switch X (port 46) and Switch X (port 48) is connected to the Core Switch (port A12) then every one of these switches must have VLAN 30 (Wireless) configured and the relevant port tagged.

This needs creating and configuring if it does not already exist


Untagged ports

Tagged ports

Whichever ports are used in the ‘journey’ between the Core Switch and the edge PoE switch


Configure this to be on
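
A way to check the ‘journey’ described above, as an added example that is not part of the original notes: the script reads the vlan blocks from each switch's saved show run output and reports any port on the path that is not tagged on VLAN 30. The config text is constructed sample data in ProCurve running-config layout, and the function names are this example's own.

```python
import re

def expand_ports(spec):
    """Expand a port list such as '1-8,10' or 'A11-A12' into a set of names."""
    ports = set()
    for part in spec.replace(" ", "").split(","):
        m = re.fullmatch(r"([A-Za-z]*)(\d+)-([A-Za-z]*)(\d+)", part)
        if m and m[1].upper() == m[3].upper():
            ports.update(f"{m[1].upper()}{n}" for n in range(int(m[2]), int(m[4]) + 1))
        elif part:
            ports.add(part.upper())
    return ports

def vlan_membership(config, vlan_id):
    """Return tagged/untagged port sets for one VLAN, or None if it is absent."""
    member, in_block = None, False
    for line in config.splitlines():
        words = line.lower().split() or [""]
        if words[0] == "vlan" and len(words) == 2:
            in_block = words[1] == str(vlan_id)
            if in_block and member is None:
                member = {"tagged": set(), "untagged": set()}
        elif words[0] == "exit":
            in_block = False
        elif in_block and words[0] in ("tagged", "untagged"):
            member[words[0]] |= expand_ports("".join(words[1:]))
    return member

def audit_path(path, vlan_id=30):
    """path: (switch name, show-run text, ports that must be tagged) per hop."""
    problems = []
    for name, config, required in path:
        member = vlan_membership(config, vlan_id)
        if member is None:
            problems.append(f"{name}: VLAN {vlan_id} is not defined")
            continue
        for port in sorted(required):
            if port in member["untagged"]:
                problems.append(f"{name}: port {port} is untagged on VLAN {vlan_id}")
            elif port not in member["tagged"]:
                problems.append(f"{name}: port {port} is not in VLAN {vlan_id}")
    return problems

# Constructed configs for the hops in the text: PoE 10 -> Switch X 46/48 -> Core A12
POE = 'vlan 30\n name "wireless"\n untagged 1-8\n tagged 10\n ip igmp\n exit\n'
SWITCH_X = 'vlan 1\n untagged 1-48\n exit\nvlan 30\n name "wireless"\n tagged 48\n exit\n'
CORE = 'vlan 30\n name "wireless"\n untagged A12\n exit\n'
PATH = [("PoE", POE, {"10"}), ("Switch X", SWITCH_X, {"46", "48"}), ("Core", CORE, {"A12"})]
print("\n".join(audit_path(PATH)) or "VLAN 30 is tagged on every hop")
```

In the sample data, Switch X is missing port 46 from VLAN 30 and the core switch has A12 untagged, so both are reported.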

Appendix: Other RDE Notes
WPA2 Key: ITServices11

Smoothwall Port 805

manager = #

vlan 30
show vlan 30
show lldp i r

On core switch, vlan 30, links to edge switches need to be tagged
Directly connected APs must be untagged

On edge switch
show run – displays the config
vlan 30 (This adds the vlan)
name wireless
ip igmp – adds multicast filtering
tagged 47,48
wr mem

show lldp i r 48 (where 48 is a port number)
This will give IP address of new switch (for telnet)

New 8 port switch
hostname MF1A-Model
vlan 1
ip address

(you will lose connection to switch)


vlan 1
ip igmp

vlan 30
name wireless
ip igmp

show lldp i r (see uplink port)
tagged 10
untagged 1-9

show interfaces

Back to config

password manager (enter)

RDE, 8th November 2012.

Knowledge base:
  • Edge switch: Here, edge switch or other switch means all the link switches between the Core switch and PoE switch.

  • Tagged port: You have an HP switch. When you see a port that is tagged, it is a trunk port (meaning there are multiple VLANs on that port). Each VLAN gets an ID (tag). When you have multiple VLANs on a port, you have tagging enabled to separate the traffic so it stays on its own VLAN; ports that only belong to one VLAN do not need tagging, as all traffic will be on the same VLAN. So, to simply answer your question, a tagged port is a trunk port. This is different from 802.1q tunnelling but is 802.1q VLAN trunking.

Whether a port is tagged or not is dependent mainly on how many VLANs are on a particular port. The standard for this is based on 802.1Q. The standard states that on any given port you can have one untagged VLAN. This means that you can have one VLAN per port and there is no need to tag the port. Tagging means that the port will send out a packet with a header that has a tag number that matches the VLAN tag number. If there is only one VLAN there is no need to distinguish what VLAN the traffic is for as there is only one. When there is more than one VLAN per port the port must differentiate what VLAN each packet is destined to. So for example if we have 3 VLANs on port 1 (VL1, VL2, VL3) and I am sending out a packet on each one, I have to have a way to tell the other side which packet is for which VLAN. So if the .1Q tag for VL1 is 1 and for VL2 is 2 and VL3 is 3 then the port will insert a header with the right tag number on each packet. The other side needs to be set up the same way and will see that if a packet of 1 comes in it will forward it on VL1. So when a port is tagged it inserts and receives packets with the 802.1Q tag for every packet that has a VLAN on it. The standard does allow for one untagged VLAN per port as mentioned above, which means that you could have VL1 with no tag and VL2 and VL3 with tags because technically all three VLANs are unique. Any packet that has no tag will go to VL1. This is what Cisco does with their native VLAN.

  • DHCP Tool: Use the DHCP server tool to find the switch's DHCP IP address

  1. PoE switch
    1. Find out the IP address with the help of DHCP
    2. Find the other switch it is connected to via the link port
  2. Requirements for the other main switch
    1. Find the port number on the switch that is connected to the PoE switch
    2. Find out how many ports the switch has (24 port or 48 port)
    3. Make a note of the link port: which ports are connected by fibre link
    4. Find the IP address of this switch from the “IP Addresses - Switches.xls” file
    5. Open a browser and type the IP address
      i. Go to the “Configuration” tab
        • Look at the link ports and check if they match
      ii. When you are certain about the other main switch's IP address then
        • Open command prompt
        • Type: telnet ip_address and press enter
        • Type password
        • It will open up a telnet connection to the switch in configuration mode: #
      iii. Type: show lldp i r 2 (2 is the port the PoE switch is connected to). Output will be the
        • ip_address of the PoE switch,
        • port_id of the PoE switch
  3. Repeat step 2 to find the ip_address and port for all other switches involved
  4. Now it is time to configure all the related switches and ports
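
The tagged and untagged behaviour explained under "Tagged port" above, as an added example that is not part of the original notes: it inserts the 4-byte 802.1Q tag into an Ethernet frame and shows how a receiving port assigns a frame to a VLAN. The frame bytes are constructed, the function names are this example's own, and the port membership (VLAN 30 tagged, VLAN 1 untagged) is an assumption for illustration.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag

def add_tag(frame, vid, pcp=0):
    """Insert the 4-byte 802.1Q tag after the two MAC addresses (12 bytes)."""
    if not 1 <= vid <= 4094 or not 0 <= pcp <= 7:
        raise ValueError("VLAN ID must be 1-4094 and priority 0-7")
    tci = (pcp << 13) | vid  # priority (3 bits), DEI (1 bit, 0), VLAN ID (12 bits)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]

def receive(frame, tagged_vlans, untagged_vlan=None):
    """Return (vlan, frame without tag) as the receiving port sees it, or None if dropped."""
    if len(frame) < 14:
        return None  # too short to hold an Ethernet header
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        # No tag: the frame belongs to the port's single untagged VLAN, if it has one.
        return (untagged_vlan, frame) if untagged_vlan is not None else None
    if len(frame) < 18:
        return None  # truncated tag
    vid = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
    if vid not in tagged_vlans:
        return None  # port is not a tagged member of this VLAN
    return vid, frame[:12] + frame[16:]

# Constructed frame: broadcast destination, made-up source MAC, IPv4 EtherType, dummy payload.
FRAME = bytes.fromhex("ffffffffffff" "020000000001" "0800") + b"payload"

def demo():
    """Assumed uplink port membership: VLAN 30 tagged, VLAN 1 untagged."""
    return [
        receive(add_tag(FRAME, 30), {30}, untagged_vlan=1),  # tag 30 -> VLAN 30
        receive(FRAME, {30}, untagged_vlan=1),               # no tag -> VLAN 1
        receive(add_tag(FRAME, 99), {30}, untagged_vlan=1),  # VLAN 99 not on port -> dropped
    ]

print(demo())
```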
