WESM zl Management and Configuration Guide WT.01.28 and greater
1-37
Introduction
ProCurve Wireless Edge Services zl Module
Take these steps to ensure that a firewall screens traffic between a WLAN and your private, wired network:
1. Map the WLAN to a VLAN ID that exists only on the Wireless Edge Services zl Module (or possibly on this module and other modules that support the same WLAN).
2. Enable routing on the Wireless Edge Services zl Module.
   The module should route all wireless traffic destined to the private network. You can add static routes to the module’s route table, but the simplest configuration uses a single route through a default gateway. Choose a default gateway that knows how to reach all destinations to which wireless stations need access.
3. Assign the Wireless Edge Services zl Module an IP address on the VLAN created for the WLAN.
4. On this VLAN, configure the module’s internal DHCP server to assign IP addresses to wireless stations. In the DHCP configuration, specify the module as the default router.
5. Configure NAT to translate the source addresses for wireless traffic to one of the module’s IP addresses.

You have created a unique VLAN for wireless stations, which is unknown to devices within the wired network. NAT allows the Wireless Edge Services zl Module to masquerade as the source of all wireless traffic, so devices in the wired network direct all return traffic for the wireless network to the module.
For more information about NAT, see “NAT” on page 1-41 and Chapter 8:
“Configuring Network Address Translation (NAT).”
Figure 1-14 illustrates this network design.
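The five steps above can be checked against a planned design before it is deployed. The following Python audit is an added example, not part of this guide or of the module's software; the dictionary keys, VLAN IDs and addresses are constructed and hypothetical, and they are not WESM configuration syntax.

```python
import ipaddress

# Constructed sample design. Key names are hypothetical, not WESM configuration syntax.
DESIGN = {
    "wlan_vlan": 50,
    "wired_vlans": [1, 10, 20],  # VLANs known to the wired switches
    "routing_enabled": True,
    "module_ips": {50: "192.168.50.1/24", 10: "10.1.10.5/24"},  # VLAN -> module address
    "default_gateway": "10.1.10.1",
    "dhcp": {"vlan": 50, "pool": "192.168.50.0/24", "default_router": "192.168.50.1"},
    "nat": {"source": "192.168.50.0/24", "translate_to": "10.1.10.5"},
}

def audit(d):
    """Return findings keyed to the five steps; an empty list means the design holds."""
    out = []
    vlan = d["wlan_vlan"]
    ips = {v: ipaddress.ip_interface(a) for v, a in d["module_ips"].items()}
    wired_side = [i for v, i in ips.items() if v != vlan]
    if vlan in d["wired_vlans"]:
        out.append("step 1: WLAN VLAN also exists on the wired network")
    if not d["routing_enabled"]:
        out.append("step 2: routing is not enabled on the module")
    gw = ipaddress.ip_address(d["default_gateway"])
    if not any(gw in i.network for i in wired_side):
        out.append("step 2: default gateway is not on a wired-side module subnet")
    wlan_if = ips.get(vlan)
    if wlan_if is None:
        return out + ["step 3: module has no IP address on the WLAN VLAN"]
    dhcp, nat = d["dhcp"], d["nat"]
    pool = ipaddress.ip_network(dhcp["pool"])
    if dhcp["vlan"] != vlan or not pool.subnet_of(wlan_if.network):
        out.append("step 4: DHCP pool is not inside the WLAN VLAN subnet")
    if ipaddress.ip_address(dhcp["default_router"]) != wlan_if.ip:
        out.append("step 4: DHCP default router is not the module")
    if not pool.subnet_of(ipaddress.ip_network(nat["source"])):
        out.append("step 5: NAT source range does not cover the DHCP pool")
    # Return traffic must reach the module, so the translated address has to be a
    # module address on a VLAN the wired network knows (assumption drawn from the text).
    if ipaddress.ip_address(nat["translate_to"]) not in [i.ip for i in wired_side]:
        out.append("step 5: NAT does not translate to a wired-side module address")
    return out

if __name__ == "__main__":
    print(audit(DESIGN) or "design matches all five steps")
```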