WESM zl Management and Configuration Guide WT.01.XX and greater

1-39
Introduction
ProCurve Wireless Edge Services zl Module
Take these steps to ensure that a firewall screens traffic between a WLAN
and your private, wired network:
1. Map the WLAN to a VLAN ID that exists only on the Wireless Edge Services
zl Module (or possibly on this module and other modules that support the
same WLAN).
2. Enable routing on the Wireless Edge Services zl Module.
The module should route all wireless traffic destined to the private
network. You can add static routes to the module’s route table, but the
simplest configuration uses a single route through a default gateway.
Choose a default gateway that knows how to reach all destinations to
which wireless stations need access.
3. Assign the Wireless Edge Services zl Module an IP address on the VLAN
created for the WLAN.
4. On this VLAN, configure the module’s internal DHCP server to assign IP
addresses to wireless stations. In the DHCP configuration, specify the
module as the default router.
5. Configure NAT to translate the source addresses for wireless traffic to one
of the module’s IP addresses.
You have created a unique VLAN for wireless stations, which is unknown
to devices within the wired network. NAT allows the Wireless Edge
Services zl Module to masquerade as the source of all wireless traffic, so
devices in the wired network direct all return traffic for the wireless
network to the module.
For more information about NAT, see “NAT” on page 1-43 and Chapter 8:
“Configuring Network Address Translation (NAT).”
Figure 1-14 illustrates this network design.
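The five steps above can be checked against a planned design before it is configured. The following is an added example, not code from the guide or from the module's software: the dictionary layout, VLAN IDs and addresses are constructed, and it assumes the default gateway and the NAT address sit on a wired-side VLAN of the module.

```python
import ipaddress

# Constructed sample design; every key name, VLAN ID and address is an assumption.
DESIGN = {
    "wlan_vlan": 200,
    "wired_vlans": {1, 10, 20},  # VLANs that exist on wired-network devices
    "routing_enabled": True,
    "module_interfaces": {200: "10.200.0.1/24", 10: "192.168.10.5/24"},
    "default_gateway": "192.168.10.1",
    "dhcp_pool": {"vlan": 200, "default_router": "10.200.0.1"},
    "nat": {"inside_vlan": 200, "translated_source": "192.168.10.5"},
}

def check_design(d):
    """Return a list of findings; an empty list means all five steps hold."""
    findings = []
    vlan = d["wlan_vlan"]
    ifaces = {v: ipaddress.ip_interface(a) for v, a in d["module_interfaces"].items()}
    wired = [i for v, i in ifaces.items() if v != vlan]  # module's wired-side interfaces
    # Step 1: the WLAN's VLAN must be unknown to the wired network.
    if vlan in d["wired_vlans"]:
        findings.append("step 1: WLAN VLAN also exists in the wired network")
    # Step 2: routing enabled, default gateway on-link on a wired-side interface.
    if not d["routing_enabled"]:
        findings.append("step 2: routing is disabled")
    gw = ipaddress.ip_address(d["default_gateway"])
    if not any(gw in i.network for i in wired):
        findings.append("step 2: default gateway is not on a wired-side subnet")
    # Step 3: the module needs an IP address on the WLAN's VLAN.
    wlan_if = ifaces.get(vlan)
    if wlan_if is None:
        findings.append("step 3: module has no IP address on the WLAN VLAN")
    # Step 4: DHCP on that VLAN must name the module as default router.
    pool = d["dhcp_pool"]
    router_ok = wlan_if is not None and ipaddress.ip_address(pool["default_router"]) == wlan_if.ip
    if pool["vlan"] != vlan or not router_ok:
        findings.append("step 4: DHCP default router is not the module's WLAN address")
    # Step 5: NAT must rewrite sources to a module address that wired devices can reach.
    nat_ip = ipaddress.ip_address(d["nat"]["translated_source"])
    if d["nat"]["inside_vlan"] != vlan or nat_ip not in {i.ip for i in wired}:
        findings.append("step 5: NAT source is not a wired-side module address")
    return findings
```

A finding on step 1 or step 5 means wired devices could learn the wireless subnet or send return traffic somewhere other than the module, which defeats the screening this design is meant to provide.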