Access Controller xl Module Supplement to the HP ProCurve 6400cl/5300xl/3400cl Management and Configuration Guide. This supplement describes the configuration, operation, and monitoring of the ProCurve Access Controller xl Module (J8162A) on the HP ProCurve Series 5300xl switches.
© Copyright 2005 Hewlett-Packard Company, LP. The information contained herein is subject to change without notice.
Contents

Applicable Switch Models (page 1)
Applicable Secure Access 700wl Models (page 1)
Introduction (page 1)
  General Operation (page 1)
  Related Publications
Resetting the Module to Factory Defaults (page 30)
Operating Notes (page 31)
BIOS POST Event Log Messages
Applicable Switch Models

The Access Controller xl Module (J8162A) described in this supplement operates on the HP ProCurve Series 5300xl switches. The 5300xl switch software must be updated to version E.09.21 or later.

Applicable Secure Access 700wl Models

The Access Control Server 740wl or the Integrated Access Manager 760wl must use software version 4.1.3.93 or later.
Introduction

Related Publications

This supplement introduces Access Controller xl Module operation, configuration, and monitoring. The following two manuals provide further information:
■ For information on installing the ACM, refer to the HP ProCurve xl Modules Installation Guide provided with the module.
Access Controller xl Module Overview

Term: Use in this Manual
Integrated Access Manager 760wl: Combines the functionality of the ProCurve Access Controller 720wl and the ProCurve Access Control Server 740wl in a single device.
Uplink Port: The internal port that carries ACM traffic to and from the network. Must be an untagged member of a non-client VLAN. This port is identified by the slot ID where the module is installed, combined with 'UP' (for example, AUP for a module in slot A).
Module Operation

Figure 1 below presents the module's key components. Each component is then discussed.

Figure 1. The Access Controller xl Module Conceptual View

The Access Controller xl Module has no external ports, as shown in Figure 1. The module uses ports on the 5300xl switch through two internal ports, the uplink port and the downlink port. Clients, typically connecting through an access point, connect to 5300xl ports defined as downlink client ports.
Note: Uplink and downlink port names depend on the switch slot where the module is installed. When the module is in switch slot A, 'N' is 'A' in Figure 1. The uplink port for the module is AUP; the downlink port is ADP.

The following steps are required to add an ACM to your network:
1. Install an Access Control Server 740wl or Integrated Access Manager 760wl in the network, or identify an existing 740wl or 760wl to be used with the ACM.
2.
Using 5300xl Features with the Access Controller xl Module

As the ACM uses special ports and VLANs to provide access security to wireless devices, not all of the features of the 5300xl switch are applicable. For example, features that provide an alternative means of authentication are not supported on ACM downlink client ports. Some 5300xl configurations are not allowed by the Command Line Interface (CLI).
Table 1. 5300xl Switch Features Not Supported on an ACM (continued)

Feature: Explanation (each restriction applies to the uplink port, client VLANs, downlink client ports, or downlink port as marked in the original table)
Configuring IP Addresses: Not allowed.
DHCP/DHCP Relay: Not allowed.
IP Helper Address: Not allowed.
Flow Control: Not supported across an ACM.
GVRP: Not allowed. (1) GVRP cannot be enabled on an uplink, downlink, or downlink client port. (2)
MAC Auth: Not allowed.
Meshing: Mesh ports cannot be a member of a client VLAN.
MSTP (802.1s): Not allowed. An MSTP region may not span across an ACM.
OSPF: Not allowed.
PIM: Not allowed.
RIP: Not allowed.
Static VLANs: See Table 2 below.
Routing Infrastructure Support

The ACM uses IP to communicate with Access Control Server 740wls, Integrated Access Managers 760wls and Access Controller 720wls. The default gateway must be set up correctly if there is a router in the communications path. Figure 2 shows an ACM communicating with its 740wl/760wl through a router.

Figure 2.
The ACM does not support any routing infrastructure attached to a downlink client port. Figure 3 below shows how an ACM can be used to communicate with a lower-level, non-routed network structure through a downlink client port.

Figure 3.
Using 5300xl Switch Network Address Translation with the ACM

The Secure Access 700wl series products and the ACM provide network address translation for client traffic. The 5300xl switch's network address translation feature is not recommended for use with the ACM.

The Role of VLANs

VLANs are used by the Access Controller xl Module to manage client traffic through the switch.
When a port is added to a client VLAN the following changes are made to the port:
■ Information used for ARP and MAC address processing is flushed.
■ If GVRP is enabled, it is disabled and a message is displayed.
■ If LACP passive is configured, it is disabled and a message is displayed.

Downlink client ports must be members of some other VLAN before they can be removed from a client VLAN.
Static VLAN Features Supported on Client VLANs

Client VLANs are special and do not support all of the features of a regular 5300xl static VLAN. Table 2 below outlines the feature limitations of client VLANs.

Table 2. 5300xl Static VLAN Features on Client VLANs

5300xl Static VLAN Feature: Client VLAN Support
ACLs: Do not work. A warning is issued.
IGMP: Not allowed.
IP Address: Not allowed.
IP Helper Address: Not allowed.
IRDP: Not allowed.
General Operating Rules

■ Uplink and downlink ports cannot be members of the same VLAN.
■ 5300xl switch features used to manage ports that are connected to bridges do not apply, as the ACM is not a bridge.
■ A client VLAN containing the downlink port, DP, is automatically created when the ACM is installed in a 5300xl switch. The VID for this VLAN is the vlan-base (default: 2000).
Configuring the ACM on the Network

HPswitch(config)# access-controller <slot-id>

where <slot-id> is the slot in the 5300xl where the ACM is installed.

HPswitch(access-controller-<slot-id>)# ip address <ip-address>/<1-32> | <ip-address> <subnet-mask>

where <ip-address>/<1-32> is the selected address in CIDR notation (the number after the slash is the mask bit count), for example 10.1.2.3/24, and <ip-address> <subnet-mask> provides the selected address and the mask separately.
Configuring the Access Controller xl Module

Once the module has an IP address and is communicating with its Access Control Server or Integrated Access Manager, configure downlink client ports, client VLANs, uplink network ports, and the uplink VLANs on the 5300xl switch.

Configuring Downlink Client Ports

Each downlink client port is automatically assigned to a unique client VLAN.
HP ProCurve Switch 5308xl(config)# access-controller b client-ports a2,a6
HP ProCurve Switch 5308xl(config)# access-controller b
HP ProCurve Switch 5308xl(access-controller-B)# show vlans

Downlink:
  VLAN ID  VLAN Name  Ports
  2000     VLAN2000   A2,BDP
  2001     VLAN2001   A6,BDP
Uplink:
  VLAN ID  VLAN Name     Ports
  1        DEFAULT_VLAN  A1,A3-A5,A7-A24,BUP

HP ProCurve Switch 5308xl(config)# show vlans 2000

Status and Counters - VLAN Information - Ports - VLAN 2000
802.
■ Maximum number of client VLANs have been configured. Operation failed.
The maximum number of client VLANs for this configuration has been reached. An existing client VLAN must be removed before the requested VLAN can be added.

Changing the VLAN-Base

When the ACM is installed in the 5300xl switch, a VLAN is created for the internal downlink port (DP). By default, this client VLAN is VLAN ID 2000, the vlan-base.
Configuring the Uplink VLAN

To change the uplink VLAN, make the internal uplink port an untagged member of a new VLAN. Be sure that the new VLAN allows communication with the 740wl/760wl, or communication is lost.

HPswitch(config)# vlan 25 untagged <slot-id>up

where <slot-id> is the 5300xl switch slot where the ACM module is installed. This command configures a new uplink VLAN, VID 25, for the ACM module installed in slot n.
ACM Configuration Commands Summary and Syntax

Configuration context:
  access-controller <slot-id>
  [no] access-controller <slot-id> client-ports [e] <port-list>
  [no] access-controller <slot-id> client-ports vlan <vlan-list>
  access-controller <slot-id> reload
  access-controller <slot-id> shutdown
  access-controller <slot-id> vlan-base <2-4094>
Access controller context:
  access-control-server ip <ip-address> secret <shared-secret>
Syntax: [no] access-controller <slot-id> client-ports [ethernet] <port-list>
Assigns switch ports (port-list) to separate client VLANs for the access controller in slot-id (a - h). The ports are removed from all other VLANs. GVRP and LACP port provisioning are disabled. Each client VLAN has the following port membership: the switch port, as an untagged member, and the ACM's downlink port (DP), as a tagged member.
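The General Operating Rules and the client-ports membership rules above are easy to break when VLANs are edited by hand (for example when moving the uplink to a new VLAN). The following Python script, added here as an example and not part of HP's software, checks a planned VLAN membership table against those rules: uplink and downlink ports never share a VLAN, the uplink port is an untagged member of exactly one non-client VLAN, client VLANs start at vlan-base, downlink client ports are untagged and belong to no other VLAN, and at most one client VLAN carries DP untagged (the bridged-protocol case from the Operating Notes). The membership tables are constructed to mirror the show vlans output above; port names follow the <slot-id>UP / <slot-id>DP convention.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Vlan:
    """One static VLAN on the 5300xl: VID, name and port membership."""
    vid: int
    name: str
    untagged: frozenset = frozenset()
    tagged: frozenset = frozenset()

    def members(self):
        return self.untagged | self.tagged


def check_acm_vlans(vlans, slot, vlan_base=2000):
    """Return the list of rule violations for the ACM in `slot` (empty means consistent)."""
    slot = slot.upper()
    up, dp = f"{slot}UP", f"{slot}DP"
    problems = []

    # Rule: uplink and downlink ports cannot be members of the same VLAN.
    for v in vlans:
        if up in v.members() and dp in v.members():
            problems.append(f"VLAN {v.vid}: {up} and {dp} cannot be members of the same VLAN")

    # A client VLAN is one that contains the downlink port.
    client_vlans = [v for v in vlans if dp in v.members()]
    other_vlans = [v for v in vlans if dp not in v.members()]

    # Rule: the uplink port is an untagged member of exactly one non-client VLAN.
    uplink_vlans = [v for v in other_vlans if up in v.untagged]
    if len(uplink_vlans) != 1:
        problems.append(f"{up} must be an untagged member of exactly one non-client VLAN "
                        f"(found {len(uplink_vlans)})")

    # Rule: only one client VLAN per ACM may carry DP untagged (bridged protocols).
    bridged = [v.vid for v in client_vlans if dp in v.untagged]
    if len(bridged) > 1:
        problems.append(f"only one client VLAN may carry {dp} untagged for bridged protocols "
                        f"(found {bridged})")

    seen = {}
    for v in client_vlans:
        # Rule: client VLAN VIDs start at vlan-base.
        if v.vid < vlan_base:
            problems.append(f"client VLAN {v.vid} lies below vlan-base {vlan_base}")
        client_ports = v.members() - {dp, up}
        for p in sorted(client_ports):
            # Rule: the switch port is an untagged member of its client VLAN.
            if p in v.tagged:
                problems.append(f"client port {p} must be an untagged member of client VLAN {v.vid}")
            seen.setdefault(p, []).append(v.vid)

    for p, vids in seen.items():
        # HP recommends a downlink client port be in only one client VLAN.
        if len(vids) > 1:
            problems.append(f"downlink client port {p} is in client VLANs {vids}; HP recommends only one")
        # client-ports removes the port from all other VLANs; flag any leftover membership.
        for v in other_vlans:
            if p in v.members():
                problems.append(f"downlink client port {p} must not remain in non-client VLAN {v.vid}")
    return problems


# Constructed table mirroring the 'show vlans' output above: ACM in slot B,
# client ports A2 and A6, uplink BUP untagged in DEFAULT_VLAN.
SAMPLE = [
    Vlan(1, "DEFAULT_VLAN", frozenset({"A1", "A3", "A4", "A5", "A7", "BUP"})),
    Vlan(2000, "VLAN2000", frozenset({"A2"}), frozenset({"BDP"})),
    Vlan(2001, "VLAN2001", frozenset({"A6"}), frozenset({"BDP"})),
]

# Constructed broken table: the new uplink VLAN 25 also carries the downlink
# port, and A2 has been left in two client VLANs.
BROKEN = [
    Vlan(25, "VLAN25", frozenset({"BUP"}), frozenset({"BDP"})),
    Vlan(2000, "VLAN2000", frozenset({"A2"}), frozenset({"BDP"})),
    Vlan(2001, "VLAN2001", frozenset({"A2", "A6"}), frozenset({"BDP"})),
]

if __name__ == "__main__":
    for label, table in (("sample", SAMPLE), ("broken", BROKEN)):
        print(label, check_acm_vlans(table, "b") or "OK")
```

Passing a different vlan_base (as after access-controller <slot-id> vlan-base) makes the same check flag client VLANs that now sit below the new base, which is the case the "maximum number of client VLANs" and vlan-base notes above are concerned with.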
Syntax: [no] access-controller <slot-id> client-ports vlan <vlan-list>
Configures client VLANs with the VIDs given, containing only the downlink port (DP) as a tagged member. The no form can be used to remove client VLANs that were configured using the access-controller <slot-id> client-ports vlan <vlan-list> command and contain only the downlink port.
Syntax: enable extended-commands
Changes the CLI to the access controller extended commands context. A limited set of commands from the 720wl CLI is provided here. See "Using the ACM's Extended CLI" for more information.

Syntax: exit
Leaves the access controller context and returns the CLI to the global configuration context.

Syntax: [no] ip address <ip-address>/<1-32> | <ip-address> <subnet-mask>
Statically configures the IP address and subnet mask for the ACM.
Displaying Access Controller xl Status from the 5300xl CLI

Show commands are available in both the configuration context and the access controller context of the 5300xl CLI. These commands display ACM status and configuration.
Configuration Context Command Syntax

Syntax: show access-controller <slot-id>
Displays the following for the access controller in slot-id (a - h).
Versions: ACM version information for support staff.
Syntax: show access-controller <slot-id> vlan-base
Displays the starting VLAN ID (VID) for client VLANs configured by the access-controller <slot-id> client-ports <port-list> or the access-controller <slot-id> client-ports vlan <vlan-list> commands.
Syntax: show temperature
Displays the current temperature in degrees Celsius of the main processor of the ACM module.

Syntax: show vlans
Displays the VLAN ID, VLAN Name, and Ports for all VLANs associated with the ACM's uplink and downlink ports.

Managing the ACM

Once the module is installed and configured, most management tasks are done on the Access Control Server 740wl or Integrated Access Manager 760wl, using the Administrative Console.
HPswitch(access-controller-<slot-id>-ext)#

The available commands are listed below. Detailed descriptions are found in Appendix A, "Command Line Interface" in the HP ProCurve Secure Access 700wl Series Management and Configuration Guide.
Command
  set dhcp
  set dhcpserver
  set dns
  set domainname
  set forwardipbroadcasts
  set gateway
  set hostname
  set ip <ip-address> [<subnet-mask>] | <ip-address>/<1-32>
  set logopt addcat
  set logopt catlevel
  set logopt cats
  set logopt delcat
  show natdhcp
  show product
  show serial
  show sharedsecret
  show status
  show syslogserver
  show temperature
  show time
  show upgrade
  show upgradeproxy
  show version
  show vlans
  show vpn
  terminal length <2..1000>
  terminal width <61..1920>

Downloading New Software to the Module

New software is loaded through the Access Control Server or Integrated Access Manager using the Administrative Console.
Operating Notes

■ Bridged protocols, such as AppleTalk, are supported through a single downlink client port, whose client VLAN contains the downlink port as an untagged member. This must be configured manually on the switch. Each ACM may have one downlink client port configured to support bridged protocols.
■ HP recommends that a downlink client port be a member of only one client VLAN.
BIOS POST Event Log Messages

Slot <slot-id> Access Control Module Bios POST tests failed, Post bitmap = 0xXXXX

The POST error bitmap values are explained below.

0x0001  IDE failure
0x0002  System memory failure
0x0004  Shadow memory failure
0x0020  Protected memory failure
0x0040  CMOS not ready error
0x0100  Periodic timer failure
0x0800  Device configuration error
0x1000  Memory configuration error
0x2000  Non-volatile RAM failure
0x4000  External or CPU cache failure
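The bitmap can carry several failures at once, and the table above does not assign every bit (0x0008, 0x0010, 0x0080, 0x0200 and 0x0400 are absent), so a decoder should report undocumented bits rather than silently ignore them. The following Python script, added here as an example and not part of HP's software, extracts POST failure messages from event-log text, decodes the bitmap against the table above, and separates documented failures from bits the table does not cover. The log lines are constructed; the exact spacing of the message and the single-letter slot identifier after "Slot" are assumptions, since the supplement shows the message with the slot elided.

```python
import re

# Bit values exactly as listed in the supplement's BIOS POST table.
POST_BITS = {
    0x0001: "IDE failure",
    0x0002: "System memory failure",
    0x0004: "Shadow memory failure",
    0x0020: "Protected memory failure",
    0x0040: "CMOS not ready error",
    0x0100: "Periodic timer failure",
    0x0800: "Device configuration error",
    0x1000: "Memory configuration error",
    0x2000: "Non-volatile RAM failure",
    0x4000: "External or CPU cache failure",
}
DOCUMENTED_MASK = sum(POST_BITS)  # union of all documented bits

# Assumed message shape: slot letter a-h follows 'Slot'; spacing is an assumption.
POST_RE = re.compile(
    r"Slot\s+(?P<slot>[A-Ha-h])\s+Access Control Module Bios POST tests failed,"
    r"\s*Post bitmap\s*=\s*0x(?P<bitmap>[0-9A-Fa-f]{1,4})"
)


def decode_post_bitmap(bitmap):
    """Return (documented failure names in bit order, bitmap of undocumented bits)."""
    failures = [name for bit, name in sorted(POST_BITS.items()) if bitmap & bit]
    undocumented = bitmap & ~DOCUMENTED_MASK
    return failures, undocumented


def parse_post_events(lines):
    """Return one record per POST failure message found in the given log lines."""
    events = []
    for line in lines:
        m = POST_RE.search(line)
        if not m:
            continue
        bitmap = int(m.group("bitmap"), 16)
        failures, undocumented = decode_post_bitmap(bitmap)
        events.append({
            "slot": m.group("slot").upper(),
            "bitmap": bitmap,
            "failures": failures,
            "undocumented_bits": undocumented,
        })
    return events


# Constructed event-log lines (not captured from a switch).
SAMPLE_LOG = [
    "I 01/01/05 00:00:10 ports: port A1 is now on-line",
    "W 01/01/05 00:00:12 Slot B Access Control Module Bios POST tests failed, Post bitmap = 0x2002",
    "W 01/01/05 00:00:13 Slot C Access Control Module Bios POST tests failed, Post bitmap = 0x0018",
]

if __name__ == "__main__":
    for ev in parse_post_events(SAMPLE_LOG):
        print(f"slot {ev['slot']}: bitmap 0x{ev['bitmap']:04X} -> {ev['failures']}"
              f" (undocumented bits 0x{ev['undocumented_bits']:04X})")
```

A non-zero undocumented_bits value is the signal to escalate the raw bitmap to support rather than to act on a partial decode.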