Management and Configuration Guide (Includes ACM xl) 2005-12

4-44 ProCurve Secure Access 700wl Series Management and Configuration Guide
Configuring Rights
If the IP address is not valid, the Access Controller assigns a private IP address and rewrites the
source address in packets.
Note: With this setting it is possible that a client receives a NAT’ed address initially, but when the
client’s DHCP lease expires it may successfully obtain a valid real IP address, which is then used as
the source IP instead of the NAT’ed address.
• If NAT is never allowed (the Access Policy NAT setting is Never), the Access Controller or Integrated
Access Manager always uses the client’s real IP address (as obtained via DHCP) or its static IP
address. If the address is valid on the port or Access Controller subnet, it is left untouched as the
source address in packets going to the network. If the client’s IP address is not valid, however,
traffic to and from the client is dropped.
Caution: This setting is intended for use only in special cases. It should not be used for normal
clients, including Access Points and other devices.
Note: It is recommended that you configure your IP address mode consistently across Access Policies
that are related. For example, you should use the same NAT mode in the Access Policy you configure for
unauthenticated clients and in the Access Policies that will affect those clients after they have
authenticated.
Using NAT has a number of benefits for the 700wl Series system, especially in relation to roaming. If a
client has a NAT’ed IP address, when it roams to a different Access Controller its sessions can actually
be moved to the new Access Controller rather than being tunneled back through the original Access
Controller. If the client is using a real IP address, all sessions must be tunneled back through the original
Access Controller.
NAT and VPN Tunneling
The use of VPN tunneling affects IP addressing and NAT. If PPTP or L2TP is enabled for a location (via
the Specify Encryption per Location page), then addressing works as follows:
• The first DHCP request is taken to be a request for an outer tunnel address, and NAT is always used
regardless of the NAT setting in the Access Policy.
Note: A side-effect of this behavior is that if encryption is “Allowed but not Required” in the Access
Policy, and a client connects without using a tunneling protocol, that client will always receive a
NAT’ed IP address upon making a DHCP request. The client avoids being NAT’ed only if the client’s
group allows static IP addresses and the client actually uses a static IP address.
• The inner tunnel address is assigned per the Access Policy NAT setting, as discussed above.
However, if Real IP mode is used, the client’s IP address is assigned as specified through the
Tunneling Configuration page, either via the external DHCP service or from a specified address
range.
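The following Python model is an added illustration of the address-handling rules described in the NAT
setting discussion and in the tunneling behavior above; it is not code from the 700wl Series product.
It treats an address as “valid” when it falls within the subnet configured on the port the client arrived
on (an assumption), and the mode names `when_necessary` and `always` are assumed labels for the
Access Policy NAT settings other than Never, which the text above does not name. The function returns
what happens to the client’s source address: `real` (left untouched), `nat` (rewritten to a private
address), or `drop` (traffic discarded).

```python
"""Illustrative model of the 700wl address-handling rules (added example, not
product code). Mode names other than NEVER and the subnet-membership test for
"valid" are assumptions made for this example."""
import ipaddress
from enum import Enum


class NatMode(Enum):
    NEVER = "never"                    # Access Policy NAT setting "Never" (Real IP mode)
    WHEN_NECESSARY = "when_necessary"  # assumed name: NAT only an invalid address
    ALWAYS = "always"                  # assumed name: every client is NAT'ed


def address_is_valid(client_ip: str, port_subnet: str) -> bool:
    """Assumption for this model: an address is valid on a port if it belongs
    to the subnet configured on that port or Access Controller."""
    return ipaddress.ip_address(client_ip) in ipaddress.ip_network(port_subnet, strict=False)


def source_address_handling(nat_mode: NatMode, client_ip: str, port_subnet: str, *,
                            tunnel_enabled: bool = False,
                            outer_tunnel_request: bool = False,
                            static_ip: bool = False) -> str:
    """Return 'real', 'nat' or 'drop' for a client's traffic.

    tunnel_enabled:        PPTP or L2TP is enabled for the client's location.
    outer_tunnel_request:  this is the client's first DHCP request, which the
                           Access Controller treats as the outer tunnel address.
    static_ip:             the client uses a static address (and its group
                           permits one), so no DHCP request is made.
    """
    # Tunneling rule: the first DHCP request at a PPTP/L2TP location is always
    # NAT'ed regardless of the Access Policy NAT setting. Only a client that
    # uses a static IP address (no DHCP request) escapes this.
    if tunnel_enabled and outer_tunnel_request and not static_ip:
        return "nat"

    if nat_mode is NatMode.ALWAYS:
        return "nat"

    if address_is_valid(client_ip, port_subnet):
        # Valid real or static address: left untouched as the packet source.
        return "real"

    # Address is not valid on the port subnet.
    if nat_mode is NatMode.NEVER:
        # Never mode has no fallback: the client's traffic is dropped.
        return "drop"
    # Otherwise a private address is assigned and the source is rewritten.
    return "nat"


def lease_renewal_handling(nat_mode: NatMode, renewed_ip: str, port_subnet: str) -> str:
    """Models the Note above: after a DHCP lease expires the client may obtain a
    valid real address, which then replaces the NAT'ed address as the source."""
    return source_address_handling(nat_mode, renewed_ip, port_subnet)


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real deployment.
    print(source_address_handling(NatMode.NEVER, "10.1.1.5", "10.1.1.0/24"))         # real
    print(source_address_handling(NatMode.NEVER, "192.168.9.7", "10.1.1.0/24"))      # drop
    print(source_address_handling(NatMode.WHEN_NECESSARY, "192.168.9.7", "10.1.1.0/24"))  # nat
    print(source_address_handling(NatMode.NEVER, "10.1.1.5", "10.1.1.0/24",
                                  tunnel_enabled=True, outer_tunnel_request=True))   # nat
```

The model makes the operational caveats visible: in Never mode an address outside the port subnet is not
rescued by NAT but dropped, and at a PPTP/L2TP-enabled location the first DHCP request is NAT’ed even
under Never, so an unauthenticated client on an “Allowed but not Required” policy ends up NAT’ed unless
it uses a permitted static address.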
The QoS Tab
QoS Markings classify and mark client traffic based on a variety of criteria, including source and
destination addresses, IP protocol, Class of Service (CoS), port/slot combination, and MAC address to
name a few. Client packets can be marked with 802.1p, DiffServ, IP Precedence, and ToS priority
settings. In addition, the QoS feature offers the ability to apply VLAN tags based on packet
classification. For more information about the different criteria and marking available for traffic
classification, see “Creating or Editing a QoS Marking” on page 4-62.