Management and Configuration Guide (Includes ACM xl) 2005-12
ProCurve Secure Access 700wl Series Management and Configuration Guide 1-5
Introduction
Roaming Support
One of the key features of the 700wl Series system is its support of layer 3 roaming—enabling clients to move around physically between access points without having to reauthenticate or establish a new session.
Because the 700wl Series system identifies clients by MAC address, it is simple to detect when a device roams. A Linger Timeout determines the length of time a client has to complete a roam, that is, to appear at a new physical location after disappearing from the old physical location. The settings for timing out a roaming client are part of the client’s assigned Access Policy; different clients can have different settings, and one client can have different settings depending on its location, time of day, and so on.
If the client completes the roam within the linger time, no reconnect or authentication is needed—the client’s connection state is maintained intact. If the client fails to complete the roam before the linger timer expires, the 700wl Series system concludes that the client has actually disconnected and logs the client off.
Roaming support is discussed in more detail in “VLANs and the 700wl Series System” in Chapter 2, “Using the 700wl Series System”.
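As an added illustration of the linger-timeout behavior described above (this is not code from the guide or from the 700wl product; the class and method names, the two policies and the MAC addresses are assumptions), the following Python model tracks sessions by MAC address, keeps a client's connection state intact when it reappears at a new Access Controller within its Access Policy's Linger Timeout, and logs the client off when the timer expires:

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class AccessPolicy:
    name: str
    linger_timeout: float  # seconds a client has to reappear elsewhere after vanishing

@dataclass
class Session:
    mac: str
    policy: AccessPolicy
    location: str                     # Access Controller the client is currently seen at
    lost_at: Optional[float] = None   # when the client vanished from `location`, if it has
    state: dict = field(default_factory=dict)  # connection state carried across a roam

class RoamTracker:
    """Tracks clients by MAC address and applies each policy's Linger Timeout (assumed model)."""
    def __init__(self):
        self.sessions = {}  # MAC -> Session; clients are identified by MAC, as in the guide

    def authenticate(self, mac, policy, location):
        self.sessions[mac] = Session(mac, policy, location, state={"flows": 0})

    def lost(self, mac, now):
        """Client stopped being seen at its current location: the linger timer starts."""
        s = self.sessions.get(mac)
        if s is not None and s.lost_at is None:
            s.lost_at = now

    def seen(self, mac, location, now):
        """A frame from `mac` arrived at `location`; returns the action taken."""
        s = self.sessions.get(mac)
        if s is None:
            return "reauth-required"   # no session: client must authenticate first
        if s.lost_at is not None and now - s.lost_at > s.policy.linger_timeout:
            del self.sessions[mac]     # linger timer expired: treated as a disconnect
            return "logged-off"
        action = "roamed" if location != s.location else "active"
        s.location = location          # roam completed in time: session state stays intact
        s.lost_at = None
        return action

    def expire(self, now):
        """Periodic sweep: log off clients whose linger timer ran out without reappearing."""
        gone = [m for m, s in self.sessions.items()
                if s.lost_at is not None and now - s.lost_at > s.policy.linger_timeout]
        for m in gone:
            del self.sessions[m]
        return gone
```

Times are plain seconds so the example runs offline; a real controller would drive `lost` and `seen` from link-layer events and poll `expire` on a timer.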
Network Address Translation
By default, an Access Controller provides Network Address Translation (NAT) services for clients that request a DHCP IP address when they initiate a connection to the Access Controller. The 700wl Series system implements NAT as a form of “overloading,” where a range of private IP addresses is mapped to a single public IP address (the IP address of the Access Controller) by using TCP ports. When a client sends a packet through the Access Controller, the Access Controller rewrites the IP address field and the port number field to a value that is unique within the entire 700wl Series system and uses this unique identifier for returned packets.
Although NAT is enabled by default in the 700wl Series system, you can elect whether to use it or not depending on your application. Following are some points in favor of using NAT within the 700wl Series system:
• NAT makes roaming much more efficient. Because each NAT address is unique for the entire 700wl Series system, the client’s connection state can be moved to the nearest Access Controller while roaming, rather than requiring every connection to be tunneled back to the original Access Controller.
• NAT provides some amount of protection to a client since no device other than an Access Controller can talk directly to the client. This provides rudimentary firewall protection.
• Allowing NAT can ensure that a client will be able to successfully communicate with the network—if NAT is not allowed, and a client has an IP address that is not within the subnet used by the Access Controller, return packets will not be able to reach the client. A client having an IP address not within the Access Controller’s subnet can occur if the client uses a static IP address or receives an IP address from an external DHCP server.
However, certain applications may require a host or server system to know the actual IP address of a client. Some examples include multi-player games, file transfer in Instant Messenger applications, and other peer-to-peer applications.