Management and Configuration Guide (Includes ACM xl) 2005-12

1-6 ProCurve Secure Access 700wl Series Management and Configuration Guide
Introduction
To allow flexibility, the 700wl Series system provides alternate addressing schemes:
• Use NAT only if the client’s IP address is on the wrong subnet, that is, specifically not within the Access Controller’s subnet. Otherwise, use the client’s real or static IP address.
• Always use the client’s real or static IP address and never use NAT, regardless of the subnet. This setting is intended for access points, and should be used with caution.
There is one case where NAT will always be used—when PPTP/L2TP tunneling is used.
“Addressing in the 700wl Series System” in Chapter 2, and Chapter 4, “Configuring Rights” provide
more extensive discussions of addressing considerations and NAT.
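The following is an added example, not code from the guide or from the 700wl Series software: it encodes the NAT decision the two alternate schemes describe, together with the PPTP/L2TP rule that always uses NAT, so the cases can be checked against a constructed set of clients. The mode names, the Access Controller subnet and uplink address, and the client addresses are assumptions made for this example.

```python
# Added example, not code from the ProCurve guide: the NAT decision the
# Introduction describes, for the two alternate addressing schemes plus the
# PPTP/L2TP override. Mode names, the Access Controller subnet, the uplink
# address and the client addresses are constructed for this example.
from dataclasses import dataclass
from enum import Enum
from ipaddress import IPv4Address, IPv4Network
from typing import List


class AddressingMode(Enum):
    NAT_WHEN_OFF_SUBNET = "nat_when_off_subnet"   # NAT only a client outside the AC's subnet
    NEVER_NAT = "never_nat"                       # always forward the client's real/static address


@dataclass(frozen=True)
class Client:
    ip: IPv4Address
    tunneled: bool = False   # True when the client connects over PPTP or L2TP


def should_nat(client: Client, ac_subnet: IPv4Network, mode: AddressingMode) -> bool:
    """Decide whether the Access Controller translates this client's source address."""
    if client.tunneled:                 # PPTP/L2TP: NAT is always used, whatever the mode
        return True
    if mode is AddressingMode.NEVER_NAT:
        return False
    return client.ip not in ac_subnet   # NAT_WHEN_OFF_SUBNET


def uplink_source(client: Client, ac_subnet: IPv4Network, ac_uplink_ip: IPv4Address,
                  mode: AddressingMode) -> IPv4Address:
    """Source address the network sees: the AC's uplink address under NAT, else the client's own."""
    return ac_uplink_ip if should_nat(client, ac_subnet, mode) else client.ip


def off_subnet_untranslated(clients: List[Client], ac_subnet: IPv4Network,
                            mode: AddressingMode) -> List[Client]:
    """Clients whose address lies outside the AC's subnet yet would be forwarded untranslated.

    The guide says the never-NAT setting should be used with caution; this audit lists
    the clients that setting leaves untranslated. Under NAT_WHEN_OFF_SUBNET the list is
    always empty, because those clients are exactly the ones that get NAT."""
    return [c for c in clients
            if c.ip not in ac_subnet and not should_nat(c, ac_subnet, mode)]


# Constructed sample topology.
AC_SUBNET = IPv4Network("10.1.1.0/24")
AC_UPLINK_IP = IPv4Address("10.1.1.1")
SAMPLE_CLIENTS = [
    Client(IPv4Address("10.1.1.50")),                  # on the AC's subnet
    Client(IPv4Address("192.168.7.5")),                # static address from another subnet
    Client(IPv4Address("10.1.1.60"), tunneled=True),   # PPTP/L2TP client
]
```

Running `off_subnet_untranslated(SAMPLE_CLIENTS, AC_SUBNET, AddressingMode.NEVER_NAT)` returns the 192.168.7.5 client, while the same call under `NAT_WHEN_OFF_SUBNET` returns an empty list; the tunneled client is translated in both modes.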
VLAN Tag Support
The 700wl Series system provides support for Virtual LAN (VLAN) tagging in several ways:
• VLAN IDs (802.1Q tags) can be associated with uplink subnets on each Access Controller. Client traffic is then directed to the appropriate subnet based on the VLAN tag associated with the traffic.
• A VLAN ID is associated with a specific client’s traffic through the Access Policy in force for the client. This method allows untagged client traffic to be tagged and directed to specific subnets.
• The VLAN tag associated with the client traffic can be stripped, added, or rewritten before the traffic is forwarded onto the network, based on the Access Policy in force for the client.
• A client can be matched to a Connection Profile based on the VLAN ID (802.1Q tag) associated with the incoming client traffic.
When VLANs are used in a network environment, each VLAN is typically associated with a different IP
subnet. The 700wl Series system lets you configure each Access Controller with the VLANs and network
subnets that are present on the uplink. This enables the Access Controller to direct client traffic tagged
with an appropriate VLAN ID to the correct subnet.
The Identity Profile associated with an authenticated client helps determine the Access Policy that is
enforced for that client. The Access Policy can designate a VLAN tag to be added to the client traffic,
which in turn determines the subnet to which the client’s traffic will be directed.
Matching a client to a Connection Profile based on the VLAN tag enables you to assign an Access Policy
to clients in a specific VLAN. The Access Policies associated with the VLAN-specific Connection Profiles
can be configured to modify the VLAN tagging of these clients, if necessary. By default, the tag
associated with the client’s traffic is removed so the client’s traffic is sent on to the network untagged.
This scenario can be useful if you want to use the client’s VLAN membership only to assign access rights
for the client, and once the Access Policy is in place, the VLAN tag is no longer used. Optionally you can
configure the Access Policy to preserve the tag or you can replace the original tag with a different tag.
QoS
The 700wl Series system QoS feature enables classification of traffic based on 802.1p, DiffServ, IP
Precedence, and ToS settings. Ingress priority settings can be retained, mapped to different priority
settings, or removed. In addition, packet classification can be based on a variety of other criteria,
including VLAN ID, IP protocol, source and destination IP addresses and ports, MAC address, user
identity, slot/port combination, and Ethertype.
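The following is an added example, not code from the guide or from the 700wl Series software, covering both the VLAN Tag Support and the QoS sections above: it parses an 802.1Q-tagged Ethernet frame, matches the client to a Connection Profile by VLAN ID, applies an Access Policy that strips, preserves or rewrites the tag and retains, maps or removes the 802.1p ingress priority, reads the DiffServ code point from the IPv4 header for classification, and looks up the uplink subnet by the egress VLAN ID. The frame bytes, VLAN numbers, subnets, policy names and the Access Policy fields are assumptions constructed for this example.

```python
# Added example, not code from the ProCurve guide: 802.1Q tag handling and
# 802.1p/DiffServ classification for a client frame, modelled on the VLAN Tag
# Support and QoS sections. Frame bytes, VLAN numbers, subnets, policy names
# and the Access Policy fields below are constructed for this example.
import struct
from dataclasses import dataclass, field
from typing import Dict, Optional

TPID_8021Q = 0x8100      # TPID that marks an 802.1Q-tagged frame
ETHERTYPE_IPV4 = 0x0800


@dataclass
class Frame:
    dst: bytes
    src: bytes
    vid: Optional[int]   # None when the frame carries no 802.1Q tag
    pcp: int             # 802.1p priority from the tag (0 when untagged)
    ethertype: int
    payload: bytes

    @classmethod
    def parse(cls, raw: bytes) -> "Frame":
        dst, src = raw[:6], raw[6:12]
        (etype,) = struct.unpack("!H", raw[12:14])
        if etype == TPID_8021Q:
            tci, etype = struct.unpack("!HH", raw[14:18])   # TCI = PCP(3) DEI(1) VID(12)
            return cls(dst, src, tci & 0x0FFF, tci >> 13, etype, raw[18:])
        return cls(dst, src, None, 0, etype, raw[14:])

    def build(self) -> bytes:
        head = self.dst + self.src
        if self.vid is not None:
            head += struct.pack("!HH", TPID_8021Q, (self.pcp << 13) | (self.vid & 0x0FFF))
        return head + struct.pack("!H", self.ethertype) + self.payload

    def dscp(self) -> Optional[int]:
        """DiffServ code point from the IPv4 TOS byte (None for non-IPv4 payloads)."""
        if self.ethertype != ETHERTYPE_IPV4 or len(self.payload) < 20:
            return None
        return self.payload[1] >> 2


@dataclass
class AccessPolicy:
    name: str
    tag_action: str = "strip"              # "strip" (the guide's default), "preserve" or "rewrite"
    rewrite_vid: Optional[int] = None      # VID to add or substitute when tag_action == "rewrite"
    priority_action: str = "retain"        # "retain", "map" or "remove"
    priority_map: Dict[int, int] = field(default_factory=dict)   # ingress PCP -> egress PCP


# Connection Profiles keyed by ingress VLAN ID; None is the profile for untagged clients.
PROFILES: Dict[Optional[int], AccessPolicy] = {
    10: AccessPolicy("vlan10-clients", tag_action="strip"),
    20: AccessPolicy("vlan20-clients", tag_action="rewrite", rewrite_vid=200,
                     priority_action="map", priority_map={5: 3, 6: 3, 7: 0}),
    None: AccessPolicy("untagged-clients", tag_action="preserve", priority_action="remove"),
}
# VLANs and subnets configured on the Access Controller's uplink.
UPLINK_VLANS: Dict[Optional[int], str] = {10: "10.10.0.0/24", 20: "10.20.0.0/24", 200: "10.200.0.0/24"}


def match_connection_profile(ingress_vid: Optional[int]) -> AccessPolicy:
    """Pick the Access Policy whose Connection Profile matches the client's VLAN ID."""
    return PROFILES.get(ingress_vid, PROFILES[None])


def apply_policy(frame: Frame, policy: AccessPolicy) -> Frame:
    """Return the frame as it would be forwarded onto the uplink under this policy."""
    out = Frame(frame.dst, frame.src, frame.vid, frame.pcp, frame.ethertype, frame.payload)
    if policy.tag_action == "strip":          # default: forward the client's traffic untagged
        out.vid = None
    elif policy.tag_action == "rewrite":      # tag untagged traffic, or replace the existing tag
        out.vid = policy.rewrite_vid
    if policy.priority_action == "remove":
        out.pcp = 0
    elif policy.priority_action == "map":
        out.pcp = policy.priority_map.get(frame.pcp, frame.pcp)
    if out.vid is None:
        out.pcp = 0                           # no tag means no 802.1p field to carry a priority
    return out


def uplink_subnet_for(frame: Frame) -> Optional[str]:
    """Subnet the Access Controller directs the egress frame to, by its VLAN tag."""
    return UPLINK_VLANS.get(frame.vid)


def forward(raw: bytes) -> Frame:
    """Full path: parse, match the Connection Profile by VLAN ID, apply the Access Policy."""
    frame = Frame.parse(raw)
    return apply_policy(frame, match_connection_profile(frame.vid))


# Constructed input: IPv4 over 802.1Q, VID 10, PCP 5, DSCP 46 (TOS byte 0xB8).
SAMPLE_TAGGED = (b"\x00\x11\x22\x33\x44\x55" + b"\x00\xaa\xbb\xcc\xdd\xee"
                 + struct.pack("!HH", TPID_8021Q, (5 << 13) | 10)
                 + struct.pack("!H", ETHERTYPE_IPV4) + bytes([0x45, 46 << 2]) + bytes(18))
SAMPLE_UNTAGGED = SAMPLE_TAGGED[:12] + SAMPLE_TAGGED[16:]   # same frame with the 4-byte tag removed
```

`forward(SAMPLE_TAGGED)` matches the VLAN 10 profile and returns the frame untagged, which is the default behaviour the guide describes; applying `PROFILES[20]` to the same parsed frame instead yields VID 200 with the ingress priority 5 mapped to 3, and `uplink_subnet_for` then resolves that egress tag to the 10.200.0.0/24 uplink subnet.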