Management and Configuration Guide (Includes ACM xl) 2005-12

2-24 ProCurve Secure Access 700wl Series Management and Configuration Guide
Using the 700wl Series System
VLANs and the 700wl Series System
The following discussion assumes that you have read Chapter 4, “Configuring Rights” and are familiar
with Connection Profiles, Access Policies, and how rights are assigned to a client in the 700wl Series
system.
The HP System provides support for Virtual LAN (VLAN) tagging in several ways:
• VLAN IDs (802.1Q tags) can be associated with uplink subnets on each Access Controller. Client traffic is then directed to the appropriate subnet based on the VLAN tag associated with the traffic. A VLAN ID can be associated with the client by the Access Policy for the client, which in turn can be based on the client authentication. This method allows client traffic that enters the 700wl Series system untagged to be tagged and directed to specific subnets. See the discussion “VLANs and IP Subnet Addressing” on page 2-25 for more details.
• A client whose incoming traffic is already tagged can be matched to a Connection Profile based on the VLAN ID associated with the client traffic. The VLAN tag associated with client traffic can be preserved, stripped, or rewritten before the traffic is forwarded onto the network, based on the Access Policy in force for the client.
The Network Administrator can configure each Access Controller for the set of network subnets and
VLANs that will be present on the uplink. (By default, each Access Controller always has an untagged
subnet that is used for communication between the Access Controller and the Access Control Server
740wl).
When a client is successfully authenticated, the Access Policy that applies for that client can designate a
VLAN tag for the client. All traffic from that client will be tagged with that VLAN ID, ensuring that the
client will be assigned to the appropriate subnet.
If client traffic arrives at the Access Controller already tagged, the system can filter for incoming VLAN
tags prior to authenticating the client through the Connection Profile mechanism. By filtering for tagged
traffic on the downlink, you can use the Connection Profile to associate the client with an Access Policy
that can manipulate the tag, if necessary, to ensure that the client is assigned to the correct subnet.
Figure 2-11 shows how you might set up the Rights table to filter for clients whose traffic is tagged with
a VLAN ID of 10 or 20. In this example, Connection Profile VLAN10clients matches only clients whose
traffic is tagged with VLAN = 10, and VLAN20clients matches client traffic tagged as VLAN 20.
Figure 2-11. Rights Table with VLAN Traffic Configured
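As an added illustration that is not part of the guide, the following Python models the tag handling described above: an 802.1Q parser, a Connection Profile match on the downlink VLAN ID (the VLAN10clients and VLAN20clients profiles of Figure 2-11, plus a constructed profile for untagged clients), and the Access Policy actions preserve, strip, tag and rewrite applied to the frame. The profile and policy tables, frame contents and the "Untagged" profile name are constructed for the example, not the product's configuration format.

```python
import struct
TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag
# Constructed rights table modelled on Figure 2-11 (not the product's own config
# format): the Connection Profile is chosen by the VLAN ID seen on the downlink
# (None = untagged) and its Access Policy decides the tag's fate on the uplink.
CONNECTION_PROFILES = {10: "VLAN10clients", 20: "VLAN20clients", None: "Untagged"}
ACCESS_POLICIES = {                      # (action, vid) pairs, constructed
    "VLAN10clients": ("preserve", None), # forward the tag as received
    "VLAN20clients": ("rewrite", 200),   # move these clients to VLAN 200
    "Untagged": ("tag", 30),             # tag untagged clients with VLAN 30
}

def parse_vlan(frame: bytes):
    """Return (vid, offset of inner EtherType); vid is None for untagged frames."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    if struct.unpack_from("!H", frame, 12)[0] != TPID_8021Q:
        return None, 12
    if len(frame) < 18:
        raise ValueError("802.1Q frame truncated")
    tci = struct.unpack_from("!H", frame, 14)[0]
    return tci & 0x0FFF, 16              # VID is the low 12 bits of the TCI

def match_profile(frame: bytes):
    """Downlink Connection Profile match by VLAN ID; None when nothing matches."""
    return CONNECTION_PROFILES.get(parse_vlan(frame)[0])

def retag(frame: bytes, action: str, new_vid=None) -> bytes:
    """Preserve, strip, tag or rewrite the 802.1Q tag (PCP/DEI bits reset to 0)."""
    if action == "preserve":
        return frame
    _, off = parse_vlan(frame)
    macs, rest = frame[:12], frame[off:]  # MACs; inner EtherType + payload
    if action == "strip":
        return macs + rest
    tag = struct.pack("!HH", TPID_8021Q, new_vid & 0x0FFF)
    return macs + tag + rest             # "tag" and "rewrite" both emit a fresh tag

def apply_policy(frame: bytes):
    """Profile match followed by the policy's tag action; None = no profile."""
    profile = match_profile(frame)
    if profile is None:
        return None
    return retag(frame, *ACCESS_POLICIES[profile])

def make_frame(vid=None, payload=b"\x00" * 4) -> bytes:
    """Constructed test frame: two MACs, optional 802.1Q tag, IPv4 EtherType, payload."""
    hdr = bytes.fromhex("0011223344550a0b0c0d0e0f")
    tag = b"" if vid is None else struct.pack("!HH", TPID_8021Q, vid)
    return hdr + tag + struct.pack("!H", 0x0800) + payload
```

A frame tagged with a VLAN ID that no Connection Profile lists yields None from apply_policy, which is the point of filtering on the downlink: only the VLANs you configured are mapped to a policy.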