Management and Configuration Guide (Includes ACM xl) 2005-12

ProCurve Secure Access 700wl Series Management and Configuration Guide 2-25
Using the 700wl Series System
Authenticated clients carrying a VLAN 20 tag match the first row in the table and receive access
rights based on the Access Policy created for members of that VLAN (VLAN20clientRights).
Authenticated clients in VLAN 10 match the second row and receive access rights accordingly.
The Access Policies associated with the VLAN-specific Connection Profiles can be configured to modify
the VLAN tagging of these clients, if necessary. Depending on the configuration of VLANs and subnets
present on the uplink, you can configure the Access Policy to preserve the tag or to replace it with a
different tag to ensure assignment to the appropriate subnet.
VLANs and IP Subnet Addressing
When VLANs are used in a network environment, each VLAN is typically associated with a different IP
subnet. The 700wl Series system lets you configure each Access Controller with the VLANs and
network subnets that are present on the uplink. This set of VLANs and subnets defines the Local Network
for the Access Controller. This enables the Access Controller to direct client traffic tagged with an
appropriate VLAN ID to the correct subnet.
The Access Control Server 740wl maintains the Global Network: the set of all subnets configured on the
various Access Controllers in the system, organized in Subnet Groups. A subnet group (also known as
a “SuperScope” in Microsoft terminology) is the set of IP subnets (IP address ranges) available from a
given DHCP server. Each subnet group may have multiple subnets as members, and every subnet
configured on any Access Controller is always a member of a subnet group—either an already existing
group, or one created automatically for a new subnet. For convenience, subnets can be predefined at the
Global Network level, and then associated with specific VLANs at the Local Network level on
individual Access Controllers. This can simplify the configuration task when the same subnets are
present on the uplinks of multiple Access Controllers.
Configuration of the addresses of the DHCP, DNS, and WINS servers is done through the Subnet
Groups under the Global Network, rather than on individual Access Controllers at the Local Network
level. This simplifies the configuration task when the same Subnet Group applies across multiple
Access Controllers, and it also allows traffic on a given Access Controller to use different DHCP and/or
DNS/WINS services based on that traffic’s VLAN/IP subnet/subnet group association.
Access Policies can be used to add or manipulate the VLAN IDs associated with client traffic. When a
client is authenticated, an appropriate Access Policy will be associated with that client based on the
Identity Profile that results from the authentication. For example, clients that are authenticated via a
RADIUS server may be associated with an Identity Profile based on their group assignment in the
RADIUS database. The Identity Profile then helps determine the Access Policy that is enforced for that
client. The Access Policy can designate a VLAN ID for the client, which in turn determines the subnet
to which the client’s traffic will be directed.
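The lookup chain described in this section (Connection Profile row, Access Policy, VLAN tag, Local Network subnet, Subnet Group, DHCP/DNS/WINS servers) can be modelled to check a configuration before it is deployed. The following is an added illustration written for this guide, not ProCurve 700wl code: the class names, the policy format, and the sample VLANs, subnets and server addresses are assumptions, as is the behaviour of an automatically created subnet group (modelled here as a group with no servers configured yet).

```python
"""Model of the Local Network / Global Network lookup described above.

Added illustration, not ProCurve 700wl code; class names, policy format and
all sample addresses are assumptions.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple


@dataclass
class SubnetGroup:
    """A subnet group ("SuperScope"): the subnets served from one DHCP
    server, with the DHCP/DNS/WINS addresses configured once per group."""
    name: str
    dhcp: Optional[IPv4Address] = None
    dns: Optional[IPv4Address] = None
    wins: Optional[IPv4Address] = None
    subnets: List[IPv4Network] = field(default_factory=list)


class GlobalNetwork:
    """Kept on the Access Control Server: every subnet present on any
    Access Controller, each a member of exactly one subnet group."""

    def __init__(self) -> None:
        self.groups: Dict[str, SubnetGroup] = {}
        self._group_of: Dict[IPv4Network, str] = {}

    def add_group(self, group: SubnetGroup) -> None:
        group.subnets = [IPv4Network(n) for n in group.subnets]
        for net in group.subnets:
            if net in self._group_of:
                raise ValueError(f"{net} is already in group {self._group_of[net]}")
            self._group_of[net] = group.name
        self.groups[group.name] = group

    def ensure_subnet(self, net) -> SubnetGroup:
        """Return the group holding net. A subnet seen for the first time gets
        its own group created automatically; this model gives that group no
        server addresses (an assumption) so nothing is silently inherited."""
        net = IPv4Network(net)
        if net not in self._group_of:
            self.add_group(SubnetGroup(name=f"auto-{net}", subnets=[net]))
        return self.groups[self._group_of[net]]


@dataclass
class AccessPolicy:
    name: str
    replace_vlan: Optional[int] = None  # None preserves the client's own tag


class AccessController:
    """One Access Controller: the VLAN/subnet pairs on its uplink (its Local
    Network) and its ordered Connection Profile rows."""

    def __init__(self, name: str, global_net: GlobalNetwork) -> None:
        self.name = name
        self.global_net = global_net
        self.local: Dict[int, IPv4Network] = {}
        self.profiles: List[Tuple[int, AccessPolicy]] = []

    def add_uplink_vlan(self, vlan_id: int, net) -> None:
        net = IPv4Network(net)
        self.global_net.ensure_subnet(net)  # every subnet lands in some group
        self.local[vlan_id] = net

    def add_profile(self, vlan_id: int, policy: AccessPolicy) -> None:
        self.profiles.append((vlan_id, policy))

    def place_client(self, client_vlan: int) -> Optional[dict]:
        """First Connection Profile row whose VLAN matches wins. Its Access
        Policy keeps or rewrites the tag; the resulting tag selects the uplink
        subnet and, through that subnet's group, the DHCP/DNS/WINS servers."""
        for row_vlan, policy in self.profiles:
            if row_vlan != client_vlan:
                continue
            out_vlan = client_vlan if policy.replace_vlan is None else policy.replace_vlan
            net = self.local.get(out_vlan)
            if net is None:
                # The policy points at a VLAN that is not on this uplink: the
                # client's traffic would have nowhere to go, so fail loudly.
                raise LookupError(f"VLAN {out_vlan} is not on the uplink of {self.name}")
            group = self.global_net.ensure_subnet(net)
            return {"policy": policy.name, "vlan": out_vlan, "subnet": net,
                    "dhcp": group.dhcp, "dns": group.dns, "wins": group.wins}
        return None  # no VLAN row matched; a later or default profile would apply


def demo() -> AccessController:
    """Constructed configuration: VLANs 10 and 20 share one subnet group,
    VLAN 30 sits in a second group with its own DHCP/DNS server."""
    g = GlobalNetwork()
    g.add_group(SubnetGroup("campus", IPv4Address("10.0.0.5"), IPv4Address("10.0.0.53"),
                            IPv4Address("10.0.0.54"), ["10.10.0.0/24", "10.20.0.0/24"]))
    g.add_group(SubnetGroup("guest", IPv4Address("10.30.0.1"), IPv4Address("10.30.0.1"),
                            None, ["10.30.0.0/24"]))
    ac = AccessController("ac1", g)
    for vlan, net in ((10, "10.10.0.0/24"), (20, "10.20.0.0/24"), (30, "10.30.0.0/24")):
        ac.add_uplink_vlan(vlan, net)
    ac.add_profile(20, AccessPolicy("VLAN20clientRights"))                   # preserve tag
    ac.add_profile(10, AccessPolicy("VLAN10clientRights", replace_vlan=30))  # retag to guest
    return ac
```

The `LookupError` in `place_client` is the check worth keeping when adapting this model: an Access Policy that retags clients to a VLAN absent from that controller's uplink is a valid-looking configuration that strands the client's traffic.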
QoS Marking
The QoS marking feature enables the 700wl Series system to handle IP traffic to meet the service needs
of certain applications while maintaining network use for a full range of applications and users. Current
QoS implementations often depend on the client application applying the priority tagging. However, as
more multi-use client devices come into use, it will become less acceptable to assume that the device is
either trusted or correct in how it marks its traffic. In some cases it may be necessary to explicitly
remove priority tags that have been applied by client applications.
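What "retain, map, or remove" means at the packet level can be shown on a tagged IPv4 frame: the 802.1p priority lives in the top three bits of the 802.1Q TCI, and DiffServ, IP Precedence and ToS are all views of the second byte of the IPv4 header, so rewriting that byte also requires recomputing the IPv4 header checksum. The following is an added example written for this guide, not 700wl code: the policy format (a per-field action of `"retain"`, `"remove"` or a mapping table) and the sample frame are constructed here, and the choice to clear any client mark that a mapping table does not list is a design decision of this example.

```python
"""Ingress priority classification and re-marking on an 802.1Q-tagged IPv4 frame.

Added example, not 700wl code. The policy format and the sample frame are
constructed for illustration; the 802.1Q and IPv4 header layouts are standard.
"""
import struct
from typing import Dict, Union

ETHERTYPE_VLAN = 0x8100
ETHERTYPE_IPV4 = 0x0800
Action = Union[str, Dict[int, int]]  # "retain", "remove", or {ingress: egress}

# Example policy for an untrusted client port: strip 802.1p entirely and pass
# DSCP through only for the EF code point (46); everything else is cleared.
UNTRUSTED_CLIENT_POLICY: Dict[str, Action] = {"pcp": "remove", "dscp": {46: 46}}


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum. Over a header whose checksum field
    is already correct the result is 0, which is how receivers verify it."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def classify(frame: bytes) -> dict:
    """Read the marks the client applied: 802.1p priority (PCP), the DiffServ
    code point, and the IP Precedence bits, all taken from the ToS byte."""
    tpid, tci, ethertype = struct.unpack_from("!HHH", frame, 12)
    if tpid != ETHERTYPE_VLAN or ethertype != ETHERTYPE_IPV4:
        raise ValueError("expected an 802.1Q-tagged IPv4 frame")
    tos = frame[19]  # IPv4 header starts at offset 18; byte 1 is ToS (DSCP+ECN)
    return {"pcp": tci >> 13, "vid": tci & 0x0FFF, "tos": tos,
            "dscp": tos >> 2, "precedence": tos >> 5}


def _apply(action: Action, value: int) -> int:
    if action == "retain":
        return value
    if action == "remove":
        return 0
    if isinstance(action, dict):
        # Unlisted values are untrusted client marks and are cleared.
        return action.get(value, 0)
    raise ValueError(f"unknown action {action!r}")


def remark(frame: bytes, policy: Dict[str, Action]) -> bytes:
    """Rewrite PCP and DSCP per policy, keep VID and the ECN bits untouched,
    and recompute the IPv4 header checksum the ToS change invalidates."""
    marks = classify(frame)
    buf = bytearray(frame)
    tci = struct.unpack_from("!H", buf, 14)[0]
    new_pcp = _apply(policy["pcp"], marks["pcp"]) & 0x7
    struct.pack_into("!H", buf, 14, (new_pcp << 13) | (tci & 0x1FFF))
    new_dscp = _apply(policy["dscp"], marks["dscp"]) & 0x3F
    buf[19] = (new_dscp << 2) | (buf[19] & 0x03)
    ihl = (buf[18] & 0x0F) * 4
    struct.pack_into("!H", buf, 28, 0)  # checksum field is at IPv4 offset 10
    struct.pack_into("!H", buf, 28, ipv4_checksum(bytes(buf[18:18 + ihl])))
    return bytes(buf)


def checksum_ok(frame: bytes) -> bool:
    ihl = (frame[18] & 0x0F) * 4
    return ipv4_checksum(frame[18:18 + ihl]) == 0


def build_frame(pcp: int, vid: int, dscp: int) -> bytes:
    """Constructed sample: Ethernet + 802.1Q tag + a 20-byte IPv4/UDP header
    carrying the given 802.1p priority and DSCP (ECN bits zero)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    tag = struct.pack("!HHH", ETHERTYPE_VLAN, (pcp << 13) | vid, ETHERTYPE_IPV4)
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 28, 0, 0x4000,
                               64, 17, 0, bytes([10, 20, 0, 9]), bytes([10, 0, 0, 5])))
    struct.pack_into("!H", ip, 10, ipv4_checksum(bytes(ip)))
    return eth + tag + bytes(ip)
```

Note that `remark` leaves the two ECN bits alone: they share the ToS byte with DSCP but carry congestion signalling, not priority, and clearing them would break ECN for the client's flows.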
The QoS feature can classify traffic based on 802.1p, DiffServ, IP Precedence, and ToS settings. Ingress
priority settings can be retained, mapped to different priority settings, or removed. In addition, packet