HP (Hewlett-Packard) 700wl Series Switch User Manual

Using the 700wl Series System
In this case, Authenticated clients with a VLAN 20 tag will match the first row in the table, and will
receive access rights based on the Access Policy created for members of that VLAN. Authenticated
clients in VLAN 10 will not match the first row, but will match the second row, and receive access rights
accordingly. Authenticated clients that use neither of these VLAN tags will fall through to the
third row and get the default set of rights for Authenticated users.
The Access Policies associated with the VLAN-specific Connection Profiles can be configured to modify
the VLAN tagging of these clients, if necessary. By default, the tag associated with the client’s traffic is
removed so the client’s traffic is sent on to the network untagged. This scenario can be useful if you
want to use the client’s VLAN membership only to assign access rights for the client, and once the
Access Policy is in place, the VLAN tag is no longer important. Optionally you can configure the Access
Policy to preserve the tag or you can replace the original tag with a different tag.
Note: In the example above, unknown (unauthenticated) clients will match the “Any” Connection
Profile, and thus will receive their initial logon rights and IP address assignment without regard to their
VLAN. Only after they have been authenticated will the VLAN be taken into account in assigning the
Access Policy.
In reality, when VLANs are used in a network configuration, each VLAN is commonly associated with
a specific IP subnet. The scenario described above does not accomplish that. The next section discusses
how VLANs and IP addressing interact in the 700wl Series system.
VLANs and IP Addressing
Often when VLANs are used in a network environment, each VLAN is associated with a different IP
subnet. The 700wl Series system provides limited support for this.
In the 700wl Series system, IP subnet ranges may be specified on a port-by-port basis. When a client
connects to an Access Controller and requests an IP address (assuming Real IP is allowed by the Access
Policy) the Access Controller sends a DHCP request to an external DHCP server. If a subnet range is
defined for the port in question, the DHCP request specifies an address within that range.
In order to restrict an IP range to members of a specific VLAN, you can associate a Connection Profile
that filters for the desired VLAN with the port that defines the subnet range. To accomplish this, you
would define a Location consisting of the single port in question, create a Connection Profile that
includes only that Location, and configure the Connection Profile to filter for the desired VLAN. The
limitation is that all members of the VLAN must access the 700wl Series system through the single
physical port that has the appropriate subnet range defined. While VLAN tag filtering is defined by the
Connection Profile, IP subnet addressing is defined at the physical port level.
For example, suppose you want to have all clients that are members of VLAN 10 get IP addresses in the
subnet range 192.168.150.x, and clients that are members of VLAN 20 get IP addresses in the
192.168.156.x address range. To accomplish this, you must do the following:
1. Assign the 192.168.150.x subnet range to a port (for example, port 1 of slot 1) on the Access
Controller. Assign the 192.168.156.x range to a different port (for example, port 2 of slot 1).
2. Create two Locations—one defined as Slot 1 Port 1 and the other defined as Slot 1 Port 2.
3. Create a Connection Profile that includes only the Location you just created for Port 1, and set it to
“Match on VLAN tag 10.” Create a second Connection Profile using the Location for Port 2, matching
on VLAN 20. In the example shown in Figure 2-15, these are named “VLAN10clients” and
“VLAN20clients.”
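The following is an added illustration, not code from HP or the 700wl Series firmware: a simplified model of the rights-assignment behaviour described in this section (first matching row wins, unauthenticated clients ignore VLAN rows, the Access Policy strips, preserves or replaces the tag, and the DHCP subnet follows the physical port rather than the VLAN). Profile and policy names, the port notation "slot/port", the tag value 200, and the /24 subnets are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ConnProfile:
    """Connection Profile: matches a client by Location (ports) and VLAN tag."""
    name: str
    ports: "frozenset | None"   # Location as "slot/port" strings; None = any location
    vlan: "int | None"          # VLAN tag filter; None = match any (or no) tag

    def matches(self, port, vlan):
        return (self.ports is None or port in self.ports) and \
               (self.vlan is None or self.vlan == vlan)

# Constructed profiles following the Figure 2-15 example: one single-port Location each.
ANY = ConnProfile("Any", None, None)
VLAN10 = ConnProfile("VLAN10clients", frozenset({"1/1"}), 10)
VLAN20 = ConnProfile("VLAN20clients", frozenset({"1/2"}), 20)

# Constructed Access Policies: name -> what happens to the client's VLAN tag
# ("strip" is the default; "preserve" keeps it; "replace" rewrites it to new_tag).
ACCESS_POLICIES = {
    "VLAN20-rights": ("replace", 200),
    "VLAN10-rights": ("strip", None),
    "Authenticated-default": ("strip", None),
    "Logon-rights": ("strip", None),
}

# Constructed rights table, evaluated top to bottom; the first matching row wins.
# identity None means any client, including unknown (unauthenticated) ones.
RIGHTS_TABLE = [
    ("Authenticated", VLAN20, "VLAN20-rights"),
    ("Authenticated", VLAN10, "VLAN10-rights"),
    ("Authenticated", ANY, "Authenticated-default"),
    (None, ANY, "Logon-rights"),
]

# IP subnet ranges are bound to physical ports, not to VLANs or profiles.
PORT_SUBNETS = {"1/1": "192.168.150.0/24", "1/2": "192.168.156.0/24"}

def assign(port, vlan, authenticated):
    """Return the profile, policy, DHCP subnet and egress tag for one client."""
    for identity, profile, policy in RIGHTS_TABLE:
        if identity == "Authenticated" and not authenticated:
            continue                      # VLAN rows only apply once authenticated
        if profile.matches(port, vlan):
            action, new_tag = ACCESS_POLICIES[policy]
            egress = {"strip": None, "preserve": vlan, "replace": new_tag}[action]
            return {"profile": profile.name, "policy": policy,
                    "subnet": PORT_SUBNETS.get(port), "egress_tag": egress}
    raise LookupError("rights table has no catch-all row")
```

Calling `assign("1/2", 10, True)` shows the limitation the text describes: a VLAN 10 client arriving on port 2 falls through to the default Authenticated row and is still given a 192.168.156.x address, because the subnet is tied to the port, not to the VLAN.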
2-26 HP ProCurve Secure Access 700wl Series Management and Configuration Guide