Using the 700wl Series System
How the 700wl Series system handles roamed sessions depends on the protocol used by the client to
connect to the 700wl Series system, and whether the client’s IP address has been mapped using NAT or
not.
When a NAT’ed client roams between Access Controllers (rather than simply between ports on a
single Access Controller) the Access Control Server can move the entire connection state from the
original Access Controller to the “roamed-to” Access Controller. In general, sessions that are
currently running are tunneled back to the original Access Controller, but new sessions are
established through the new connection point.
If the client is using a “real” IP address (either via DHCP or a static IP address), then all connections
are tunneled back to the original Access Controller.
If the client is connected using PPTP or L2TP, the PPTP/L2TP session as a whole is tunneled back to
the original Access Controller.
Network Address Translation and Roaming
Based on the default Access Policy configuration, an Access Controller provides Network Address
Translation (NAT) services for clients that request a DHCP IP address when they initiate a connection
to the Access Controller. The 700wl Series system implements NAT as a form of “overloading,” where a
range of private IP addresses are mapped to a single public IP address (the IP address of the Access
Controller) by using TCP ports. When a client sends a packet through the Access Controller, the Access
Controller rewrites the IP address field and the port number field to a value that is unique within the
entire 700wl Series system and that can be used to identify any return packets.
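As an added illustration (not the 700wl Series product code), the following Python simulation models the two behaviours described above: the Access Control Server keeps one NAT table so that each rewritten port is unique across the whole system and identifies the return packet's client, and when a NAT'ed client roams to another Access Controller its running sessions stay with (are tunneled back to) the original controller while new sessions leave through the roamed-to one. The controller addresses, client addresses and port range are assumed sample values.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed simulation of the 700wl NAT "overloading" and roaming behaviour
# described in the text; it is not the product's code. AC addresses, client
# addresses and the port range are assumed sample values.

@dataclass
class Session:
    client_ip: str      # client's private (NAT'ed) address
    client_port: int    # client's original source port
    home_ac: str        # IP of the Access Controller the session started on
    unique_port: int    # port rewritten into the packet, unique system-wide

@dataclass
class AccessControlServer:
    """Owns one NAT table for the whole system, so a translated port never
    collides even when two clients behind different ACs pick the same port."""
    next_port: int = 40000
    by_port: Dict[int, Session] = field(default_factory=dict)
    by_client: Dict[Tuple[str, int], Session] = field(default_factory=dict)
    location: Dict[str, str] = field(default_factory=dict)   # client -> current AC

    def connect(self, client_ip: str, ac_ip: str) -> None:
        self.location[client_ip] = ac_ip

    def roam(self, client_ip: str, new_ac_ip: str) -> None:
        """Client moved to another AC: only its current location changes;
        existing sessions keep their home AC and are tunneled back to it."""
        self.location[client_ip] = new_ac_ip

    def outbound(self, client_ip: str, client_port: int) -> Tuple[str, int]:
        """Translate a client packet. Returns the (public IP, port) it leaves
        with; the public IP is that of the AC which owns the session."""
        key = (client_ip, client_port)
        if key in self.by_client:                 # running session: tunnel back
            s = self.by_client[key]
            return s.home_ac, s.unique_port
        s = Session(client_ip, client_port, self.location[client_ip], self.next_port)
        self.next_port += 1                       # never reuse a live mapping
        self.by_port[s.unique_port] = self.by_client[key] = s
        return s.home_ac, s.unique_port

    def inbound(self, unique_port: int) -> Optional[Tuple[str, int, str]]:
        """Identify the client for a return packet by its unique port; a port
        with no mapping yields None so the packet is dropped, not guessed."""
        s = self.by_port.get(unique_port)
        return None if s is None else (s.client_ip, s.client_port, s.home_ac)
```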
VLANs and the 700wl Series System
The following discussion assumes that you have read Chapter 4, Configuring Rights, and are familiar
with Connection Profiles, Access Policies, and how rights are assigned to a client in the 700wl Series
system.
The HP System provides support for Virtual LAN (VLAN) tagging in several ways:
• A client can be matched to a Connection Profile based on the VLAN ID (802.1Q tag) associated with
the client traffic.
• The VLAN tag associated with client traffic can be preserved, stripped, or rewritten before the
traffic is forwarded onto the network, based on the Access Policy in force for the client.
Matching a client to a Connection Profile based on VLAN tag effectively enables you to assign an
Access Policy to clients in a specific VLAN. Clients connected to the 700wl Series system always match
a Connection Profile—by default this is the “Any” Connection Profile, which is defined as all Access
Controller ports, 24 hours a day, seven days a week, with any VLAN tag. Optionally you can create a
Connection Profile that clients will match only if their traffic matches a specific VLAN tag or is
untagged. For example, Figure 2-13 shows the configuration of a Connection Profile to match traffic
tagged as VLAN 10.
2-24 HP ProCurve Secure Access 700wl Series Management and Configuration Guide