HP ProCurve J8162A, ProCurve 6400cl, ProCurve 5300xl, ProCurve 3400cl, xl Module Supplementary Manual

Access Controller xl Module Supplement to the HP ProCurve 6400cl/5300xl/3400cl Management and Configuration Guide.
This supplement describes the configuration, operation, and monitoring of the ProCurve Access Controller xl Module (J8162A) on the HP ProCurve Series 5300xl switches.
Related HP ProCurve Switch 5300xl Series publications include:
HP ProCurve xl Modules Installation Guide
HP ProCurve Secure Access 700wl Series Management and Configuration Guide
© Copyright 2005 Hewlett-Packard Company, LP. The information contained herein is subject to change without notice.
Publication Number 5991-2136, March 2005
Applicable Products
HP ProCurve Switch 5304xl (J4850A)
HP ProCurve Switch 5308xl (J4819A)
HP ProCurve Switch 5348xl (J4849A)
HP ProCurve Switch 5372xl (J4848A)
HP ProCurve Switch 5304xl-G32 (J8166A)
HP ProCurve Switch 5308xl-G48 (J8167A)
ProCurve Access Controller xl Module (J8162A)
HP ProCurve Access Control Server 740wl (J8154A)
HP ProCurve Integrated Access Manager 760wl (J8155A)
Trademark Credits
Microsoft®, Windows®, and Windows NT® are US registered trademarks of Microsoft Corporation. Adobe® and Acrobat® are trademarks of Adobe Systems Incorporated.
Disclaimer
The information contained in this document is subject to change without notice.
HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this material.
The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
Hewlett-Packard assumes no responsibility for the use or reliability of its software on equipment that is not furnished by Hewlett-Packard.
Warranty
See the Customer Support/Warranty booklet included with the product.
A copy of the specific warranty terms applicable to your Hewlett-Packard products and replacement parts can be obtained from your HP Sales and Service Office or authorized dealer.
Hewlett-Packard Company 8000 Foothills Boulevard, m/s 5551 Roseville, California 95747-5551
http://www.hp.com/go/procurve

Contents
Applicable Switch Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Applicable Secure Access 700wl Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
General Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Related Publications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Access Controller xl Module Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Module Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Using 5300xl Features with the Access Controller xl Module . . . . . . . . . . . 6
Routing Infrastructure Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Using 5300xl Switch Network Address Translation with the ACM . . 11
The Role of VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Client VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Static VLAN Features Supported on Client VLANs . . . . . . . . . . . . 13
General Operating Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Configuring the ACM on the Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Configuring the Access Controller xl Module . . . . . . . . . . . . . . . . . . . . . . . 16
Configuring Downlink Client Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Changing the VLAN-Base . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Configuring Client VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Configuring Uplink Network Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Configuring the Uplink VLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
ACM Configuration Commands Summary and Syntax . . . . . . . . . . . . 20
Configuration Context Command Syntax . . . . . . . . . . . . . . . . . . . . 20
Access Controller Context Command Syntax . . . . . . . . . . . . . . . . 22
Displaying Access Controller xl Status from the 5300xl CLI . . . . . . . . . . . 24
ACM Display Commands Summary and Syntax . . . . . . . . . . . . . . . . . . 24
Configuration Context Command Syntax . . . . . . . . . . . . . . . . . . . . 25
Access Controller Context Command Syntax . . . . . . . . . . . . . . . . 26
Managing the ACM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Using the ACM’s Extended CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Downloading New Software to the Module . . . . . . . . . . . . . . . . . . . . . . 30
Resetting the Module to Factory Defaults . . . . . . . . . . . . . . . . . . . . . . . 30
Operating Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
BIOS POST Event Log Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

Applicable Switch Models
The Access Controller xl Module (J8162A) described in this supplement operates on the HP ProCurve Series 5300xl switches.
The 5300xl switch software must be updated to version E.09.21 or later.

Applicable Secure Access 700wl Models

The Access Control Server 740wl or the Integrated Access Manager 760wl must use software version 4.1.3.93 or later.

Introduction

The ProCurve Access Controller xl Module (ACM) enables secure, mobile user access to appropriate network services on any ProCurve Series 5300xl switch. This modular addition to the 5300xl switch offers a unique approach to integrating identity-based user access control, wireless data privacy and secure roaming with the flexibility of a full-featured intelligent edge switch. Centrally configured and managed access policies provide identity-based access control to wired and wireless users.

General Operation

The Access Controller xl Module (J8162A) uses ports on a 5300xl switch to pass wired and wireless traffic to and from the network using authentication and rights administration policies from an Access Control Server 740wl or an Integrated Access Manager 760wl. Up to two ACMs may be used in a single 5300xl switch. Once the ACM is installed in the switch, connected to the Access Control Server (740wl or 760wl), and configured for operation, it is managed from the Administrative Console of the Secure Access 740wl or 760wl products.

Related Publications

This supplement introduces Access Controller xl Module operation, configuration, and monitoring. The following two manuals provide further information:
  For information on installing the ACM, refer to the HP ProCurve xl Modules Installation Guide provided with the module.
  To help you manage and configure the ACM in your network, refer to the HP ProCurve Secure Access 700wl Series Management and Configuration Guide, which is available from either of the following sources:
    The Documentation CD-ROM shipped with your module
    The ProCurve Networking Web site at http://www.hp.com/go/procurve (click on Technical support, then Product manuals (all)).

Terminology

Term: Use in this Manual

Access Control Server: A centralized resource on the network that provides services, such as authentication management, mobility management (roaming support), policy management, and system monitoring and reporting, to the connected Access Controllers. The Access Control Server is deployed as a dedicated control function and does not sit in the user data path. The Secure Access 700wl Series has two products that provide this capability: the ProCurve Access Control Server 740wl and the Integrated Access Manager 760wl.

Client: A device looking to access the network.

Client VLAN: A special VLAN created to handle downlink client port traffic for the ACM. Includes the downlink client ports (with untagged VLAN membership) and the downlink port (<slot-id>DP) (with tagged VLAN membership).

Downlink Client Ports: Series 5300xl switch ports assigned as an untagged member of a client VLAN to supply client connectivity.

Downlink Port: The internal port that carries client traffic to and from the ACM. This port is identified by the slot ID where the module is installed, combined with 'DP'. For example, CDP is the downlink port for an ACM installed in slot C of a 5300xl switch.

Integrated Access Manager 760wl: Combines the functionality of the ProCurve Access Controller 720wl and the ProCurve Access Control Server 740wl in a single device.

Uplink Port: The internal port that carries ACM traffic to and from the network. Must be an untagged member of a non-client VLAN. This port is identified by the slot ID where the module is installed, combined with 'UP'. For example, CUP is the uplink port for an ACM installed in slot C of a 5300xl switch.

Uplink Network Ports: Any 5300xl port that is a member of the uplink VLAN.

Uplink VLAN: The VLAN containing the uplink port as an untagged member. By default, this is the DEFAULT_VLAN on the 5300xl switch.

Access Controller xl Module Overview
The Access Controller xl Module adds new wireless security and access control capabilities to the 5300xl switch. The module supplies identity-based user access control to specific network services, wireless data privacy with VPN services, and application persistence across subnet boundaries at the edge of the network, where users connect. Centrally managed from the ProCurve Secure Access Control Server 740wl or Integrated Access Manager 760wl, the Access Controller xl Module provides hassle-free access while maintaining a high level of security.

Module Operation

Figure 1 below presents the module’s key components. Each component is then discussed.
Figure 1. The Access Controller xl Module Conceptual View
The Access Controller xl Module has no external ports, as shown in Figure 1. The module uses ports on the 5300xl switch through two internal ports, the uplink port and the downlink port. Clients, typically connecting through an access point, connect to 5300xl ports defined as downlink client ports. The internal uplink port passes network traffic through other 5300xl ports, which are external uplink network ports. VLANs are used to direct traffic to and from the ACM.
For an explanation of the module's features and LEDs, see the HP ProCurve xl Modules Installation Guide.
Note: Uplink and downlink port names depend on the switch slot where the module is installed. When the module is in switch slot A, 'N' is 'A' in Figure 1. The uplink port for the module is AUP; the downlink port is ADP.
The following steps are required to add an ACM to your network:
1. Install an Access Control Server 740wl or Integrated Access Manager 760wl in the network, or identify an existing 740wl or 760wl to be used with the ACM.
2. Having identified the Access Control Server 740wl or Integrated Access Manager 760wl to be used with the ACM, note its IP address. To operate, the ACM must establish secure communications with the Access Control Server or Integrated Access Manager. The shared secret configured on the 740wl/760wl is also needed. If you are already using a 760wl, you may not have configured a shared secret. See "Editing the Access Control Server Configuration" in the HP ProCurve Secure Access 700wl Series Management and Configuration Guide, available on the Documentation CD-ROM shipped with your module or from the ProCurve Networking Web site at http://www.hp.com/go/procurve (click on Technical support, then Product manuals (all)).
3. Install the ACM in a slot on the 5300xl switch. Once the Module Ready LED is on, the ACM requires an IP address. By default, the ACM uses DHCP; the IP address can also be set manually. The uplink port must be an untagged member of a VLAN that can communicate with the 740wl or 760wl. The ACM establishes communication with the 740wl/760wl using the IP address and the shared secret from step 2 above. See the HP ProCurve xl Modules Installation Guide for details.
4. Configure downlink client ports, client VLANs, uplink network ports, and the uplink VLAN on the 5300xl switch. Configure access and user/group policy rights on the 740wl/760wl to support and manage clients and client traffic through the ACM.
5. Manage and monitor the ACM using the Administrative Console on a 740wl or 760wl.
There are specific installation and operational requirements for this device as a module in a Series 5300xl switch. The following sections describe how the module operates and how it is configured for use.

Using 5300xl Features with the Access Controller xl Module
As the ACM uses special ports and VLANs to provide access security to wireless devices, not all of the features of the 5300xl switch are applicable. For example, features that provide an alternative means of authentication are not supported on ACM downlink client ports.
Some 5300xl configurations are not allowed by the Command Line Interface (CLI). When a CLI command fails, a message is displayed explaining why. Warning messages are issued when an operation could potentially cause problems managing traffic through the ACM. For example, if a downlink client port is also assigned to a non-client VLAN, traffic could enter the network without first being authenticated and assigned specific access rights by the ACM. In this case, a warning message is issued stating that the port is a member of a client VLAN. In some cases, log messages are also created when an operation is done, noting the potential conflict with ACM operation.
Note: 5300xl switch ports that are not used by the Access Controller xl Module (that is, they are not downlink client ports or members of client VLANs) continue to operate as regular 5300xl ports. Their operation is not affected.
The table below presents the 5300xl switch features that are not supported for use with an ACM module.
Table 1. 5300xl Switch Features Not Supported on an ACM

In the original table an 'x' marks each of the four columns (Uplink Port, Downlink Client Ports, Downlink Port, Client VLANs) on which the feature is not supported. Each row is given here as Feature: explanation, naming the affected ports or VLANs where the explanation makes them clear.

802.1X: Not allowed on the uplink port, downlink client ports, or downlink port.
ACL: Set to off for these ports.
CDP: Has no effect if assigned. A warning is issued.
Configuring IP Addresses: Not allowed on client VLANs.
DHCP/DHCP Relay: Not allowed on client VLANs.
IP Helper Address: Not allowed on client VLANs.
Flow Control: Not supported across an ACM.
GVRP: Not supported on the uplink port, downlink client ports, downlink port, or client VLANs. 1. GVRP cannot be enabled on an uplink, downlink, or downlink client port. 2. A port in a GVRP VLAN cannot be added to a client VLAN. 3. If GVRP is enabled on a port when it is added to a client VLAN, it is disabled.
IGMP: IGMP cannot be enabled on client VLANs. As a result, it cannot be enabled on downlink client ports.
Interface Monitoring (Port Mirroring): The uplink port, downlink client ports, and downlink port cannot be used as a monitoring port.
Interface Provisioning (uplink port and downlink port): Speed is fixed at 1000 Mbps. Duplex is fixed at Full-Duplex. Flow-Control is not allowed. Auto-MDIX mode is not allowed.
IP Routing: No routing is done.
Multicast Routing: Not supported across an ACM.
IP Stacking: Not allowed.
IRDP: Not allowed.
Link Test: Test packets are not supported across an ACM.
LLDP: Set to off.
MAC Auth: Not allowed on the uplink port, downlink client ports, or downlink port.
Meshing: Not allowed on the uplink port, downlink client ports, or downlink port. Mesh ports cannot be a member of a client VLAN.
MSTP (802.1s): An MSTP region may not span across an ACM.
OSPF: Not allowed on client VLANs.
PIM: Not allowed on client VLANs.
RIP: Not allowed on client VLANs.
Static VLANs: See Table 2 below.
Trunking (LACP, FEC) (a): Not allowed on the uplink port, downlink client ports, downlink port, or client VLANs.
Virus Throttling: Not supported on the uplink port, downlink client ports, or downlink port.
Web Auth: Not allowed on the uplink port, downlink client ports, or downlink port.
XRRP: Not allowed on client VLANs.

a. A 5300xl switch trunk group that is configured using the trunk option can be added to a client VLAN.
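The port and VLAN rules in the steps under "Module Operation" and in Table 1 above are easy to get wrong in a large switch configuration, and the CLI only warns at the moment a conflicting command is entered. The following Python checker is an added example, not HP ProCurve code: it models a planned 5300xl port/VLAN layout with assumed Port and Vlan records (the labels "lacp", "fec" and "trunk" for trunk types, and the sample ports, VLANs and findings text, are all constructed for illustration) and reports where the plan breaks the rules stated on this page. Port names follow the page's <slot>UP and <slot>DP convention, and the bypass case the text warns about (a downlink client port that is also a member of a non-client VLAN) is reported as a warning rather than an error, mirroring the switch's own behaviour.

```python
"""Lint a planned 5300xl port/VLAN layout against the ACM operating rules.

Added example, not HP ProCurve code. The Port/Vlan data model and the sample
layouts below are constructed for illustration; the rules checked are the ones
stated in this supplement (port names follow its <slot>UP / <slot>DP form).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Port:
    name: str
    untagged_vlan: Optional[int] = None
    tagged_vlans: Set[int] = field(default_factory=set)
    auth: Set[str] = field(default_factory=set)   # e.g. {"802.1X", "MAC Auth", "Web Auth"}
    gvrp: bool = False
    trunk_type: Optional[str] = None               # assumed labels: "lacp", "fec", "trunk" or None


@dataclass
class Vlan:
    vid: int
    client: bool = False   # True for a client VLAN created for ACM downlink traffic


def check_acm_layout(slot: str, ports: Dict[str, Port], vlans: Dict[int, Vlan]) -> List[str]:
    """Return ERROR/WARNING findings; an empty list means the layout follows the rules."""
    findings: List[str] = []
    up, dp = f"{slot}UP", f"{slot}DP"
    client_vids = {v.vid for v in vlans.values() if v.client}

    # Uplink port: must be an untagged member of a non-client VLAN (the uplink VLAN).
    uplink = ports.get(up)
    if uplink is None or uplink.untagged_vlan is None or uplink.untagged_vlan in client_vids:
        findings.append(f"ERROR {up}: uplink port must be an untagged member of a non-client VLAN")

    # Downlink port: must be a tagged member of every client VLAN.
    downlink = ports.get(dp)
    for vid in sorted(client_vids):
        if downlink is None or vid not in downlink.tagged_vlans:
            findings.append(f"ERROR {dp}: downlink port must be a tagged member of client VLAN {vid}")

    acm_ports = {up, dp}
    for name, p in sorted(ports.items()):
        if name in (up, dp):
            continue
        if p.untagged_vlan in client_vids:          # untagged in a client VLAN: a downlink client port
            acm_ports.add(name)
            leak = sorted(p.tagged_vlans - client_vids)
            if leak:   # the case the text warns about: client traffic could bypass the ACM
                findings.append(f"WARNING {name}: downlink client port is also in non-client VLAN(s) {leak}")
        if p.trunk_type in ("lacp", "fec"):          # only 'trunk'-option trunk groups may join a client VLAN
            hit = sorted(({p.untagged_vlan} | p.tagged_vlans) & client_vids)
            if hit:
                findings.append(f"ERROR {name}: {p.trunk_type.upper()} trunk cannot be a member of client VLAN(s) {hit}")

    # Features not allowed on the uplink port, downlink port and downlink client ports.
    for name in sorted(acm_ports):
        p = ports.get(name)
        if p is None:
            continue
        for a in sorted(p.auth):
            findings.append(f"ERROR {name}: {a} is not allowed on an ACM port")
        if p.gvrp:
            findings.append(f"ERROR {name}: GVRP must be off on uplink, downlink and downlink client ports")
    return findings


# Constructed sample: ACM in slot C, client VLANs 100 and 101, uplink VLAN 1 (DEFAULT_VLAN).
SAMPLE_VLANS = {1: Vlan(1), 100: Vlan(100, client=True), 101: Vlan(101, client=True)}
BAD_PORTS = {
    "CUP": Port("CUP", untagged_vlan=1),
    "CDP": Port("CDP", tagged_vlans={100}),                     # forgot to tag client VLAN 101
    "A1": Port("A1", untagged_vlan=100),
    "A2": Port("A2", untagged_vlan=101, tagged_vlans={1}),      # also in the uplink VLAN: bypass risk
    "A3": Port("A3", untagged_vlan=100, auth={"802.1X"}),       # alternative authentication on a client port
    "A4": Port("A4", untagged_vlan=100, gvrp=True),
    "Trk1": Port("Trk1", untagged_vlan=100, trunk_type="lacp"),
    "B1": Port("B1", untagged_vlan=1, auth={"802.1X"}),         # not an ACM port: unaffected
}
FIXED_PORTS = {                                                 # the same plan with every finding corrected
    "CUP": Port("CUP", untagged_vlan=1),
    "CDP": Port("CDP", tagged_vlans={100, 101}),
    "A1": Port("A1", untagged_vlan=100),
    "A2": Port("A2", untagged_vlan=101),
    "A3": Port("A3", untagged_vlan=100),
    "A4": Port("A4", untagged_vlan=100),
    "Trk1": Port("Trk1", untagged_vlan=100, trunk_type="trunk"),
    "B1": Port("B1", untagged_vlan=1, auth={"802.1X"}),
}

if __name__ == "__main__":
    for line in check_acm_layout("C", BAD_PORTS, SAMPLE_VLANS):
        print(line)
```

Running the checker on BAD_PORTS reports the untagged client VLAN on CDP, the A2 bypass warning, the LACP trunk in a client VLAN, and the 802.1X and GVRP settings on downlink client ports, while leaving B1 alone because it is not an ACM port; FIXED_PORTS produces no findings.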