HP ProCurve xl Modules Installation Guide HP ProCurve Secure Access 700wl Series Management and Configuration Guide HP periodically updates switch software and product manuals, and posts them on the world wide Web. For the latest software release and publications for your HP networking product, visit http://www.hp.com/go/procurve.
(J4850A) The only warranties for HP products and services are set (J4819A) forth in the express warranty statements accompanying (J4849A) such products and services.
Applicable Switch Models ........
Resetting the Module to Factory Defaults ..... . . 30 Operating Notes ..........31 BIOS POST Event Log Messages .
Applicable Switch Models Applicable Switch Models The Access Controller xl Module (J8162A) described in this supplement operates on the HP ProCurve Series 5300xl switches. The 5300xl switch software must be updated to version E.09.21 or later. Applicable Secure Access 700wl Models The Access Control Server 740wl or the Integrated Access Manager 760wl must use software version 22.214.171.124 or later.
The following two manuals provide further informa tion: For information on installing the ACM, refer to the HP ProCurve xl Modules Installation Guide provided with the module. To help you manage and configure the ACM in your network, refer to...
VLAN. This port is identified by the slot ID where the module is installed, combined with ‘UP.’ For example, CUP is the uplink port for an ACM installed in slot C of a 5300xl switch. Uplink Network Any 5300xl port that is a member of the uplink VLAN.
5300xl ports, which are external uplink network ports. VLANs are used to direct traffic to and from the ACM. For an explanation of the module’s features and LEDs, see the HP ProCurve xl Modules Installation Guide.
VLAN that can communicate with the 740wl or 760wl. The ACM establishes communication with the 740wl/760wl, using the IP address and the shared secret from step 2 above. See the HP ProCurve xl Modules Installation Guide for details.
ACM operation. Note 5300xl switch ports that are not used by the Access Controller xl Module (that is, they are not downlink client ports, or members of client VLANs) continue to operate as regular 5300xl ports. Their operation is not affected.
Using 5300xl Features with the Access Controller xl Module Table 1. 5300xl Switch Features Not Supported on an ACM (Continued) Feature Configuring IP Addresses DHCP/DHCP Relay IP Helper Address Flow Control GVRP IGMP Interface Monitoring (Port Mirroring) Interface Provisioning: Speed...
LACP Virus Throttling Web Auth XRRP ‘x’ indicates that the feature is not supported. a. A 5300xl switch trunk group that is configured using the trunk option, can be added to a client VLAN. Explanation Not allowed. Not allowed Mesh ports cannot be a member of a client VLAN.
Using 5300xl Features with the Access Controller xl Module Routing Infrastructure Support The ACM uses IP to communicate with Access Control Server 740wls, Inte grated Access Managers 760wls and Access Controller 720wls. The default gateway must be set up correctly if there is a router in the communications path.
Using 5300xl Features with the Access Controller xl Module The ACM does not support any routing infrastructure attached to a downlink client port. Figure 3 below shows how an ACM can be used to communicate with a lower-level, non-routed network structure through a downlink client port.
VLAN, which by default is the 5300xl DEFAULT_VLAN. All switch ports that belong to the uplink VLAN are uplink network ports. The uplink VLAN may be changed by creating a new VLAN and assigning the uplink port to it as an untagged member.
<slot-id> client-ports vlan <vlan-list> command from the con- figuration context. The VLANs are created with only the downlink port, <slot-id>DP, as a tagged member. Later you can use VLAN commands from the 5300xl CLI to add switch ports to this VLAN as downlink client ports.
Using 5300xl Features with the Access Controller xl Module Static VLAN Features Supported on Client VLANs Client VLANs are special and they don’t support all of the features of a regular 5300xl static VLAN. Table 2 below outlines the feature limitations of client VLANs.
ACM is not a bridge. A client VLAN containing the downlink port, <slot-id>DP, is automat ically created when the ACM is installed in a 5300xl switch. The VID for this VLAN is the vlan-base (default: 2000). You cannot remove a client VLAN if it is the only remaining VLAN with the downlink port as a member.
HPswitch (config)# access-controller <slot-id> where <slot-id> is the slot in the 5300xl where the ACM is installed. HPswitch (access-controller-id)# ip address <<ip-addr>/<1-32> |<ip-addr> <mask>> where <ip-addr>/<1...32> is the selected address in CIDR notation (/mask bit number), for example 10.1.2.3/24. <ip-addr> <mask> provides the selected address and the mask. If necessary, use the following command to set or change the default gateway: HPswitch (access-controller-id)# ip default-gateway <ip-addr>...
(2001, 2002, 2003, ...). If two Access Controller xl Modules are installed in the 5300xl switch, the vlan-base is the VID of the first client VLAN configured by either ACM. The next client VLAN configured on either ACM uses the next available sequential VID.
HP ProCurve Switch 5308xl(config)# access-controller b client-ports a2,a6 HP ProCurve Switch 5308xl(config)# access-controller b HP ProCurve Switch 5308xl(access-controller-B)# show vlans Downlink: VLAN ID 2000 2001 Uplink: VLAN ID HP ProCurve Switch 5308xl(config)# show vlans 2000 Status and Counters - VLAN Information - Ports - VLAN 2000 802.1 Q VLAN ID : 2000...
VLAN can be added. Changing the VLAN-Base When the ACM is installed in the 5300xl switch, a VLAN is created for the internal downlink port (<slot-id>DP). By default, this client VLAN is VLAN ID 2000, the vlan-base. You may change this using the following command.
740wl/760wl, or communications is lost. HPswitch (Config)# vlan 25 untagged <slot-id>up where slot-id is the 5300xl switch slot where the ACM module is installed. This command configures a new uplink VLAN, VID 25, for the ACM module installed in slot n.
Configuring the Access Controller xl Module ACM Configuration Commands Summary and Syntax Command Configuration Context access-controller <slot-id> [no] access-controller <slot-id> client-ports [e] < port-list > [no] access-controller <slot-id> client-ports vlan < vlan-list > access-controller <slot-id> reload access-controller <slot-id> shutdown access-controller vlan-base <2-4094> Access Controller Context access-control-server ip <ip addr>...
VLAN vlan-base VID. For example, by default, the first time this com mand is used to assign a switch port to a client VLAN it becomes an untagged member of VLAN 2000. The next client VLAN configured takes the next available sequential VID, starting from the vlan-base.
Configuring the Access Controller xl Module Syntax: Syntax: Syntax: Syntax: Access Controller Context Command Syntax Syntax: [no] access-controller <slot-id> client-ports vlan < vlan-list > Configures client VLANs with the VIDs given, contain ing only the downlink port, (<slot-id>DP), as a tagged member.
Syntax: enable extended-commands Changes the CLI to the access controller extended com mands context. A limited set of commands from the 720wl CLI is provided here. See “Using the ACM’s Extended CLI” for more information. Syntax: exit Leaves the access controller context and returns the CLI to the global configuration context.
Displaying Access Controller xl Status from the 5300xl CLI Displaying Access Controller xl Status from the 5300xl CLI Show commands are available in both the configuration context and the access controller context of the 5300xl CLI. These commands display ACM status and configuration.
(a - h) Syntax: show access-controller vlans Displays the 802.1Q VID and Name of all configured client VLANs on the 5300xl switch. If two ACMs are installed, their client VLANs are presented in the list. ACM version information for support staff.
Displaying Access Controller xl Status from the 5300xl CLI Syntax: Access Controller Context Command Syntax Syntax: Syntax: show access-controller vlan-base Displays the starting VLAN ID (VID) for client VLANs configured by the access-controller <slot-id> client-ports < port-list > or the access-controller <slot-id> client-ports vlan <...
Access Control Server 740wl or Integrated Access Manager 760wl, using the Administrative Console. The Access Controller Module is managed in the same manner as a 720wl. For more information, see the HP ProCurve Secure Access 700wl Series Management and Configuration Guide, available on the CD shipped with the ACM, or from the ProCurve Networking Web site at http://www.hp.com/go/procurve.
Managing the ACM HPswitch(access-controller-id-ext)# The available commands are listed below. Detailed descriptions are found in Appendix A, “Command Line Interface” in the HP ProCurve Secure Access 700wl Series Management and Configuration Guide. Command [no] ip address <<ip-addr>/<1-32> | <ip-addr> <mask>>...
Command set dhcp <on | off> set dhcpserver <ip-addr> set dns <primary-ip-addr> [<secondary-ip-addr>] set domainname <domain> set forwardipbroadcasts <all | none | on <port> | off <port> | <port>> set gateway <ip-addr> set hostname <host> set ip <ip-addr> [<mask>] | <ip-addr>/<1-32> set logopt addcat <all | error | info | none | session>...
Return the 5300xl chassis to its factory default configuration using the Reset and Clear keys on the front panel. (Refer to “Clear/Reset: Resetting to the Factory Default Configuration” in the Trouble- shooting appendix of the Management and Configuration Guide for your switch.) This also resets the ACM.
Each ACM may have one downlink client port configured to support bridged protocols. HP recommends that a downlink client port be a member of only one client VLAN. Downlink client ports should not be members of any other VLANs, as this would allow access to unauthorized clients. If a...
BIOS POST Event Log Messages Slot <slot-id> Access Control Module Bios POST tests failed, Post bitmap = 0xXXXX The POST error bitmap values are explained below. IDE failure. 0x0001 0x0002 System memory failure. Shadow memory failure. 0x0004 Protected memory failure. 0x0020 CMOS not ready error.
BIOS POST Event Log Messages — This page is intentionally unused. —...
© 2005 Hewlett-Packard Development Company, LP. The information contained herein is subject to change without notice. March 2005 Manual Part Number 5991-2136...