Re: Mac to VLAN mapping on Cisco switches

Martijn Lievaart <m@xxxxxxxxxxxxxxxx> writes:
We are looking at ways to ease management of VLANs, and secure on basis
of MAC address (yes I know, easily spoofed).

After much googling, it seems that:

- 802.1x has the potential to do what we want, but always needs a
supplicant (agent) on the connecting device. As too many devices we use
(a.o. thin clients) do not have this capability, this is out for now[1].
Am I correct that for MAC based 802.1x vlan assignment, one always needs
an agent on the device?

Most modern OSs have this built into the networking stack.
Ie. Windows7/Mac OSX/Linux all do. I can't tell about your thin clients.


- The other option would be VMPS. Open Source software can get the MAC/
VLAN assignment from a database[2], but can Cisco software do similar? Do
they even have a dedicated VMPS server, or is one stuck with downloading
a file to the master switches?

VMPS was never fully supported by Cisco in the first place. Rumor was
that some large customer wanted a solution (this was long before .1x)
and cisco half-heartedly built something in. The VMPS server ran in
a 6500 switch, there never was general server code outside of switch hardware..

To say it is insecure is an understatement. Sniff, spoof and any VLAN
hopping instantly done.

Since .1x, whatever supported level of VMPS existed vanished, and it
is kept around mainly in the platforms that had it just in a holding pattern.


But, are you over generalizing this as a solution? There haven't been
many locations where I'd even consider .1x. To me, it is a specialized
solution to begin with.

It all sounds neat, just edit radius to assign VLAN, but in reality,
it is even easier to keep track of switch ports and edit which
VLAN a given switch port is in and hard code it there. No security
issues, no having to run extra stuff. I'd say 99.99% of the situations
in which I find myself that this is the standard setup.

keeping track of switch ports is easier than dealing with usernames
and passwords.




.

Relevant Pages

  • DHCP related problem.
    ... scopes to cater to these VLAN"s. ... I have defined Some switch ports in VLAN 2 and rest remains in VLAN 1. ... We have cleared once the whole DHCP scope bu the problem persists. ...
    (microsoft.public.win2000.networking)
  • Re: VLANs for a DORM to isolate rooms from each other?
    ... > However I would not suggest using a VLAN per switch ports, ... > traffic from machine even within the same VLAN. ... Actually, money is a problem. ... spell CISCO without being charged $10 for it:) ...
    (comp.security.firewalls)
  • Re: VLANs for a DORM to isolate rooms from each other?
    ... >>However I would not suggest using a VLAN per switch ports, ... >>switch is also a router therefore you can always setup ACL's to restrict ... >>traffic from machine even within the same VLAN. ... > Actually, money is a problem. ...
    (comp.security.firewalls)
  • Re: assigning MAC address to a VLAN
    ... There are port based VLANs in which you specify the switch ports to associate with a given VLAN. ... Devices connected to those ports will be in a common VLAN. ... There are MAC address based VLAN's where you associate the MAC addresses of hosts with the VLAN. ...
    (comp.dcom.lans.ethernet)
  • Re: assigning MAC address to a VLAN
    ... There are port based VLANs in which you specify the switch ports to ... associate with a given VLAN. ... MAC addresses of hosts with the VLAN. ...
    (comp.dcom.lans.ethernet)