585 Views | 0 Helpful | 1 Replies
bierrrr.CC
Beginner

Dynamic vlans with multiple fallback-vlans?

I've got a problem with dynamic VLANs. I'm trying to figure out the configuration for a topology similar to the one in the picture.

I've got four VLANs for PCs, one VLAN per department. I have to add a fifth VLAN (50) for devices that can be connected to any of the three switches: A, B, C. These devices need to be on their own VLAN, no matter which switch they are connected to. On the other hand, PCs connected to any port on those switches should be assigned to the appropriate VLAN (10, 20, 30 or 40).

I was thinking about using dynamic VLANs with a list of MAC addresses of the devices that need to be on VLAN 50, but I'm not sure what to do with the PCs. I don't think I can use a fallback VLAN, as I can set up only one fallback VLAN for the whole network and not per switch or port.

I cannot use a list of MAC addresses of all PCs, as there are simply too many of them (my network is way bigger than in the picture; I simplified it only to present the idea). I imagine I would need multiple fallback VLANs for different switches.

Has anyone got any idea that could help me please? Maybe there’s some other and easier way?

1 REPLY
Elly Bornstein
Cisco Employee

In new software (for Cisco switches) we provide multiple fallbacks for MAC authentication (MAB):

1. 802.1x
2. web authentication
3. guest VLAN (if no supplicant on the PC)
4. auth-fail VLAN (if RADIUS denies you access)

So you could keep a list of MAC addresses for VLAN 50 and do MAB for these devices; if MAB fails, you can use 802.1x for your PCs.

This will require configuring 802.1x supplicants on all PCs (Windows comes preloaded with one) and maintaining a RADIUS database of users who are able to log into the network. A lot of people use their pre-existing Active Directory database as a backend to store their usernames and passwords for user authentication with dot1x.

Using both dot1x and MAB, you can now distinguish easily between the two different processes and use your RADIUS server to assign VLANs based upon almost anything you can think of.

-Elly
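The reply above describes the method order (MAB first, 802.1x as the fallback, then guest and auth-fail VLANs) in prose. The following IOS access-port configuration is an added example of how that order is expressed on a Cisco Catalyst switch; it is not taken from the original post or from Cisco documentation, and every VLAN number, interface name, RADIUS server address and key below is an assumed placeholder chosen for illustration, not a value from the thread.

```cisco
! Global AAA: authentication and authorization for network access go to RADIUS.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
!
! RADIUS server definition (address and key are assumed placeholders).
radius server RADIUS-1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key REPLACE-WITH-SHARED-SECRET
!
! Enable 802.1x globally on the switch.
dot1x system-auth-control
!
! One access port on switch A (interface name assumed).
interface GigabitEthernet1/0/5
 switchport mode access
 ! Per-port default VLAN: used when RADIUS authorizes the session without
 ! returning a VLAN. This is what gives each switch (or department) its own
 ! "fallback" for PCs instead of one network-wide fallback VLAN.
 switchport access vlan 10
 ! Try MAB first (device MACs for VLAN 50), then 802.1x for PCs with a supplicant.
 authentication order mab dot1x
 ! If an 802.1x supplicant does appear, let dot1x take precedence over MAB.
 authentication priority dot1x mab
 authentication port-control auto
 ! Guest VLAN: no EAPOL response from the host (no supplicant). VLAN assumed.
 authentication event no-response action authorize vlan 998
 ! Auth-fail VLAN: RADIUS rejected the credentials. VLAN assumed.
 authentication event fail action authorize vlan 999
 mab
 dot1x pae authenticator
 ! Shorter EAPOL timers so a host without a supplicant reaches the guest VLAN quickly.
 dot1x timeout tx-period 5
 dot1x max-reauth-req 2
```

On the RADIUS side, the VLAN 50 devices are authorized by their MAC address as the username, and the server returns the standard RFC 3580 attributes Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802 and Tunnel-Private-Group-ID=50; PCs authenticating with 802.1x can be returned their department VLAN the same way, or no VLAN at all so that the port's configured access VLAN applies. The exact sequence the switch follows when MAB is rejected and dot1x then times out or fails varies between IOS releases, so verify it in a lab with `show authentication sessions interface GigabitEthernet1/0/5` before relying on the guest or auth-fail VLAN as a segregation boundary; both of those VLANs should be treated as untrusted and filtered accordingly.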