07-07-2005 08:00 AM - edited 03-09-2019 11:46 AM
Currently testing/piloting 802.1x on Catalyst 4506 and 2950 switches.
When setting a port for 802.1x and only to authenticate Single-Host, I notice that guest virtual machines (vmWare) running on a host machine are still able to pass traffic when the guest virtual machine is configured as a NAT-machine.
If the guest virtual machine is configured as a BRIDGED machine, which is usually default and the most common way people use virtual machines to participate on the network, then traffic is not passed. Only the host machine can pass traffic, which is the desired behavior.
But this still does not remedy the situation in which someone has configured a virtual machine in NAT-mode, basically sharing the IP address of the host machine, "sitting behind the host machine". Like a router, or Internet Connection Sharing (I wonder if the same behavior would occur?).
Another thought, though...802.1x is working on layer 2 so why is this even an issue? The virtual machines do indeed have their own MAC addresses, so why is 802.1x failing and still allowing traffic to be passed on a port configured only for Single-Host?
Doesn't this pose a security risk for those trying to use 802.1x for network access management?
07-07-2005 09:52 AM
By default, 802.1x is enforced on a port via the MAC address that got authenticated. In other words, if another MAC shows up on a port, it won't work. If another MAC doesn't show up on the port, it works.
Does this help?
07-07-2005 10:18 AM
Okay, so why in the situation where I have a vmWare virtual machine (guest) running on my physical (host) machine and configured where the virtual machine (guest) is being NATed through my physical (host) machine, is the virtual machine still able to pass traffic through the authenticated port?
The virtual machine has its own "virtual" MAC address, so the port should see this and not allow traffic from this machine to pass, correct?
Or is it different since the traffic is being routed via NAT?
07-07-2005 12:52 PM
Without 802.1x, how many MAC Addresses appear on the wire to the switch port?
07-08-2005 09:18 AM
Without 802.1x only one MAC address appears when the virtual machine is in NAT mode.
When the virtual machine is configured in BRIDGED mode, 2 MAC addresses appear on the port.
So in general, does this mean when a NAT device is connected to a layer 2 switch port, only 1 MAC address, the address of the NAT device, appears in the MAC table?
Even if there are multiple machines/devices behind the NAT device?
07-08-2005 10:47 AM
sho mac-address-table interface
sho cam dyn/stat
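The behaviour described in the thread (single-host 802.1x enforcing on the authenticated MAC, a bridged guest showing up as a second MAC and being blocked, a NAT guest hiding behind the host's MAC and passing) can be modelled as a small simulation. This is an added example written for this page, not code from the original thread or from Cisco; the MAC and IP addresses, the frame model and the SingleHostPort class are all constructed for illustration and do not reflect any real switch implementation. It also generalises the last question in the thread: any number of machines behind a NAT device still produce a single source MAC on the wire.

```python
"""Simulation of what an 802.1x single-host port sees from a host, a bridged
guest and a NAT guest. Added example; all addresses and logic are constructed."""
from dataclasses import dataclass

HOST_MAC = "00:0c:29:aa:bb:01"   # constructed: physical NIC that authenticates via 802.1x
GUEST_MAC = "00:0c:29:cc:dd:02"  # constructed: virtual NIC of the guest VM
HOST_IP = "10.0.0.20"            # constructed
GUEST_IP = "10.0.0.50"           # constructed: only meaningful in bridged mode


@dataclass(frozen=True)
class Frame:
    """Minimal Ethernet/IP frame: only the fields the port cares about."""
    src_mac: str
    src_ip: str
    payload: str


def emit_bridged(guest_mac: str, guest_ip: str, payload: str) -> Frame:
    """Bridged vNIC: the guest's own MAC leaves the physical NIC unchanged."""
    return Frame(guest_mac, guest_ip, payload)


def emit_nat(host_mac: str, host_ip: str, payload: str) -> Frame:
    """NAT vNIC: the host rewrites the source IP and sends the frame from its own
    stack, so the source MAC on the wire is the host's, not the guest's."""
    return Frame(host_mac, host_ip, payload)


class SingleHostPort:
    """Hypothetical 802.1x single-host enforcement: once a MAC authenticates,
    only frames sourced from that MAC are forwarded; others are violations."""

    def __init__(self) -> None:
        self.authenticated_mac: str | None = None
        self.violations: list[str] = []

    def authenticate(self, mac: str) -> None:
        self.authenticated_mac = mac

    def forward(self, frame: Frame) -> bool:
        if self.authenticated_mac is None:
            return False                      # unauthenticated port: nothing passes
        if frame.src_mac == self.authenticated_mac:
            return True                       # matches the authenticated MAC
        self.violations.append(frame.src_mac)  # second MAC on the port: blocked
        return False


def macs_on_wire(frames: list[Frame]) -> int:
    """Number of distinct source MACs a switch would learn from these frames."""
    return len({f.src_mac for f in frames})


def run_scenario() -> dict:
    """Host authenticates; then a bridged guest and a NAT guest both try to talk."""
    port = SingleHostPort()
    port.authenticate(HOST_MAC)
    bridged = emit_bridged(GUEST_MAC, GUEST_IP, "guest traffic")
    nat = emit_nat(HOST_MAC, HOST_IP, "guest traffic")
    # Several guests behind NAT: every frame still carries the host MAC.
    many_nat = [emit_nat(HOST_MAC, HOST_IP, f"guest {i}") for i in range(5)]
    return {
        "bridged_passes": port.forward(bridged),
        "nat_passes": port.forward(nat),
        "violations": list(port.violations),
        "macs_seen_bridged": macs_on_wire([Frame(HOST_MAC, HOST_IP, "host"), bridged]),
        "macs_seen_nat": macs_on_wire([Frame(HOST_MAC, HOST_IP, "host")] + many_nat),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The point the simulation makes is that the port never sees the NAT guest's MAC at all, so a MAC-based single-host check has nothing to reject; the host's own authenticated identity is what the guest rides on. Checking `show mac-address-table interface` on a real port during the pilot, as suggested above, gives the same one-versus-two answer for the NAT and bridged cases.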