Configuring MAB with Dynamic VLANs

rhydlewis1
Level 1

Hi

New to the forum.

Working on project to set up MAB as authentication method used for allocation of dynamic vlans.

Some basics questions after some reading around:

Do I need Cisco ACS to implement this or can I use stand alone RADIUS server?

As I understand it only certain RADIUS servers offer local database authentication. Anyone recommend which RADIUS server to use for this?

How will dynamic vlan allocation handle hub with multiple users connected to managed port? I understand that the first MAC seen will dictate which VLAN is assigned to the port but what are the issues when the following situation could arise:

Node with MAC address in different VLAN to others on the hub gets patched in. I'm in a production environment where there will be unmanaged switches used off a managed switch. Nothing to stop users patching in nodes with potentially different VLAN associations.

What are the issues to be aware of?

Any help / guidance would be much appreciated.

Thanks


3 Replies

Tiago Marques
Level 1

I recommend Cisco ISE for this case.

In your environment (an environment where there will be unmanaged switches used off a managed switch):

The switches don't have proper management but have VLANs, correct? How do you interconnect these switches?

Hi Tiago

Thanks for your response.

We have a combination of 2960 (access layer) and 3850 (collapsed core) all connected via a 1 / 10 G combined backbone. We will be running HSRP and I've a good handle on most of the config, but I've not used MAB for dynamic VLAN assignment; in fact I've not implemented dynamic VLANs using any method (802.1x etc.).

On the factory floor there are a number of unmanaged switches that will drop off the access layer switches. I'm concerned that there will be issues using MAB for VLAN authentication with this set up due to the unmanaged switches servicing multiple hosts. These hosts could potentially be a mixture of different vlans (all dropping off the 1 unmanaged switch).

I've heard a little about ISE but not really familiar with it. Can you advise?

Thanks

Rhydian

In my case I had a 3850 switch (core) and several 3560/2960 as access switches.
The VLANs were all created on the 3850, which was configured as VTP server.

The access switches had VLAN management enabled and were in VTP client mode towards the 3850...
The VLANs were filtered on the uplinks.
The switches have a RADIUS key configured in common with ISE.

In ISE I have groups of devices, "PC1 group = access vlan 10", "PRT group = access vlan 20"... where the MAC address of each device was registered.

Then in the rules, I had several policies created... and the logic was:

if Device is registered in the PC group, and packets come from the switches A, B, C, then allow access to the network 10.

Thanks
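To make the policy logic in this reply and the hub concern from the original question concrete, here is an added example (not code from the thread, nor from Cisco ISE or any RADIUS server) that models a MAB authorization decision in Python. The endpoint groups, switch names, ports and VLAN numbers are constructed sample data; the returned attribute names and values are the standard RFC 3580 VLAN assignment attributes (Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, Tunnel-Private-Group-ID=<vlan id>). One assumption to note: on a real switch it is the port's host mode that decides what happens to a second MAC that is authorized into a different VLAN; the example puts that check in the policy engine purely to show the conflict a hub behind a managed port creates.

```python
# Added example: minimal model of a RADIUS/ISE-style MAB authorization
# policy with dynamic VLAN assignment. Not the thread's or any vendor's code.
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed endpoint database: MAC -> group ("PC group", "PRT group").
ENDPOINT_GROUPS = {
    "00:11:22:33:44:55": "PC",
    "00:11:22:33:44:66": "PC",
    "aa:bb:cc:dd:ee:01": "PRT",
}

# Constructed policy rules: group -> (switches allowed to ask, data VLAN).
POLICY = {
    "PC":  {"switches": {"SW-A", "SW-B", "SW-C"}, "vlan": 10},
    "PRT": {"switches": {"SW-A", "SW-B", "SW-C"}, "vlan": 20},
}

# RFC 3580 attribute values used for VLAN assignment.
TUNNEL_TYPE_VLAN = "VLAN"            # Tunnel-Type (64) value 13
TUNNEL_MEDIUM_802 = "IEEE-802"       # Tunnel-Medium-Type (65) value 6


def normalize_mac(raw: str) -> Optional[str]:
    """Canonicalize a MAC as a switch may send it in User-Name for MAB
    (12 hex digits with no separators, or '-', ':' or '.' separated).
    Returns lowercase aa:bb:cc:dd:ee:ff, or None if it is not a MAC."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", raw)
    # Reject anything with characters other than hex digits and separators.
    if len(hexdigits) != 12 or re.sub(r"[0-9a-fA-F.:\-]", "", raw):
        return None
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2)).lower()


@dataclass
class PortState:
    """Per-port view kept by the modeled policy server (assumption: a real
    switch tracks this itself according to its host mode)."""
    vlan: Optional[int] = None
    macs: set = field(default_factory=set)


@dataclass
class MabServer:
    ports: dict = field(default_factory=dict)

    def authorize(self, username: str, nas_id: str, port_id: str):
        """Decide one MAB request. Returns (True, attributes) on accept or
        (False, reason) on reject."""
        mac = normalize_mac(username)
        if mac is None:
            return False, "malformed MAC in User-Name"
        group = ENDPOINT_GROUPS.get(mac)
        if group is None:
            return False, "unknown MAC (not registered in any group)"
        rule = POLICY[group]
        # "...and packets come from the switches A, B, C..."
        if nas_id not in rule["switches"]:
            return False, f"{group} devices are not permitted from {nas_id}"
        port = self.ports.setdefault((nas_id, port_id), PortState())
        # Hub / unmanaged-switch case: the first MAC fixed the port's data
        # VLAN. A later MAC that needs a different VLAN cannot share the port.
        if port.vlan is not None and port.vlan != rule["vlan"]:
            return False, (f"port already in VLAN {port.vlan}; "
                           f"{mac} ({group}) needs VLAN {rule['vlan']}")
        port.vlan = rule["vlan"]
        port.macs.add(mac)
        return True, {
            "Tunnel-Type": TUNNEL_TYPE_VLAN,
            "Tunnel-Medium-Type": TUNNEL_MEDIUM_802,
            "Tunnel-Private-Group-ID": str(rule["vlan"]),
        }


if __name__ == "__main__":
    srv = MabServer()
    # Two PCs and one printer all patched into a hub on SW-A Gi1/0/5.
    for user in ("001122334455", "00-11-22-33-44-66", "aabb.ccdd.ee01"):
        print(user, srv.authorize(user, "SW-A", "Gi1/0/5"))
```

The third request in the usage block is the situation the question asks about: the printer is a valid, registered device, but because the first PC already placed the port in VLAN 10 it cannot be authorized into VLAN 20 on the same port, so a mixed-VLAN hub behind one managed port will always leave some hosts without access. Keeping devices that need different VLANs on different managed ports is the only clean answer.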