Dynamic VLAN assignment

mastek_india
Level 1

Hello There, 

We are using Cisco 6500 Series Switches as the Core L3 switch in our network. We have different VLANs created for different customer-based projects.
Currently we are assigning the VLAN manually on the switchport. So whenever a new user joins a particular project or an existing user shifts his location, we have to manually assign the VLAN accordingly.
Our management wants to automate this process. I have some knowledge about Dynamic VLAN assignment using Cisco ISE.
But before I can propose my solution, I need a few details from all of you guys.

1. Is dynamic VLAN assignment widely used in the IT industry?

2. Should VLAN assignment be based on UserID or MAC ID? I prefer user-based assignment, but our infosec team disagrees and they want MAC-based authentication. Which type is mostly used in the current industry?

Looking for your replies. 

Thanks

Amod 

6 Replies

Seb Rupik
VIP Alumni

Hi Amod,

On our campus network, using 802.1x on the wired network has always been kept at arm's reach by the operations team. I've configured and had success in deploying it to CS department labs, where the users are more understanding of the technology and know what a supplicant is!

Regarding the second point, I'd be concerned by your infosec team suggesting authentication (ISE MAB) based on an identifier that can be easily spoofed!! UserID should be your preferred identifier.

cheers,

Seb.

Thanks Seb for the reply. 

It is common to use dot1x and ISE or ACS for VLAN assignment in mobile networks such as wireless, but it has its own drawbacks. It will cause more problems if it is implemented for everyone.

First, you will get involved with a lot of troubleshooting in the access network. Each user needs to use a username and password for network authentication, resulting in issues for the network administrator. Authentication can be mixed with Active Directory, but it is still a lot of work.

Second, you need to span all VLANs to all switches, because a user can access the network from anywhere. It leads to security concerns and also more L2 traffic over the trunk; however, without VLAN assignment, each switch is limited to a certain number of VLANs, so traffic of other VLANs is not allowed on the trunk.

I suggest you limit VLAN assignment to only some groups of users, such as managers, and only in limited areas.

Hope it helps,

Masoud

Peter Paluch
Cisco Employee

Hi Amod,

In addition to Seb Rupik's very nice answers, these are my thoughts:

Dynamic VLAN assignment is a nice idea but it does not seem to be widely deployed nowadays. These are the reasons I consider it to be problematic:

  • It requires you to create the same set of VLANs on all switches where a prospective user might move to, which defeats the whole idea of local VLANs. Just to explain the terminology, local VLANs refers to the style of using VLANs where VLANs are created only on those access layer switches where corresponding clients are connected, and these VLANs are bounded by the access layer switches on the "bottom" of the network topology and by distribution layer switches at the "middle" of the network topology, and they never, ever, cross the distribution layer switches to the core at the "top" or to distribution layer switches in other buildings.
  • I recall issues with 802.1X implementations where client machines obtain their IP address during bootup before the user has logged in yet, and after he/she logs in and the port moves to a different VLAN, the operating system forgets to release the existing IP address and request a new one.
  • By the nature of clients coming, moving and leaving, the active topology of dynamically assigned VLANs is in constant flux and keeps changing as clients come and go. This may make troubleshooting cumbersome and complicated if any VLAN, or the traffic in it, starts misbehaving.

Regarding the choice of User ID vs. MAC ID, I personally consider the User ID to be much more preferable, as the MAC address can be spoofed easily. Alternatively, you could consider using certificate-based authentication. I would assume - though I have never deployed it myself - that the computer operating system can be configured to present the same certificate when logging into the network, regardless of the user working on that PC. These certificates would effectively be issued to PCs, not to users. They would thus replace the MAC address-based authentication without the risk of spoofing it so easily.

Best regards,
Peter

Jamie Reid
Level 1

Hi Amod,

We currently have deployed dynamic VLAN assignment (using FreeRADIUS, but we are currently in the early days of investigating ISE, where we are having some success) across 90 sites (~25k users) using local VLANs per site. Instead of sending the VLAN ID back, we send the VLAN name, i.e. instead of sending 1701, we send "Staff" or "Student". This enables each site to have local VLANs, but also for the 802.1x solution to be as generic as possible.

We primarily rely on user auth, but there are some instances where we rely on MAC-based authentication (mostly printers and other devices that don't support 802.1x authentication) as a fallback method.

It's definitely a workable and good solution to the problems we were facing when we implemented it.

Let me know if you want any more details :)

-J
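The name-based approach Jamie describes, modelled as an added example (not code from the thread or from FreeRADIUS/ISE): the RADIUS side returns the RFC 3580 tunnel attributes with a VLAN name in Tunnel-Private-Group-ID, and each site's switch resolves that name against its own local VLAN table, with MAB as a fallback for devices without a supplicant. All usernames, MAC addresses, site names and VLAN numbers are constructed placeholders, and the "named VLAN missing on this switch leaves the port unauthorised" behaviour is an assumption of the model, not a statement about a specific IOS release.

```python
# Added example (not from the thread): dynamic VLAN assignment by VLAN *name*
# with per-site local VLAN tables, plus MAB fallback for supplicant-less devices.
# All identities, MACs, sites and VLAN numbers below are constructed placeholders.

# RFC 3580 attribute values carried in a RADIUS Access-Accept for VLAN assignment.
TUNNEL_TYPE_VLAN = 13      # Tunnel-Type (64) = VLAN
TUNNEL_MEDIUM_802 = 6      # Tunnel-Medium-Type (65) = IEEE-802

# Constructed RADIUS policy: 802.1X users by username, MAB devices by MAC.
# MAB only authorises hardware that is explicitly listed (MACs are spoofable,
# so this is a fallback for printers and similar, not the primary method).
USER_ROLES = {"alice": "Staff", "bob": "Student"}
MAB_DEVICES = {"00-11-22-33-44-55": "Printers"}     # constructed MAC

# Constructed per-site VLAN tables: the same names map to different local IDs,
# so the RADIUS policy stays generic while VLANs remain local to each site.
SITE_VLANS = {
    "siteA": {"Staff": 1701, "Student": 1702, "Printers": 1703},
    "siteB": {"Staff": 2301, "Student": 2302},      # no Printers VLAN here
}


def radius_authorize(identity, method):
    """Return Access-Accept attributes, or None for an Access-Reject.
    method is "dot1x" (identity = username) or "mab" (identity = MAC)."""
    table = USER_ROLES if method == "dot1x" else MAB_DEVICES
    role = table.get(identity.lower())
    if role is None:
        return None
    return {
        "Tunnel-Type": TUNNEL_TYPE_VLAN,
        "Tunnel-Medium-Type": TUNNEL_MEDIUM_802,
        "Tunnel-Private-Group-ID": role,            # VLAN name, not a number
    }


def switch_apply(site, attrs):
    """Resolve the returned VLAN name to this site's local VLAN ID.
    Returns the local VLAN ID, or None if the port stays unauthorised
    (Access-Reject, malformed attributes, or the name is not a VLAN here)."""
    if attrs is None:
        return None
    if (attrs.get("Tunnel-Type") != TUNNEL_TYPE_VLAN
            or attrs.get("Tunnel-Medium-Type") != TUNNEL_MEDIUM_802):
        return None
    return SITE_VLANS.get(site, {}).get(attrs.get("Tunnel-Private-Group-ID"))


def authorize_port(site, identity, method):
    """End-to-end: RADIUS decision followed by the switch's local resolution."""
    return switch_apply(site, radius_authorize(identity, method))
```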

Jamie,

Instead of sending the VLAN ID back, we send the VLAN name, i.e. instead of sending 1701, we send "Staff" or "Student". This enables each site to have local VLANs, but also for the 802.1x solution to be as generic as possible.

A very nice idea!

Best regards,
Peter