03-05-2012 08:37 AM - edited 03-07-2019 05:21 AM
Hey everyone.
I am doing a university project designing a campus network and need some tips.
I have to create VLANs for different departments but also the users within those VLAN memberships have to be able to authenticate from any workstation on all 4 floors of the building. Is there a protocol I can configure to allow hot seating but also make sure the user is contained within the correct VLAN?
My configuration of campus network is:
2 distribution layer 3 switches - rapid-pvst, one root other primary.
2x48 port access layer switches on each of the 4 floors, each floor linked with dot1q to the distribution layer 3 switches (resiliency).
VTP configured on root distribution layer switch. And rest of switches client.
Thanks,
John N
Sent from Cisco Technical Support iPad App
03-05-2012 08:50 AM
John,
There may be other ways to do it, but take a look at this:
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/catos/8.x/configuration/guide/vmps.html
I've never set this up btw...
03-05-2012 09:02 AM
Hello John and John,
The VMPS option is absolutely viable, however, it is based on an older proprietary protocol called the VQP (VLAN Query Protocol) and a VMPS server which is, to my best knowledge, not available on IOS platforms. There are open source VMPS servers available, however - the FreeRADIUS package has an actively maintained VMPS implementation. Still, the VMPS solution assigns users to VLANs according to the station's MAC address, and that address is too easily spoofable.
Nevertheless, the proper way to do it would be to use 802.1X with RADIUS or TACACS+ authentication where, after successful authentication, the RADIUS/TACACS+ server sends the user's VLAN along with its reply, so the switch will always assign the user to his/her appropriate VLAN. See:
Still, I would try to avoid this idea if possible. VLANs "hunting" their users are more difficult to manage and troubleshoot, the resulting STP topology may not be as deterministic as with static VLAN assignment, and to be completely honest, even the 802.1X supplicant support in most operating systems is quite bad. If you absolutely need to implement this, you'll need to allocate a few days in a lab testing various operating system behavior during association with different VLANs etc.
Best regards,
Peter
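To make Peter's point about the server "sending the user's VLAN along with its reply" concrete, here is an added example (not code from any poster, switch vendor or RADIUS server) that models the authenticator side of RFC 3580 dynamic VLAN assignment. It takes the three tunnel attributes a RADIUS Access-Accept carries (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID), validates them, maps the group ID (a VLAN name or number) against the VLANs defined on the switch, and keeps the port unauthorized when the reply is malformed or names a VLAN the switch does not have. The behaviour on missing or invalid attributes, the constructed VLAN table and the `decide_vlan` function are assumptions for illustration.

```python
"""Switch-side handling of RADIUS dynamic VLAN assignment (RFC 3580).

After a successful 802.1X exchange the RADIUS server returns an
Access-Accept carrying three tunnel attributes; the authenticator
(the access switch) places the port into the VLAN they name.  This is
a constructed model of that decision, not code from any real switch.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Union

# RADIUS attribute numbers and enumerated values from RFC 2868 / RFC 3580.
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13          # Tunnel-Type = VLAN
TUNNEL_MEDIUM_IEEE_802 = 6     # Tunnel-Medium-Type = IEEE-802


@dataclass
class Decision:
    vlan: Optional[int]   # VLAN the port lands in; None means port stays unauthorized
    reason: str


def _untag_int(value: int) -> int:
    # RFC 2868 integer tunnel attributes carry an optional tag in the top byte;
    # the enumerated value lives in the low three bytes.
    return value & 0x00FFFFFF


def _untag_str(value: str) -> str:
    # String tunnel attributes may start with a one-byte tag (0x00-0x1F).
    if value and ord(value[0]) <= 0x1F:
        return value[1:]
    return value


def decide_vlan(attrs: Dict[int, Union[int, str]],
                switch_vlans: Dict[int, str],
                static_vlan: int) -> Decision:
    """Return the VLAN for an authorized port, given Access-Accept attributes.

    attrs        - attribute number -> value, as decoded from the Access-Accept
    switch_vlans - VLAN ID -> VLAN name for VLANs defined on this switch
    static_vlan  - the port's configured access VLAN (used when the server
                   sends no VLAN attributes at all)
    """
    tunnel_keys = (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)
    present = [k for k in tunnel_keys if k in attrs]
    if not present:
        # Assumed behaviour: an Accept with no VLAN attributes leaves the
        # port in its statically configured VLAN.
        return Decision(static_vlan, "no VLAN attributes; keeping static VLAN")
    if len(present) != 3:
        return Decision(None, "incomplete tunnel attribute set; port not authorized")
    if _untag_int(int(attrs[TUNNEL_TYPE])) != TUNNEL_TYPE_VLAN:
        return Decision(None, "Tunnel-Type is not VLAN(13); port not authorized")
    if _untag_int(int(attrs[TUNNEL_MEDIUM_TYPE])) != TUNNEL_MEDIUM_IEEE_802:
        return Decision(None, "Tunnel-Medium-Type is not IEEE-802(6); port not authorized")

    group = _untag_str(str(attrs[TUNNEL_PRIVATE_GROUP_ID]))
    # The group ID may be a VLAN number or a VLAN name; either way the VLAN
    # must already exist on this switch (VTP keeps the list consistent).
    if group.isdigit():
        vlan_id = int(group)
        if vlan_id in switch_vlans:
            return Decision(vlan_id, f"assigned VLAN {vlan_id} by ID")
    else:
        for vlan_id, name in switch_vlans.items():
            if name == group:
                return Decision(vlan_id, f"assigned VLAN {vlan_id} by name {group!r}")
    return Decision(None, f"VLAN {group!r} not defined on switch; port not authorized")


# Constructed VLAN table for one access switch (not from the thread).
SAMPLE_SWITCH_VLANS = {10: "Finance", 20: "Engineering", 30: "Admissions", 999: "GUEST"}

# Constructed Access-Accept attribute sets, as a RADIUS server would return them.
ACCEPT_BY_NAME = {TUNNEL_TYPE: 13, TUNNEL_MEDIUM_TYPE: 6, TUNNEL_PRIVATE_GROUP_ID: "Finance"}
ACCEPT_BY_ID = {TUNNEL_TYPE: 13, TUNNEL_MEDIUM_TYPE: 6, TUNNEL_PRIVATE_GROUP_ID: "20"}
ACCEPT_TAGGED = {TUNNEL_TYPE: (1 << 24) | 13, TUNNEL_MEDIUM_TYPE: (1 << 24) | 6,
                 TUNNEL_PRIVATE_GROUP_ID: "\x01Admissions"}
ACCEPT_UNKNOWN_VLAN = {TUNNEL_TYPE: 13, TUNNEL_MEDIUM_TYPE: 6, TUNNEL_PRIVATE_GROUP_ID: "HR"}

if __name__ == "__main__":
    for label, reply in [("by name", ACCEPT_BY_NAME), ("by id", ACCEPT_BY_ID),
                         ("tagged", ACCEPT_TAGGED), ("unknown", ACCEPT_UNKNOWN_VLAN),
                         ("no attrs", {})]:
        print(label, decide_vlan(reply, SAMPLE_SWITCH_VLANS, static_vlan=999))
```

The point for the design in the question: the user's VLAN follows the authenticated identity to whichever floor's access switch they plug into, but only if every access switch already carries the VLAN the server names, which is exactly what the VTP domain in the design provides. A reply naming a VLAN that is missing on one floor's switch shows up here as "port not authorized", a failure mode worth testing in the lab time Peter suggests.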
03-05-2012 10:18 AM
Thanks Peter that solution seems to tie in with what I require.
It does look quite difficult though, so I may be hard at work in the lab in the coming days.
Regards,
John
03-05-2012 10:17 AM
Thanks for the prompt reply.
As Peter said, VMPS only assigns VLANs to the MAC of the NIC. My design specification needs the users to authenticate from anywhere and then have the VLAN attach to the host from the Access Layer Switch. A RADIUS server with 802.1X looks like the solution but does look quite difficult to configure.
Regards,
John