Velocity Reviews > Cisco
Mac to VLAN mapping on Cisco switches (http://www.velocityreviews.com/forums/t946143-mac-to-vlan-mapping-on-cisco-switches.html)

Martijn Lievaart 05-11-2012 11:09 PM

Mac to VLAN mapping on Cisco switches
 
Hello,

We are looking at ways to ease management of VLANs, and secure on the basis
of MAC address (yes I know, easily spoofed).

After much googling, it seems that:

- 802.1x has the potential to do what we want, but always needs a
supplicant (agent) on the connecting device. As too many devices we use
(among others, thin clients) do not have this capability, this is out for now[1].
Am I correct that for MAC based 802.1x VLAN assignment, one always needs
an agent on the device?

- The other option would be VMPS. Open Source software can get the MAC/
VLAN assignment from a database[2], but can Cisco software do similar? Do
they even have a dedicated VMPS server, or is one stuck with downloading
a file to the master switches?

I hope I'm wrong, too many sites say that VMPS is deprecated in favor of
802.1x. But requiring an agent on the end device is quite a big step. Why
is there no middle ground between these two?

TIA,
M4

[1] We'll be switching to 802.1x capable thin clients soon, so it may not
be out completely.

[2] Think CMDB. Not in CMDB => No access. In CMDB => department and
requesting switch dictate VLAN.

Doug McIntyre 05-12-2012 04:22 AM

Re: Mac to VLAN mapping on Cisco switches
 
Martijn Lievaart <m@rtij.nl.invlalid> writes:
>We are looking at ways to ease management of VLANs, and secure on basis
>of MAC address (yes I know, easily spoofed).


>After much googling, it seems that:


>- 802.1x has the potential to do what we want, but always needs a
>supplicant (agent) on the connecting device. As too many devices we use
>(a.o. thin clients) do not have this capability, this is out for now[1].
>Am I correct that for MAC based 802.1x vlan assignment, one always needs
>an agent on the device?


Most modern OSs have this built into the networking stack,
i.e. Windows 7/Mac OS X/Linux all do. I can't tell about your thin clients.


>- The other option would be VMPS. Open Source software can get the MAC/
>VLAN assignment from a database[2], but can Cisco software do similar? Do
>they even have a dedicated VMPS server, or is one stuck with downloading
>a file to the master switches?


VMPS was never fully supported by Cisco in the first place. Rumor was
that some large customer wanted a solution (this was long before .1x)
and Cisco half-heartedly built something in. The VMPS server ran in
a 6500 switch; there never was general server code outside of switch hardware.

To say it is insecure is an understatement. Sniff, spoof and any VLAN
hopping instantly done.

Since .1x, whatever supported level of VMPS existed vanished, and it
is kept around mainly in the platforms that had it just in a holding pattern.


But, are you over generalizing this as a solution? There haven't been
many locations where I'd even consider .1x. To me, it is a specialized
solution to begin with.

It all sounds neat, just edit RADIUS to assign the VLAN, but in reality
it is even easier to keep track of switch ports and edit which
VLAN a given switch port is in and hard-code it there. No security
issues, no having to run extra stuff. I'd say in 99.99% of the situations
in which I find myself this is the standard setup.

Keeping track of switch ports is easier than dealing with usernames
and passwords.
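Both approaches raised in this thread, the VMPS database file that gets downloaded to the VMPS server and the "edit RADIUS to assign the VLAN" route, consume the same thing: a MAC-to-VLAN table. The RADIUS route does not strictly need a supplicant on the end device, because with MAC Authentication Bypass (MAB) the switch itself sends the MAC address as the RADIUS username and password once no 802.1x supplicant answers. The script below is an added example, not code from either poster: it takes a constructed CMDB export (field names and VLAN names are assumptions), applies the "not in CMDB => no access, in CMDB => department dictates VLAN" rule from the original post, and emits both a VMPS database file and FreeRADIUS `users` entries with the standard Tunnel-Type/Tunnel-Medium-Type/Tunnel-Private-Group-Id reply attributes. It maps departments to VLAN *names* so each requesting switch resolves the name to its own local VLAN id, which is how VMPS works and which Cisco IOS also accepts in Tunnel-Private-Group-Id. The MAB username format (12 lowercase hex digits, no separators) is the Cisco default as I know it and is stated as an assumption in the code. The caveat both posters already make still applies: in either system the MAC is the whole credential, so anyone who spoofs a listed MAC lands in that VLAN.

```python
"""Added example: derive MAC-to-VLAN authorisation data from a CMDB export.

Both mechanisms discussed in the thread consume a MAC -> VLAN table:
  * VMPS: a text database file the Catalyst VMPS server loads over TFTP
  * 802.1x with MAC Authentication Bypass (MAB): RADIUS reply attributes
    returned when the switch authenticates the MAC on the client's behalf
The CMDB is the single source of truth; anything not active in it is
simply absent from both outputs, which is a deny in both systems.
"""
import re

# Constructed sample CMDB export (not real data); field names are an assumption.
CMDB = [
    {"mac": "00:11:22:33:44:55", "department": "finance",     "status": "active"},
    {"mac": "0011.2233.4456",    "department": "engineering", "status": "active"},
    {"mac": "00-11-22-33-44-57", "department": "finance",     "status": "retired"},
    {"mac": "001122334458",      "department": "printers",    "status": "active"},
    {"mac": "00:11:22:33:44:59", "department": "visitors",    "status": "active"},
]

# Department -> VLAN *name* (assumed names). Each switch maps the name to its
# own VLAN id, so one entry serves every requesting switch.
DEPARTMENT_VLAN = {"finance": "FINANCE", "engineering": "ENG", "printers": "PRINTERS"}

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac):
    """Return the MAC as 12 lowercase hex digits whatever separator the CMDB used."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if not _HEX12.match(digits):
        raise ValueError("not a MAC address: %r" % (mac,))
    return digits


def cisco_dotted(mac12):
    """0011.2233.4455 form, as used in VMPS database files."""
    return ".".join(mac12[i:i + 4] for i in range(0, 12, 4))


def authorized_devices(cmdb):
    """Sorted (mac12, vlan_name) pairs for active devices in a known department.

    Retired devices and unknown departments are dropped rather than sent to
    a default VLAN: 'not in CMDB => no access'. The same MAC mapped to two
    different VLANs would be ambiguous, so that is an error.
    """
    result = {}
    for row in cmdb:
        if row.get("status") != "active":
            continue
        vlan = DEPARTMENT_VLAN.get(row.get("department"))
        if vlan is None:
            continue
        mac = normalize_mac(row["mac"])
        if result.get(mac, vlan) != vlan:
            raise ValueError("MAC %s mapped to both %s and %s" % (mac, result[mac], vlan))
        result[mac] = vlan
    return sorted(result.items())


def vmps_database(cmdb, domain="CORP"):
    """VMPS database file text. 'secure' mode with no 'vmps fallback' line
    means an unknown MAC shuts the port down instead of landing in a default VLAN."""
    lines = [
        "vmps domain %s" % domain,
        "vmps mode secure",
        "vmps no-domain-req deny",
        "!",
        "vmps-mac-addrs",
    ]
    for mac, vlan in authorized_devices(cmdb):
        lines.append("address %s vlan-name %s" % (cisco_dotted(mac), vlan))
    return "\n".join(lines) + "\n"


def freeradius_users(cmdb):
    """FreeRADIUS 'users' file entries for MAB. Assumption: the switch sends the
    MAC as 12 lowercase hex digits in both User-Name and User-Password (Cisco
    default), so the MAC doubles as the password: whoever presents it gets the VLAN."""
    entries = []
    for mac, vlan in authorized_devices(cmdb):
        entries.append(
            '%s\tCleartext-Password := "%s"\n'
            "\tTunnel-Type = VLAN,\n"
            "\tTunnel-Medium-Type = IEEE-802,\n"
            '\tTunnel-Private-Group-Id = "%s"\n' % (mac, mac, vlan)
        )
    return "\n".join(entries)


if __name__ == "__main__":
    print(vmps_database(CMDB))
    print(freeradius_users(CMDB))
```

Run it as-is to see both outputs for the sample CMDB: the retired finance device and the "visitors" device (no VLAN mapping) appear in neither file, so a VMPS server in secure mode shuts their port and FreeRADIUS rejects their MAB request. Regenerating and pushing both files from the CMDB on every change is the piece the original post was looking for; what it cannot fix is that a MAC copied off a listed device is accepted just the same.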