Velocity Reviews - Computer Hardware Reviews
Mac to VLAN mapping on Cisco switches

Martijn Lievaart
      05-11-2012
Hello,

We are looking at ways to ease management of VLANs, and to secure on the
basis of MAC address (yes I know, easily spoofed).

After much googling, it seems that:

- 802.1x has the potential to do what we want, but always needs a
supplicant (agent) on the connecting device. As too many devices we use
(among others, thin clients) do not have this capability, this is out for now[1].
Am I correct that for MAC-based 802.1x VLAN assignment, one always needs
an agent on the device?

- The other option would be VMPS. Open Source software can get the MAC/
VLAN assignment from a database[2], but can Cisco software do similar? Do
they even have a dedicated VMPS server, or is one stuck with downloading
a file to the master switches?

I hope I'm wrong, too many sites say that VMPS is deprecated in favor of
802.1x. But requiring an agent on the end device is quite a big step. Why
is there no middle ground between these two?

TIA,
M4

[1] We'll be switching to 802.1x capable thin clients soon, so it may not
be out completely.

[2] Think CMDB. Not in CMDB => No access. In CMDB => department and
requesting switch dictate VLAN.
Doug McIntyre
      05-12-2012
Martijn Lievaart <(E-Mail Removed)> writes:
>We are looking at ways to ease management of VLANs, and to secure on the
>basis of MAC address (yes I know, easily spoofed).


>After much googling, it seems that:


>- 802.1x has the potential to do what we want, but always needs a
>supplicant (agent) on the connecting device. As too many devices we use
>(among others, thin clients) do not have this capability, this is out for now[1].
>Am I correct that for MAC-based 802.1x VLAN assignment, one always needs
>an agent on the device?


Most modern OSs have this built into the networking stack,
i.e. Windows 7/Mac OS X/Linux all do. I can't tell about your thin clients.


>- The other option would be VMPS. Open Source software can get the MAC/
>VLAN assignment from a database[2], but can Cisco software do similar? Do
>they even have a dedicated VMPS server, or is one stuck with downloading
>a file to the master switches?


VMPS was never fully supported by Cisco in the first place. Rumor was
that some large customer wanted a solution (this was long before .1x)
and Cisco half-heartedly built something in. The VMPS server ran in
a 6500 switch; there never was general server code outside of switch hardware.

To say it is insecure is an understatement. Sniff, spoof, and any VLAN
hopping is instantly done.

Since .1x, whatever supported level of VMPS existed vanished, and it
is kept around mainly in the platforms that had it, just in a holding pattern.


But, are you over generalizing this as a solution? There haven't been
many locations where I'd even consider .1x. To me, it is a specialized
solution to begin with.

It all sounds neat, just edit RADIUS to assign the VLAN, but in reality
it is even easier to keep track of switch ports and edit which
VLAN a given switch port is in and hard code it there. No security
issues, no having to run extra stuff. I'd say that in 99.99% of the situations
in which I find myself, this is the standard setup.

Keeping track of switch ports is easier than dealing with usernames
and passwords.

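The policy both posts circle around (look the MAC up in a database, let department and requesting switch pick the VLAN, and hand the result back to the switch through RADIUS), written out as an added example. It is not code from either post and not Cisco or VMPS software; it models the decision a RADIUS server would make on a MAC-based authentication request where the switch presents the MAC address as the username. The attribute names and values are the ones RFC 3580 defines for VLAN assignment (Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-ID = VLAN ID). The CMDB rows, switch names, department names, VLAN numbers, and the in-memory session table used for the duplicate-MAC check are constructed assumptions, as is the choice to have the function update that table itself.

```python
"""MAC-to-VLAN decision backed by a CMDB lookup, as a RADIUS server would make it.

Added example for this thread (not code from the posts, not Cisco software).
Policy, from the OP's footnote [2]: not in CMDB => no access; in CMDB =>
department and requesting switch dictate the VLAN.
"""
import re

# RFC 2868 / RFC 3580 values a switch expects for dynamic VLAN assignment.
TUNNEL_TYPE_VLAN = 13        # Tunnel-Type (attribute 64) = VLAN
TUNNEL_MEDIUM_IEEE802 = 6    # Tunnel-Medium-Type (attribute 65) = IEEE-802

# Constructed CMDB extract (assumption): MAC -> owning department.
CMDB = {
    "00:11:22:aa:bb:cc": "finance",
    "00:11:22:aa:bb:dd": "helpdesk",
}

# Constructed assignment table (assumption): (department, switch) -> VLAN ID.
# A department with no row for a switch gets no access from that switch.
VLAN_MAP = {
    ("finance", "sw-floor2"): 120,
    ("finance", "sw-floor3"): 130,
    ("helpdesk", "sw-floor2"): 220,
}


def normalize_mac(raw):
    """Return aa:bb:cc:dd:ee:ff for any of the spellings switches send as the
    MAC-auth username (001122aabbcc, 00-11-22-aa-bb-cc, 0011.22aa.bbcc,
    00:11:22:AA:BB:CC). Anything that is not 12 hex digits is rejected."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def decide(raw_mac, requesting_switch, active_sessions):
    """Decide one MAC-based authentication request.

    active_sessions maps MAC -> switch it is currently authenticated on
    (in a real deployment this would be fed from RADIUS accounting; here it
    is a plain dict the caller keeps, and an accept records into it).

    Returns ("Access-Reject", reason) or ("Access-Accept", attrs), where
    attrs are the RADIUS attributes that put the port into the VLAN.
    """
    mac = normalize_mac(raw_mac)

    department = CMDB.get(mac)
    if department is None:
        return "Access-Reject", f"{mac} not in CMDB"

    # MAC addresses are trivially spoofed (the OP says so). The one thing
    # this policy can notice is a registered MAC turning up on a second
    # switch while it is already active on another: deny, and let someone look.
    seen_on = active_sessions.get(mac)
    if seen_on is not None and seen_on != requesting_switch:
        return "Access-Reject", (
            f"{mac} already active on {seen_on}, now seen on "
            f"{requesting_switch} (possible spoof)"
        )

    vlan = VLAN_MAP.get((department, requesting_switch))
    if vlan is None:
        return "Access-Reject", f"no VLAN for {department} on {requesting_switch}"

    active_sessions[mac] = requesting_switch
    attrs = {
        "Tunnel-Type": TUNNEL_TYPE_VLAN,
        "Tunnel-Medium-Type": TUNNEL_MEDIUM_IEEE802,
        "Tunnel-Private-Group-ID": str(vlan),   # sent as a string per RFC 3580
    }
    return "Access-Accept", attrs


if __name__ == "__main__":
    sessions = {}
    # Constructed requests: (MAC as the switch would send it, requesting switch).
    for raw_mac, switch in [
        ("001122aabbcc", "sw-floor2"),       # finance, known switch -> VLAN 120
        ("001122aabbcc", "sw-floor3"),       # same MAC, second switch -> reject
        ("00-11-22-AA-BB-DD", "sw-floor3"),  # helpdesk has no VLAN on floor 3
        ("0011.22aa.bbee", "sw-floor2"),     # not in CMDB
    ]:
        print(raw_mac, switch, decide(raw_mac, switch, sessions))
```

The spoof check is deliberately weak: it only catches a cloned MAC that is active in two places at once, and it does nothing against an attacker who waits for the real device to go away. That is the limit of what any MAC-keyed policy can see, which is the point Doug makes about VMPS and the OP concedes in the first line.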