MAC-based Ethernet VLANs

Discussion in 'Cisco' started by Matthew X. Economou, Sep 19, 2007.

  1. How does one go about implementing MAC-based Ethernet VLANs on
    relatively modern Cisco switches? We'd like to implement MAC-based
    Ethernet VLANs using Cisco 2900-series switches running IOS 12.1. Our
    goal is to register the Ethernet MAC addresses of authorized systems
    to a VLAN with unrestricted network connectivity, while unauthorized
    (and unregistered) devices are left in the default VLAN, which acts as
    a quarantine. We've searched through Cisco's online documentation and
    through this group's archives, but all we've found are references to
    something called VMPS. We are aware of other network admission
    control/quarantine systems (e.g., 802.1x, DHCP-based quarantines), but
    we don't currently have the financial or technical capital to
    implement them. We are also aware of some of the problems with such a
    configuration (especially with respect to broadcast traffic), but in
    our case, it isn't feasible to define this VLAN by physical switch
    port (some of which are downlinks to unmanaged bridges and hubs).

    By way of comparison, I implemented this on an old Nortel Passport
    1051 switch with commands similar to the following:

    config vlan 10 bysrcmac 1
    config vlan 10 srcmac add 00:11:22:33:44:55

    where "10" is the VLAN ID and "1" is the spanning tree group ID. The
    second command shows how one would add a device to the "whitelist"
    VLAN. The router is connected to switch port 3/1, which has tagging
    enabled and is a member of both the default VLAN and of this new VLAN,
    which I configured using commands similar to the following:

    config ethernet 3/1 perform-tagging enable
    config vlan 10 port add 3/1 member static

    The router is VLAN-aware and provides limited Internet access for
    devices in the default (now quarantine) VLAN. All other switch ports
    are untagged, so that any Ethernet packets inbound on those ports will
    get tagged as VLAN 10 upon ingress, if the source MAC address matches
    the list programmed into the VLAN definition. DHCP works properly
    within this VLAN as well, though I've heard that this can be
    problematic in MAC-based VLANs.

    Any help (even pointers to the relevant documentation) would be
    greatly appreciated.

    Best wishes,
    Matthew

    --
    A: Because it messes up the order in which people normally read text.
    Q: Why is top-posting such a bad thing?
     
    Matthew X. Economou, Sep 19, 2007
    #1

  2. On Sep 19, 2:06 pm, "Matthew X. Economou" <>
    wrote:
    > How does one go about implementing MAC-based Ethernet VLANs on
    > relatively modern Cisco switches? We'd like to implement MAC-based
    > Ethernet VLANs using Cisco 2900-series switches running IOS 12.1. Our
    > goal is to register the Ethernet MAC addresses of authorized systems
    > to a VLAN with unrestricted network connectivity, while unauthorized
    > (and unregistered) devices are left in the default VLAN, which acts as
    > a quarantine. We've searched through Cisco's online documentation and
    > through this group's archives, but all we've found are references to
    > something called VMPS. We are aware of other network admission
    > control/quarantine systems (e.g., 802.1x, DHCP-based quarantines), but
    > we don't currently have the financial or technical capital to
    > implement them. We are also aware of some of the problems with such a
    > configuration (especially with respect to broadcast traffic), but in
    > our case, it isn't feasible to define this VLAN by physical switch
    > port (some of which are downlinks to unmanaged bridges and hubs).
    >
    > By way of comparison, I implemented this on an old Nortel Passport
    > 1051 switch with commands similar to the following:
    >
    > config vlan 10 bysrcmac 1
    > config vlan 10 srcmac add 00:11:22:33:44:55
    >
    > where "10" is the VLAN ID and "1" is the spanning tree group ID. The
    > second command shows how one would add a device to the "whitelist"
    > VLAN. The router is connected to switch port 3/1, which has tagging
    > enabled and is a member of both the default VLAN and of this new VLAN,
    > which I configured using commands similar to the following:
    >
    > config ethernet 3/1 perform-tagging enable
    > config vlan 10 port add 3/1 member static
    >
    > The router is VLAN-aware and provides limited Internet access for
    > devices in the default (now quarantine) VLAN. All other switch ports
    > are untagged, so that any Ethernet packets inbound on those ports will
    > get tagged as VLAN 10 upon ingress, if the source MAC address matches
    > the list programmed into the VLAN definition. DHCP works properly
    > within this VLAN as well, though I've heard that this can be
    > problematic in MAC-based VLANs.
    >
    > Any help (even pointers to the relevant documentation) would be
    > greatly appreciated.
    >
    > Best wishes,
    > Matthew
    >
    > --
    > A: Because it messes up the order in which people normally read text.
    > Q: Why is top-posting such a bad thing?


    I've never used MAC-based VLANs myself, but I think that I remember
    reading that the VMPS has to be on a 4500 or 6500 switch. The VMPS is
    what actually has the database of which MAC addresses go to which
    VLAN. The other switches then ask that switch what VLAN they need to
    put the client on. So, I don't *think* that you can implement it if
    you only have 2900 series switches.

    Here are a couple of webpages that talk about which switches can run
    the VMPS:
    http://www.firewall.cx/vlans-designing-vlans-dynamic-vlans.php
    (halfway down, under Choosing Correct Switches) and
    http://www.supinfo-projects.com/cn/2005/vmps_us/1/ (near the bottom,
    under Hardware and Software Necessary).

    You could use the 2900 switches to actually connect the clients, but
    you would have to have a higher-end switch to control the dynamic MAC-
    based VLANs.

    Oliver
     
    Oliver Garraux, Sep 19, 2007
    #2
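To make the VMPS role described above concrete, here is an added example (not code from either poster or from Cisco) that models the lookup a VMPS performs: it parses a small, constructed database in the style of the VMPS text file format (`vmps fallback`, `vmps-mac-addrs`, `address ... vlan-name ...`), normalizes the MAC notation the original post uses (colon-separated) into Cisco's dotted form, and returns either the registered VLAN, the fallback (quarantine) VLAN for unregistered devices, or a denial. The VLAN and domain names are placeholders, and the decision logic is a simplified model, not a reproduction of every VMPS mode.

```python
import re

# Constructed sample modeled on the VMPS database text format; the domain,
# VLAN names and MAC addresses are placeholders, not values from the thread.
SAMPLE_DB = """\
!VMPS File Format, version 1.1
vmps domain EXAMPLE-DOMAIN
vmps mode secure
vmps fallback quarantine
vmps no-domain-req deny
!
vmps-mac-addrs
!
address 0011.2233.4455 vlan-name registered
address 0011.2233.4466 vlan-name --NONE--
"""


def normalize_mac(mac):
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55 or 0011.2233.4455 and
    return Cisco dotted-hex form; return None for anything that is not a MAC."""
    if re.sub(r"[0-9a-fA-F:.\-]", "", mac):      # stray characters present
        return None
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        return None
    return ".".join(digits[i:i + 4] for i in (0, 4, 8))


def parse_vmps_db(text):
    """Return (settings, mapping): settings holds 'vmps <key> <value>' lines,
    mapping is dotted MAC -> VLAN name from the vmps-mac-addrs section."""
    settings, mapping = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("!"):          # comments and blanks
            continue
        parts = line.split()
        if parts[0] == "vmps" and len(parts) >= 3:
            settings[parts[1]] = parts[2]
        elif parts[0] == "address" and len(parts) == 4 and parts[2] == "vlan-name":
            mac = normalize_mac(parts[1])
            if mac:
                mapping[mac] = parts[3]
    return settings, mapping


def assign_vlan(settings, mapping, mac):
    """Simplified VMPS decision: a registered MAC gets its VLAN, an explicit
    --NONE-- entry is denied (None), and an unregistered MAC lands in the
    fallback (quarantine) VLAN, or is denied if no fallback is configured."""
    key = normalize_mac(mac)
    if key is None:
        return None
    vlan = mapping.get(key)
    if vlan == "--NONE--":
        return None
    return vlan if vlan else settings.get("fallback")
```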
