switch vlan question

Discussion in 'Cisco' started by Tom, Jan 19, 2010.

  1. Tom

    Tom Guest

    I'm looking for a solution that will cause a PC or device with known
    MAC address or possibly range of MAC addresses to connect to a
    specific VLAN based on the MAC address. Can that be done with the
    2900 series? If so, will it require a specific IOS feature set?

    Thanks in advance.
    Tom, Jan 19, 2010
    #1

  2. Tom

    Tom Guest

    On Jan 19, 9:15 am, Tom <> wrote:
    > I'm looking for a solution that will cause a PC or device with known
    > MAC address or possibly range of MAC addresses to connect to a
    > specific VLAN based on the MAC address.  Can that be done with the
    > 2900 series?  If so, will it require a specific IOS feature set?
    >
    > Thanks in advance.


    I looked into this a little more myself...

    Looks like this can be done via dynamic VLANs. Basically what I'd
    like to do is set unknown MAC addresses to default to VLAN1 and known
    MAC addresses go to a preassigned VLAN. This way if an unknown
    device is plugged into the switch it would not have full access to our
    network or systems.

    Is this a simple configuration supported by, for example, a 2960
    switch?

    If anyone has an example of the best way to do this it would be very
    helpful.

    Thanks in advance.
    Tom, Jan 19, 2010
    #2

  3. bod43

    bod43 Guest

    On 19 Jan, 14:15, Tom <> wrote:
    > I'm looking for a solution that will cause a PC or device with known
    > MAC address or possibly range of MAC addresses to connect to a
    > specific VLAN based on the MAC address.  Can that be done with the
    > 2900 series?  If so, will it require a specific IOS feature set?
    >
    > Thanks in advance.


    Look up VMPS - may now be obsolete.

    Seems like you can also do this with EAP.

    Good discussion at -
    http://www.edugeek.net/forums/networks/10463-mac-based-vlan-allocation-procurve-switches-11x.html
    bod43, Jan 19, 2010
    #3
  4. Tom <> writes:
    >I'm looking for a solution that will cause a PC or device with known
    >MAC address or possibly range of MAC addresses to connect to a
    >specific VLAN based on the MAC address. Can that be done with the
    >2900 series? If so, will it require a specific IOS feature set?


    Which 2900 series? Unfortunately, there are three really different Cisco
    devices that are a "2900". I assume it's not the 2900 ISR2 router since
    you say switch in the subject line, although there are switch cards
    that can go into the 2900 ISR2. Then there's the C2924XL's, and the
    C2950 Catalyst switches.


    You know that MAC addresses can be easily spoofed right? If this is a
    security setup, doing VLAN membership by MAC is going to be as easy to
    circumvent as the attacker finding out a legit MAC and configuring
    their system to be it, and then they are on the other VLAN.

    The secure supported configuration is to use 802.1X and a RADIUS
    server to assign VLANs based on secure authentication login info.

    But assuming the lowest common denominator, the C2924XL doesn't
    support 802.1X authentication; that came along later in Cisco's
    lifespan. But the C2950 does support 802.1X authentication.

    If you do really mean to do dynamic VLAN connections just by MAC
    address, Cisco did have a solution way back in the day called VMPS.

    You'd have to run up a daemon (OpenVMPS) on a *nix box, or dig up an
    old 6500/5000 that still had the VMPS server code on it (only a few
    hardware platforms did).

    If you do some searches on OpenVMPS you should be able to find it.

    Just don't expect it to be too secure with the ability of MAC spoofing
    readily available.

    Either way, you'll need to be running a server to hand out the info
    via whichever protocol you choose to use.
    Doug McIntyre, Jan 19, 2010
    #4
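Doug's recommended setup is 802.1X with a RADIUS server assigning the VLAN. What the RADIUS server actually returns in its Access-Accept for that is the attribute triple defined in RFC 2868 and used for VLANs by RFC 3580: Tunnel-Type = VLAN (13), Tunnel-Medium-Type = IEEE-802 (6) and Tunnel-Private-Group-ID = the VLAN ID or name. The following is an added example, not code from this thread, from Cisco, or from any RADIUS server: it encodes that triple to wire bytes and parses it back the way a switch would have to, including the tag handling and malformed-length checks. Attribute numbers and values are from the RFCs; the rule that a switch seeing no complete, consistent triple leaves the port on its static VLAN is my reading of switch behaviour and is marked as an assumption in the code.

```python
"""Encode and decode the RADIUS attribute triple that assigns a VLAN to an
802.1X-authenticated port (RFC 2868 tunnel attributes, usage per RFC 3580).
Added example for this thread, not Cisco's or any RADIUS server's own code."""
import struct
from typing import Dict, List, Optional, Tuple

TUNNEL_TYPE = 64                 # RFC 2868 attribute numbers
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13            # Tunnel-Type value "VLAN"
TUNNEL_MEDIUM_IEEE_802 = 6       # Tunnel-Medium-Type value "IEEE-802"
VLAN_TRIPLE = (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)


def _avp(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type(1) Length(1, counts the header) Value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value is limited to 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def vlan_attributes(vlan: str, tag: int = 1) -> bytes:
    """Wire bytes a RADIUS server puts in Access-Accept to place the port in
    `vlan` (a VLAN ID such as "20" or a VLAN name).  Tagged integer
    attributes are tag(1) + 3-byte big-endian value; the string attribute is
    tag(1) + text.  Tag 0 means "untagged"; 1..31 group the three together."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..31")
    return b"".join([
        _avp(TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big")),
        _avp(TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big")),
        _avp(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + vlan.encode("ascii")),
    ])


def parse_attributes(blob: bytes) -> List[Tuple[int, bytes]]:
    """Split an attribute list into (type, value) pairs; reject bad lengths
    rather than silently reading past the end of the packet."""
    out, i = [], 0
    while i < len(blob):
        if len(blob) - i < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError(f"bad attribute length {length} at offset {i}")
        out.append((attr_type, blob[i + 2:i + length]))
        i += length
    return out


def assigned_vlan(blob: bytes) -> Optional[str]:
    """VLAN the switch would apply, or None when the triple is absent or
    inconsistent.  Assumption for this example: a switch that sees no valid
    triple leaves the port on its statically configured VLAN."""
    by_tag: Dict[int, Dict[int, bytes]] = {}
    for attr_type, value in parse_attributes(blob):
        if attr_type not in VLAN_TRIPLE or not value:
            continue
        if attr_type == TUNNEL_PRIVATE_GROUP_ID and value[0] > 0x1F:
            # RFC 2868: for the string attribute a first byte above 0x1F is
            # not a tag but the start of the string itself (treat as tag 0).
            tag, body = 0, value
        else:
            tag, body = value[0], value[1:]
        by_tag.setdefault(tag, {})[attr_type] = body
    for attrs in by_tag.values():
        if len(attrs) != 3:
            continue
        if int.from_bytes(attrs[TUNNEL_TYPE], "big") != TUNNEL_TYPE_VLAN:
            continue
        if int.from_bytes(attrs[TUNNEL_MEDIUM_TYPE], "big") != TUNNEL_MEDIUM_IEEE_802:
            continue
        return attrs[TUNNEL_PRIVATE_GROUP_ID].decode("ascii", "replace")
    return None


if __name__ == "__main__":
    wire = vlan_attributes("20")
    print(wire.hex())           # 40060100000d 410601000006 5105013230 (spaces added)
    print(assigned_vlan(wire))  # 20
```

Two things worth noticing: a server that omits the tag byte on Tunnel-Private-Group-ID is still decoded correctly because of the 0x1F rule, and a triple whose tags do not match (or whose Tunnel-Medium-Type is not IEEE-802) yields no VLAN rather than a wrong one. Because the VLAN comes from the authenticated identity rather than from the client's MAC, spoofing a MAC on this setup buys nothing without the credential.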
  5. Tom

    Tom Guest

    On Jan 19, 11:01 am, Doug McIntyre <> wrote:
    > Tom <> writes:
    > >I'm looking for a solution that will cause a PC or device with known
    > >MAC address or possibly range of MAC addresses to connect to a
    > >specific VLAN based on the MAC address.  Can that be done with the
    > >2900 series?  If so, will it require a specific IOS feature set?

    >
    > Which 2900 series? Unfortunately, there are three really different Cisco
    > devices that are a "2900". I assume it's not the 2900 ISR2 router since
    > you say switch in the subject line, although there are switch cards
    > that can go into the 2900 ISR2. Then there's the C2924XL's, and the
    > C2950 Catalyst switches.
    >
    > You know that MAC addresses can be easily spoofed right? If this is a
    > security setup, doing VLAN membership by MAC is going to be as easy to
    > circumvent as the attacker finding out a legit MAC and configuring
    > their system to be it, and then they are on the other VLAN.
    >
    > The secure supported configuration is to use 802.1X and a RADIUS
    > server to assign VLANs based on secure authentication login info.
    >
    > But assuming the lowest common denominator, the C2924XL doesn't
    > support 802.1X authentication; that came along later in Cisco's
    > lifespan. But the C2950 does support 802.1X authentication.
    >
    > If you do really mean to do dynamic VLAN connections just by MAC
    > address, Cisco did have a solution way back in the day called VMPS.
    >
    > You'd have to run up a daemon (OpenVMPS) on a *nix box, or dig up an
    > old 6500/5000 that still had the VMPS server code on it (only a few
    > hardware platforms did).
    >
    > If you do some searches on OpenVMPS you should be able to find it.
    >
    > Just don't expect it to be too secure with the ability of MAC spoofing
    > readily available.
    >
    > Either way, you'll need to be running a server to hand out the info
    > via whichever protocol you choose to use.


    Thanks for the detailed response and pointing out MAC spoofing.

    We understand this will not be really secure because MACs can be
    spoofed; however, this is a small setup and we do not really need high
    security. Just the simple ability to assign a MAC to a VLAN.

    Can a simple MAC to VLAN mapping be done without VMPS?

    The switch we normally use is a Cisco 2960 with IOS 12.2(35)SE5.

    Thanks.
    Tom, Jan 19, 2010
    #5
  6. Tom

    Tom Guest

    On Jan 19, 11:17 am, Tom <> wrote:
    > On Jan 19, 11:01 am, Doug McIntyre <> wrote:
    > > Tom <> writes:
    > > >I'm looking for a solution that will cause a PC or device with known
    > > >MAC address or possibly range of MAC addresses to connect to a
    > > >specific VLAN based on the MAC address.  Can that be done with the
    > > >2900 series?  If so, will it require a specific IOS feature set?
    > >
    > > Which 2900 series? Unfortunately, there are three really different Cisco
    > > devices that are a "2900". I assume it's not the 2900 ISR2 router since
    > > you say switch in the subject line, although there are switch cards
    > > that can go into the 2900 ISR2. Then there's the C2924XL's, and the
    > > C2950 Catalyst switches.
    > >
    > > You know that MAC addresses can be easily spoofed right? If this is a
    > > security setup, doing VLAN membership by MAC is going to be as easy to
    > > circumvent as the attacker finding out a legit MAC and configuring
    > > their system to be it, and then they are on the other VLAN.
    > >
    > > The secure supported configuration is to use 802.1X and a RADIUS
    > > server to assign VLANs based on secure authentication login info.
    > >
    > > But assuming the lowest common denominator, the C2924XL doesn't
    > > support 802.1X authentication; that came along later in Cisco's
    > > lifespan. But the C2950 does support 802.1X authentication.
    > >
    > > If you do really mean to do dynamic VLAN connections just by MAC
    > > address, Cisco did have a solution way back in the day called VMPS.
    > >
    > > You'd have to run up a daemon (OpenVMPS) on a *nix box, or dig up an
    > > old 6500/5000 that still had the VMPS server code on it (only a few
    > > hardware platforms did).
    > >
    > > If you do some searches on OpenVMPS you should be able to find it.
    > >
    > > Just don't expect it to be too secure with the ability of MAC spoofing
    > > readily available.
    > >
    > > Either way, you'll need to be running a server to hand out the info
    > > via whichever protocol you choose to use.
    >
    > Thanks for the detailed response and pointing out MAC spoofing.
    >
    > We understand this will not be really secure because MACs can be
    > spoofed; however, this is a small setup and we do not really need high
    > security.  Just the simple ability to assign a MAC to a VLAN.
    >
    > Can a simple MAC to VLAN mapping be done without VMPS?
    >
    > The switch we normally use is a Cisco 2960 with IOS 12.2(35)SE5.
    >
    > Thanks.


    I think I should change my question slightly...I see that the 2960
    supports VMPS client mode. Does that mean it will do the VLAN
    port assignments as a standalone switch, or does it need another
    service or server?

    Basically I'm just trying to configure simple MAC based VLAN
    assignments.

    Thanks.
    Tom, Jan 19, 2010
    #6
  7. Tom <> writes:
    >> Can a simple MAC to VLAN mapping be done without VMPS?
    >> The switch we normally use is a Cisco 2960 with IOS 12.2(35)SE5.


    No.

    >I think I should change my question slightly...I see that the 2960
    >supports VMPS client mode. Does that mean it will do the VLAN
    >port assignments as a standalone switch, or does it need another
    >service or server?


    VMPS (like RADIUS) requires an external server to give it the data.
    Originally it ran only on a few older chassis-based switches, but they've
    reverse-engineered the protocol into OpenVMPS as a standalone daemon
    on a *nix system.
    Doug McIntyre, Jan 19, 2010
    #7
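Doug's answer above is that the 2960 can only be a VMPS client and needs a server (OpenVMPS on a *nix box) holding the MAC-to-VLAN table. The following is an added example, not from this thread and not the OpenVMPS project's code: a small Python reader for a VMPS-style database that answers, for a given MAC, the VLAN the server would hand back, including the unknown-MAC behaviour Tom asked about (open mode with a fallback VLAN, secure mode, and an explicit --NONE-- entry). The file layout follows Cisco's documented VMPS database format as I remember it (vmps domain/mode/fallback lines, then `address <mac> vlan-name <vlan>` entries); the sample database is constructed, the port-group and port-policy sections are deliberately not modelled, and the open/secure/fallback decision logic is my reading of the documented semantics, so check it against your server's documentation before relying on it.

```python
"""Parse a VMPS-style MAC-to-VLAN database and answer lookups the way a VMPS
server would for a switch in VMPS client mode.  Added example for this thread,
not OpenVMPS or Cisco code.  SAMPLE_DB below is constructed; the file layout
follows Cisco's documented VMPS database format (assumption: details from memory)."""
import re
from typing import Dict, Optional

SAMPLE_DB = """\
!VMPS File Format, version 1.1
vmps domain EXAMPLE
vmps mode open
vmps fallback default
vmps no-domain-req deny
!
!MAC Addresses
vmps-mac-addrs
address 0012.2233.4455 vlan-name Servers
address 001b.2100.beef vlan-name Staff
address fedc.ba98.7654 vlan-name --NONE--
"""


def canonical_mac(mac: str) -> str:
    """Normalise 00:1B:21:00:BE:EF, 00-1b-21-00-be-ef or 001b.2100.beef to
    Cisco dotted lower-case form so lookups do not depend on input style."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return f"{hexdigits[0:4]}.{hexdigits[4:8]}.{hexdigits[8:12]}"


class VmpsDatabase:
    """Minimal reader: global settings plus the vmps-mac-addrs address list."""

    def __init__(self, text: str) -> None:
        self.domain: Optional[str] = None
        self.mode = "open"               # documented default
        self.fallback: Optional[str] = None
        self.entries: Dict[str, str] = {}
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line.startswith("!"):   # comments and blanks
                continue
            words = line.split()
            if words[:2] == ["vmps", "domain"] and len(words) == 3:
                self.domain = words[2]
            elif words[:2] == ["vmps", "mode"] and len(words) == 3:
                self.mode = words[2]
            elif words[:2] == ["vmps", "fallback"] and len(words) == 3:
                self.fallback = words[2]
            elif words[0] == "address" and len(words) == 4 and words[2] == "vlan-name":
                self.entries[canonical_mac(words[1])] = words[3]
            # port groups, VLAN groups and port policies are not modelled here

    def lookup(self, mac: str) -> str:
        """Decision for one MAC (assumed semantics): the VLAN name; 'DENY' for
        an explicit --NONE-- entry or an unknown MAC with no fallback in open
        mode; 'SHUTDOWN' for an unknown MAC in secure mode."""
        vlan = self.entries.get(canonical_mac(mac))
        if vlan == "--NONE--":
            return "DENY"
        if vlan is not None:
            return vlan
        if self.mode == "secure":
            return "SHUTDOWN"
        return self.fallback if self.fallback else "DENY"


if __name__ == "__main__":
    db = VmpsDatabase(SAMPLE_DB)
    for probe in ("00:1B:21:00:BE:EF", "0800.2700.0001", "fe-dc-ba-98-76-54"):
        print(probe, "->", db.lookup(probe))
```

On the 2960 side the client configuration is `vmps server <ip> primary` globally and `switchport mode access` plus `switchport access vlan dynamic` on each port, with `show vmps` to confirm; those commands are from the Catalyst 2960 configuration guide as I recall them, not from this thread. Note that `lookup` answers Staff for any host that sets its MAC to 001b.2100.beef: nothing in the exchange distinguishes the real device from a spoofed one, which is exactly the limitation Doug described.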
  8. Tom

    Tom Guest

    On Jan 19, 12:52 pm, Doug McIntyre <> wrote:
    > Tom <> writes:
    > >> Can a simple MAC to VLAN mapping be done without VMPS?
    > >> The switch we normally use is a Cisco 2960 with IOS 12.2(35)SE5.
    >
    > No.
    >
    > >I think I should change my question slightly...I see that the 2960
    > >supports VMPS client mode.  Does that mean it will do the VLAN
    > >port assignments as a standalone switch, or does it need another
    > >service or server?
    >
    > VMPS (like RADIUS) requires an external server to give it the data.
    > Originally it ran only on a few older chassis-based switches, but they've
    > reverse-engineered the protocol into OpenVMPS as a standalone daemon
    > on a *nix system.


    Thanks much!
    Tom, Jan 19, 2010
    #8
