MAC to VLAN mapping on Cisco switches

Discussion in 'Cisco' started by Martijn Lievaart, May 12, 2012.

  1. Hello,

    We are looking at ways to ease management of VLANs, and to secure on the basis
    of MAC address (yes I know, easily spoofed).

    After much googling, it seems that:

    - 802.1x has the potential to do what we want, but always needs a
    supplicant (agent) on the connecting device. As too many devices we use
    (among others, thin clients) do not have this capability, this is out for now[1].
    Am I correct that for MAC-based 802.1x VLAN assignment, one always needs
    an agent on the device?

    - The other option would be VMPS. Open source software can get the MAC/
    VLAN assignment from a database[2], but can Cisco software do similar? Do
    they even have a dedicated VMPS server, or is one stuck with downloading
    a file to the master switches?

    I hope I'm wrong, too many sites say that VMPS is deprecated in favor of
    802.1x. But requiring an agent on the end device is quite a big step. Why
    is there no middle ground between these two?


    [1] We'll be switching to 802.1x capable thin clients soon, so it may not
    be out completely.

    [2] Think CMDB. Not in CMDB => No access. In CMDB => department and
    requesting switch dictate VLAN.
    Martijn Lievaart, May 12, 2012

  2. Most modern OSs have this built into the networking stack.
    I.e. Windows 7/Mac OS X/Linux all do. I can't tell about your thin clients.

    VMPS was never fully supported by Cisco in the first place. Rumor was
    that some large customer wanted a solution (this was long before .1x)
    and Cisco half-heartedly built something in. The VMPS server ran in
    a 6500 switch; there never was general server code outside of switch hardware.

    To say it is insecure is an understatement. Sniff, spoof and any VLAN
    hopping instantly done.

    Since .1x, whatever supported level of VMPS existed vanished, and it
    is kept around mainly in the platforms that had it just in a holding pattern.

    But, are you over generalizing this as a solution? There haven't been
    many locations where I'd even consider .1x. To me, it is a specialized
    solution to begin with.

    It all sounds neat, just edit RADIUS to assign the VLAN, but in reality
    it is even easier to keep track of switch ports and edit which
    VLAN a given switch port is in and hard-code it there. No security
    issues, no having to run extra stuff. I'd say that in 99.99% of the situations
    in which I find myself, this is the standard setup.

    Keeping track of switch ports is easier than dealing with usernames
    and passwords.
    Doug McIntyre, May 12, 2012
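The "edit RADIUS to assign the VLAN" approach from the reply above, combined with the CMDB rule in the first post's footnote [2] (not in CMDB => no access; in CMDB => department and requesting switch dictate the VLAN), as an added illustration that is not code from either poster: a small Python model of the authorization decision a RADIUS server makes for a request in which the switch sends the client's MAC address as the User-Name. The inventory entries, the department/switch-to-VLAN table and the switch names are constructed for the example. The three reply attributes are the standard IETF tunnel attributes (Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, Tunnel-Private-Group-Id) that switches act on for dynamic VLAN assignment.

```python
"""MAC -> VLAN authorization as a RADIUS server would decide it.

Added example, not code from the thread. CMDB, VLAN_POLICY and the
switch names are constructed sample data.
"""
import re
from typing import Optional

# Constructed inventory (the "CMDB"): normalised MAC -> department, asset.
CMDB = {
    "00:11:22:33:44:55": {"dept": "finance", "asset": "thin client fin-01"},
    "00:11:22:33:44:66": {"dept": "engineering", "asset": "workstation eng-07"},
}

# Constructed policy: (department, requesting switch) -> VLAN.
VLAN_POLICY = {
    ("finance", "sw-hq-1"): 110,
    ("finance", "sw-branch-1"): 210,
    ("engineering", "sw-hq-1"): 120,
}
# Constructed fallback: department -> VLAN when the switch has no specific rule.
DEPT_DEFAULT_VLAN = {"finance": 100, "engineering": 120}

# Standard attribute values for VLAN assignment (RFC 2868 / RFC 3580).
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalise_mac(raw: str) -> Optional[str]:
    """Accept the MAC spellings switches put in User-Name (aabb.ccdd.eeff,
    aa-bb-cc-dd-ee-ff, aa:bb:cc:dd:ee:ff, aabbccddeeff) and return the
    canonical aa:bb:cc:dd:ee:ff form, or None if the string is not a MAC."""
    hexchars = re.sub(r"[.:-]", "", raw.strip().lower())
    if not _HEX12.fullmatch(hexchars):
        return None
    return ":".join(hexchars[i:i + 2] for i in range(0, 12, 2))


def authorize(username: str, nas_identifier: str) -> dict:
    """Decide the reply for one request.

    username       - the MAC the switch sent as User-Name
    nas_identifier - the requesting switch (NAS-Identifier or hostname)

    Unknown or malformed MACs get Access-Reject rather than a default VLAN;
    known MACs get Access-Accept carrying the VLAN chosen by department and
    switch, falling back to the department default.
    """
    reject = {"code": "Access-Reject", "attrs": {}}
    mac = normalise_mac(username)
    if mac is None or mac not in CMDB:
        return reject
    dept = CMDB[mac]["dept"]
    vlan = VLAN_POLICY.get((dept, nas_identifier), DEPT_DEFAULT_VLAN.get(dept))
    if vlan is None:
        return reject
    return {
        "code": "Access-Accept",
        "attrs": {
            "Tunnel-Type": TUNNEL_TYPE_VLAN,
            "Tunnel-Medium-Type": TUNNEL_MEDIUM_IEEE_802,
            "Tunnel-Private-Group-Id": str(vlan),
        },
    }


def main() -> None:
    # Constructed requests: (User-Name as a switch might format it, switch).
    requests = [
        ("0011.2233.4455", "sw-hq-1"),       # finance device on HQ switch
        ("001122334455", "sw-branch-1"),     # same device at a branch
        ("00-11-22-33-44-66", "sw-branch-1"),  # engineering, no branch rule
        ("de:ad:be:ef:ca:fe", "sw-hq-1"),    # not in CMDB
        ("not-a-mac", "sw-hq-1"),            # malformed
    ]
    for user, nas in requests:
        print(f"{user:20} {nas:12} -> {authorize(user, nas)}")


if __name__ == "__main__":
    main()
```

Everything here hinges on the MAC the switch reports, so the decision identifies a device only as far as that address has not been spoofed, which the original poster already concedes. Note also that the switch only honours the tunnel attributes on ports configured for authentication; on a plain access port the reply is ignored and the hard-coded port VLAN applies, which is the setup the reply above recommends.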
