From: Supersleuth on
I am using 3560 switches in a large school network


I want to create 3 VLANs

1: Students
2: staff
3: Guests

Some of the wired ports could have any of those plugged in.

Is it possible to assign them to a VLAN by the MAC address or the
login details?


Also, for wireless APs, can I make different SSIDs for each VLAN?
Any help with this is most welcome.

Cheers
From: Doug McIntyre on
Supersleuth <np121(a)hotmail.com> writes:
>I am using 3560 switches in a large school network

>I want to create 3 VLANs
>1: Students
>2: staff
>3: Guests

>Some of the wired ports could have any of those plugged in.

>Is it possible to assign them to a VLAN by the MAC address or the
>login details?

That would be VMPS. Cisco barely supported it (rumor was that one
large customer wanted it, and Cisco tried to talk them out of it, but
still delivered it until something better came along). It's a
security risk, and setting up a server is interesting (most likely
you'd have to search out the open-source version to run on a Unix machine.
Even then, I'm not sure if the 3560 still supports it).

If you have high-school students, I would not put it past them to be
able to get around VMPS security; it's fairly easy to spoof MAC addresses.

Much better would be to run its secure replacement, 802.1x, which
would get the login data through RADIUS, and most RADIUS servers
support it, and the 3560 does as well. You can google many articles on
setting up 802.1x.


>Also, for wireless APs, can I make different SSIDs for each VLAN?
>Any help with this is most welcome.

You can with Cisco AP gear. Support for this is straightforward. Basic
setup is to map an SSID to each VLAN. You can also set up 802.1x on the
Cisco AP and assign the VLAN through the RADIUS login if you want.

Other vendors of APs don't necessarily support these features; you'd
most likely have to have 3 different APs, one for each VLAN, if you
aren't using Cisco here.
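Added example, not from the thread or from Cisco's documentation: the switch-side configuration that Doug's 802.1x suggestion implies on a Catalyst 3560 (12.2-era IOS syntax), with the VLAN chosen by the RADIUS server at login rather than by the port. The RADIUS server address 10.0.0.5, the VLAN numbers 10/20/30 and the shared secret are assumed placeholders. The `aaa authorization network` line is what lets the switch honour the VLAN the server returns; without it the port authenticates but stays in its statically configured VLAN.

```text
! Added example (not from the thread): Catalyst 3560 802.1x with RADIUS-assigned VLANs.
! Assumptions: RADIUS server 10.0.0.5; VLAN 10 = Students, 20 = Staff, 30 = Guests;
! the key is a placeholder and must be replaced with the real shared secret.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
!
radius-server host 10.0.0.5 auth-port 1812 acct-port 1813 key REPLACE-WITH-SHARED-SECRET
!
! The VLANs returned by RADIUS must exist on the switch, or authorization fails.
vlan 10
 name Students
vlan 20
 name Staff
vlan 30
 name Guests
!
! Classroom ports: every port starts in the guest VLAN and is moved to the
! student or staff VLAN only after a successful 802.1x login.
interface range FastEthernet0/1 - 24
 switchport mode access
 switchport access vlan 30
 dot1x pae authenticator
 dot1x port-control auto
 ! Devices that never answer EAPOL (printers, visitors' laptops) land here;
 ! restrict this VLAN with ACLs rather than treating it as trusted.
 dot1x guest-vlan 30
 ! Students move rooms several times a day: re-authenticate periodically so a
 ! port does not keep an old user's VLAN after the machine is unplugged.
 dot1x reauthentication
 dot1x timeout reauth-period 3600
 spanning-tree portfast
```

Uplinks and the ports feeding the APs are left out on purpose; they are trunks carrying all three VLANs and must not run `dot1x port-control auto`, or the AP itself would be challenged for a login.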

From: Supersleuth on
I am going to use all Cisco gear.

Never done a RADIUS server before, but I do have Nagios running on
Fedora 11.

Is it OK to use the same server, or will it be better to make a new
server just for RADIUS?

What software would I be best with? Preferably something that doesn't
need masses of re-programming, as I'm not a programmer.




On 15 Sep 2009 13:09:04 GMT, Doug McIntyre <merlyn(a)geeks.org> wrote:
From: Doug McIntyre on
Supersleuth <np121(a)hotmail.com> writes:
>I am going to use all Cisco gear.

>Never done a RADIUS server before, but I do have Nagios running on
>Fedora 11.

>Is it OK to use the same server, or will it be better to make a new
>server just for RADIUS?



Yes, you could run RADIUS and something else on the same server. It's
not very much traffic. This is more determined by your internal
security policies than CPU load or needing resources.


>What software would I be best with? Preferably something that doesn't
>need masses of re-programming, as I'm not a programmer.

There are many choices. One would be FreeRADIUS. It'll need to be fed
configs via text files, much like Nagios or other Unix software packages.

Cisco has their own RADIUS appliance as well if you want a pretty GUI
and support for things out of the box with virtually no work. But
you pay for those features. Plenty of other RADIUS software server
vendors as well. Some pay, some freeware.
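Added example, not from the thread or from the FreeRADIUS project: the text-file configuration Doug refers to, showing how a FreeRADIUS 2.x server returns the RFC 2868 tunnel attributes that a Catalyst 3560 or a Cisco AP reads as "put this user in VLAN N". It covers both the wired switch and the wireless AP from the earlier reply, since each is just another RADIUS client of the same server. The client addresses, user names, VLAN numbers and secrets are assumed placeholders; the `Cleartext-Password` lines exist only so the entries can be tested with `radtest`, and a school deployment would authenticate against its directory (LDAP or Active Directory) with an EAP method instead of keeping passwords in this file.

```text
# --- /etc/raddb/clients.conf (added example, not the project's shipped file) ---
# Every device that will ask the server to authenticate users: the 3560 and the APs.
# Assumed addresses; each secret is a placeholder shared with that one device only.
client switch-3560 {
        ipaddr  = 10.0.1.2
        secret  = REPLACE-WITH-SWITCH-SECRET
        nastype = cisco
}
client ap-block-a {
        ipaddr  = 10.0.1.10
        secret  = REPLACE-WITH-AP-SECRET
        nastype = cisco
}

# --- /etc/raddb/users (added example) ---
# Check items (left of the first newline) decide whether the login succeeds;
# reply items (indented) are sent back in the Access-Accept. The three Tunnel-*
# attributes together tell the switch or AP which VLAN to assign.
# Assumptions: VLAN 10 = Students, 20 = Staff, 30 = Guests.

jsmith  Cleartext-Password := "REPLACE-ME"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "10"

mjones  Cleartext-Password := "REPLACE-ME"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "20"

# A shared guest account still gets an explicit VLAN; never rely on the
# switch's static port VLAN as the fallback for an authenticated user.
guest   Cleartext-Password := "REPLACE-ME"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "30"

# Anyone not matched above is refused rather than silently placed somewhere.
DEFAULT Auth-Type := Reject
```

After editing, `radtest jsmith REPLACE-ME localhost 0 testing123` (the stock localhost client secret in FreeRADIUS 2.x) exercises the entry without touching the switch; the Access-Accept printed back should carry `Tunnel-Private-Group-Id` with the expected VLAN. Because students change rooms, the important property is that the VLAN travels with the user's credentials and not with the port, which is exactly what these reply items give you.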
From: Supersleuth on
Having a look at FreeRADIUS, thanks.

Can I use RADIUS to authenticate ALL users, wired and wireless?

I know what users I have and what VLANs I want them on; it's just I don't
know where they will get their connection from. It can change several
times a day for students as they move from lesson to lesson.






On 15 Sep 2009 19:56:28 GMT, Doug McIntyre <merlyn(a)geeks.org> wrote: