From: Tom on 19 Jan 2010 11:27

On Jan 19, 11:17 am, Tom <tdenham...(a)gmail.com> wrote:
> On Jan 19, 11:01 am, Doug McIntyre <mer...(a)geeks.org> wrote:
>
> > Tom <tdenham...(a)gmail.com> writes:
> > >I'm looking for a solution that will cause a PC or device with known
> > >MAC address or possibly range of MAC addresses to connect to a
> > >specific VLAN based on the MAC address. Can that be done with the
> > >2900 series. If so will it require a specific IOS feature set?
>
> > Which 2900 series? Unfortunately, there are 3 really different Cisco
> > devices that are a "2900". I assume it's not the 2900 ISR2 router since
> > you say switch in the subject line, although there are switch cards
> > that can go into the 2900 ISR2. Then there's the C2924XL's, and the
> > c2950's catalyst switches.
>
> > You know that MAC addresses can be easily spoofed right? If this is a
> > security setup, doing VLAN membership by MAC is going to be as easy to
> > circumvent as the attacker finding out a legit MAC and configuring
> > their system to be it, and then they are on the other VLAN.
>
> > The secure supported configuration is to use 802.1X and a RADIUS
> > server to assign VLANs based on secure authentication login info.
>
> > But assuming the lowest common denominator, the c2924xl doesn't
> > support 802.1x authentication, that came along later in the lifespan
> > of Cisco. But the c2950 does support 802.1x authentication.
>
> > If you do really mean to do dynamic VLAN connections just by MAC
> > address, Cisco did have a solution way back in the day called VMPS.
>
> > You'd have to run up a daemon (OpenVMPS) on a *nix box, or dig up an
> > old 6500/5000 that still had the VMPS server code on it (only a few
> > hardware platforms did).
>
> > If you do some searches on OpenVMPS you should be able to find it.
>
> > Just don't expect it to be too secure with the ability of MAC spoofing
> > readily available.
>
> > Either way, you'll need to be running a server to hand out the info
> > via whichever protocol you choose to use.
>
> Thanks for the detailed response and pointing out MAC spoofing.
>
> We understand this will not be really secure because MACs can be
> spoofed, however this is a small setup and we do not really need high
> security. Just the simple ability to assign a MAC to a VLAN.
>
> Can a simple MAC to VLAN mapping be done without VMPS?
>
> The switch we normally use is a Cisco 2960 with IOS 12.2(35)SE5.
>
> Thanks.

I think I should change my questions slightly...I see that the 2960
will support VMPS client mode. Does that mean it will do the VLAN
port assignments as a stand-alone switch, or does it need another
service or server?

Basically I'm just trying to configure simple MAC based VLAN assignments.

Thanks.
From: Doug McIntyre on 19 Jan 2010 12:52

Tom <tdenham735(a)gmail.com> writes:
>> Can a simple MAC to VLAN mapping be done without VMPS?
>> The switch we normally use is a Cisco 2960 with IOS 12.2(35)SE5.

No.

>I think I should change my questions slightly...I see that the 2960
>will support VMPS client mode. Does that mean it will do the VLAN
>port assignments as a stand-alone switch, or does it need another
>service or server?

VMPS (like RADIUS) requires an external server to give it the data.
Originally it ran only on a few older chassis-based switches, but they've
reverse engineered the protocol into OpenVMPS as a standalone daemon
on a *nix system.
From: Tom on 19 Jan 2010 13:45

On Jan 19, 12:52 pm, Doug McIntyre <mer...(a)geeks.org> wrote:
> Tom <tdenham...(a)gmail.com> writes:
> >> Can a simple MAC to VLAN mapping be done without VMPS?
> >> The switch we normally use is a Cisco 2960 with IOS 12.2(35)SE5.
>
> No.
>
> >I think I should change my questions slightly...I see that the 2960
> >will support VMPS client mode. Does that mean it will do the VLAN
> >port assignments as a stand-alone switch, or does it need another
> >service or server?
>
> VMPS (like RADIUS) requires an external server to give it the data.
> Originally it ran only on a few older chassis-based switches, but they've
> reverse engineered the protocol into OpenVMPS as a standalone daemon
> on a *nix system.

Thanks much!
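To make concrete what the external VMPS server in Doug's answer actually decides, here is an added example (not from the thread, OpenVMPS or Cisco) that parses a small database in the Catalyst VMPS file format and resolves a client MAC to a VLAN. The sample database is constructed, and the open/secure/fallback handling is a simplified model of the documented VMPS rules that omits port-group policies.

```python
# Added example: resolve a MAC to a VLAN the way a VMPS server (e.g. OpenVMPS)
# does, reading the Catalyst VMPS database format. Sample database is constructed.
import re

SAMPLE_DB = """\
vmps domain LAB
vmps mode open
vmps fallback guest
vmps-mac-addrs
address 0012.2233.4455 vlan-name engineering
address 0050.56aa.bbcc vlan-name printers
"""

def normalize_mac(mac):
    """Accept 00:12:22:33:44:55, 00-12-22-33-44-55 or 0012.2233.4455 -> dotted form."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError("bad MAC: %r" % mac)
    return ".".join(hexdigits[i:i + 4] for i in range(0, 12, 4))

def parse_vmps_db(text):
    """Parse header directives and the MAC table; lines starting with '!' are comments."""
    db = {"domain": None, "mode": "open", "fallback": None, "macs": {}}
    for line in text.splitlines():
        words = line.split()
        if not words or words[0].startswith("!"):
            continue
        if words[0] == "vmps" and words[1] in ("domain", "mode", "fallback"):
            db[words[1]] = words[2]
        elif words[0] == "address" and words[2] == "vlan-name":
            db["macs"][normalize_mac(words[1])] = words[3]
    return db

def lookup(db, mac, domain):
    """Return ('allow', vlan) or ('deny', reason). The decision rests solely on the
    client-reported MAC, which is why the thread calls this easy to spoof."""
    if domain != db["domain"]:
        return ("deny", "domain mismatch")
    vlan = db["macs"].get(normalize_mac(mac))
    if vlan:
        return ("allow", vlan)
    if db["mode"] == "secure":
        return ("deny", "unknown MAC; secure mode shuts the port")
    if db["fallback"]:
        return ("allow", db["fallback"])
    return ("deny", "unknown MAC and no fallback VLAN")
```

Switching the sample to `vmps mode secure` shows the difference between the two modes: an unknown MAC is refused instead of being parked in the fallback VLAN.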