Ethernet Switches & Routers

Mel
Contributor
Posts: 63
Registered: 10-16-2010

MAC-based Dynamic VLAN Assignment

I have a client who has a requirement for MAC-based Dynamic VLAN assignment. For example, a user plugs into the network and gets authenticated and placed in a VLAN based on their MAC address. This allows them to plug into any switch port in the fabric and get on the right VLAN.

I know the FCX switches support dot1x and that this functionality can be attained by leveraging dot1x.

I need specifics, however, regarding what will happen when a supplicant tries to access but is indeed unauthorized, and secondly when a client is connected to a switch port but does NOT have supplicant software (like a printer or whatever). I know there are different things that can be done, such as guest VLANs and quarantined VLANs.

I have read the Brocade configuration guide, but its a little unclear - at least to me it is.

Can someone with actual experience and/or a full understanding of the functionality answer my questions?

If I can convince the client that Brocade meets their requirements, it can mean a great deal of business for Brocade!

Thanks!

Super Contributor
Posts: 1,087
Registered: 12-13-2009

Re: MAC-based Dynamic VLAN Assignment

Hi PWBF,

Yes, you can use dot1x for dynamic port-based VLAN assignment (the VLAN is passed to the switch from the RADIUS server).

You can configure what you want to happen when a client fails to provide the correct login information, and this is also true for a device that cannot log in at a

You can have the client sent to a restricted VLAN; example below.

FastIron(config-if-e100-3/1)#dot1x auth-fail-action restrict-vlan 100

You also need to think about what happens when the switch cannot contact the RADIUS server(s). You have two choices: fail open or fail closed.

Printers and the like will need to be looked at a bit differently. Possible options include:

1. Have all printers LAN-connected to a single switch, and that switch then connects into the dot1x infrastructure.

2. Give them their own VLAN that does not have dot1x, and use ACLs to control access.

3. Use the restricted VLAN.

Hope that helps you some.

Mel
Contributor
Posts: 63
Registered: 10-16-2010

Re: MAC-based Dynamic VLAN Assignment

Ms Chipp:

Good stuff, thank you very much.

I need to be clear on a few things. I know that with dot1x, which Brocade switches support, a client (supplicant) can be authenticated, using their username and password, and then placed in a VLAN. The authentication server (RADIUS server) is what is doing the authentication and the placement of a client in a VLAN group.

That having been said, what I need is for a client to be placed in a VLAN based on their MAC address, similar to Cisco's old VMPS system. However, whenever I read about dot1x authentication and dynamic VLAN assignment, it is always about authenticating a client based on their username and password (they even show you how to set the supplicant up in Windows), never on their MAC address.

Can you help me with this?

Super Contributor
Posts: 1,087
Registered: 12-13-2009

Re: MAC-based Dynamic VLAN Assignment

Hi,

I think this is what you are after. See PDF page 709 (manual page 651) of the FastIron 7.2 config guide.

Overview

The MAC-based VLAN feature controls network access by authenticating a host source MAC address, and mapping the incoming packet source MAC to a VLAN. Mapping is based on the MAC address of the end station connected to the physical port. Users who relocate can remain on the same VLAN as long as they connect to any switch in the same domain, on a port which is permitted in the VLAN. The MAC-based VLAN feature may be enabled for two types of hosts: static and dynamic.

MAC-based VLAN activity is determined by authentication through a RADIUS server. Incoming traffic that originates from a specific MAC address is forwarded only if the source MAC address-to-VLAN mapping is successfully authenticated. While multi-device port authentication is in progress, all traffic from the new MAC address will be blocked or dropped until the authentication succeeds. Traffic is dropped if the authentication fails.

Also please check to make sure that none of the below are a problem for you.

Configuration notes and feature limitations

The following guidelines apply to MAC-based VLAN configurations:
• MAC-based VLAN is not currently supported for trunk ports and LACP.
• MAC-based VLAN is not supported for VLAN groups, topology groups and dual-mode configuration.
• MAC-based VLAN is not supported together with ACLs or MAC address filters.
• FastIron devices do not support UDLD link-keepalives on ports with MAC-based VLAN enabled.
• FastIron devices do not support STP BPDU packets on ports with MAC-based VLAN enabled.
• MAC-to-VLAN mapping must be associated with VLANs that exist on the switch. Create the VLANs before you configure the MAC-based VLAN feature.
• Ports participating in MAC-based VLANs must first be configured as mac-vlan-permit ports under the VLAN configuration.
• In the RADIUS server configuration file, a MAC address cannot be configured to associate with more than one VLAN.
• This feature does not currently support dynamic assignment of a port to a VLAN. Users must pre-configure VLANs and port membership before enabling the feature.
• Multi-device port authentication filters will not work with MAC-based VLANs on the same port.

Mel
Contributor
Posts: 63
Registered: 10-16-2010

Re: MAC-based Dynamic VLAN Assignment

Ms. Chipp... more great stuff.

What does this mean:

This feature does not currently support dynamic assignment of a port to a VLAN. Users must pre-configure VLANs and port membership before enabling the feature.

HUH???? I don't get it. The whole feature they are discussing is about MAC-based VLAN assignment... so what are they talking about here???

Thanks!!!

Mel
Contributor
Posts: 63
Registered: 10-16-2010

Re: MAC-based Dynamic VLAN Assignment

Honestly, pardon me for being blunt, but these configurations for dot1x seem like a lot of confusing and convoluted crap.

All I want is the following capability:

Plug a laptop into one jack and get on the right VLAN. Unplug, move to someone else's desk, plug it in, and get on the SAME VLAN.

That's it. MAC-based VLAN assignment. Cisco used to have a beautiful product called VMPS.

Super Contributor
Posts: 1,087
Registered: 12-13-2009

Re: MAC-based Dynamic VLAN Assignment

No dot1x required to do this.

[Figure: map.jpg]

Host A's MAC address is statically mapped to VLAN 1 with priority 1 and is not subjected to RADIUS authentication. When Host B's MAC address is authenticated, the Access-Accept message from the RADIUS server specifies that Host B's MAC address be placed into VLAN 2. Since Host C's MAC address is not present in the RADIUS server, Host C will be rejected by the server and its MAC address will be placed into a restricted VLAN.

Below is the configuration for this example.

vlan 1 by port
 untagged ethe 0/1/10
 mac-vlan-permit ethe 0/1/1 to 0/1/2
 no spanning-tree
vlan 2 by port
 untagged ethe 0/1/30
 mac-vlan-permit ethe 0/1/1 to 0/1/2
 no spanning-tree
vlan 666 name mac_restricted by port
 untagged ethe 0/1/20
 mac-vlan-permit ethe 0/1/1 to 0/1/2
 no spanning-tree
vlan 4000 name DEFAULT-VLAN by port
 no spanning-tree
vlan 4004 by port
 mac-vlan-permit ethe 0/1/1
default-vlan-id 4000
ip address 10.44.3.8 255.255.255.0
ip default-gateway 10.44.3.1
radius-server host 10.44.3.111
radius-server key 1 $-ndUno
mac-authentication enable
mac-authentication max-age 60
mac-authentication hw-deny-age 30
mac-authentication auth-passwd-format xxxx.xxxx.xxxx
interface ethernet 0/1/1
 mac-authentication mac-vlan max-mac-entries 5
 mac-authentication mac-vlan 0030.4888.b9fe vlan 1 priority 1
 mac-authentication mac-vlan enable
!
interface ethernet 0/1/2
 mac-authentication mac-vlan max-mac-entries 5
 mac-authentication mac-vlan enable
!
!
end
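Editor's note, added example: the switch configuration above covers only the switch half of the exchange. The RADIUS half (the MAC-to-VLAN lookup, the Access-Accept carrying the VLAN, and the Access-Reject that lands Host C in the restricted VLAN, plus the restrict-VLAN / fail-open-or-closed point raised in the first reply) is modelled below in Python. This is not code from the thread, from Brocade, or from the FastIron guide. It assumes that, with `auth-passwd-format xxxx.xxxx.xxxx`, the switch sends the client MAC in that dotted form as both RADIUS User-Name and User-Password (check this against your FastIron release), that VLAN 666 is the restricted VLAN from the config above, and that the VLAN reply uses the standard RFC 3580 tunnel attributes. The MAC table is constructed sample data. Two things a practitioner should take from it: RADIUS matches the MAC as a plain string, so every spelling of a MAC must be normalised to one form or lookups silently fail; and a MAC address is a weak credential that any host can spoof, so the restricted-VLAN fallback and the RADIUS-unreachable behaviour are where the real access decisions sit.

```python
"""Model of the RADIUS side of FastIron mac-authentication with MAC-based VLANs.

Added example, not Brocade's or the forum poster's code. Assumptions are
marked in comments.
"""
import re
from typing import Dict, Tuple

# RFC 2868 / RFC 3580 values used to hand a VLAN back in an Access-Accept.
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE802 = 6
RESTRICTED_VLAN = 666  # assumed: "vlan 666 name mac_restricted" in the config above

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw: str) -> str:
    """Canonicalise any common MAC spelling to FastIron's xxxx.xxxx.xxxx form.

    '00:30:48:88:B9:FE', '00-30-48-88-b9-fe' and '0030.4888.b9fe' must all
    become one key, because the RADIUS server compares User-Name as a string.
    """
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if not _HEX12.match(hexdigits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return ".".join(hexdigits[i:i + 4] for i in range(0, 12, 4))


def build_mac_vlan_table(entries: Dict[str, int]) -> Dict[str, int]:
    """Validate an operator-supplied MAC -> VLAN list.

    The quoted guide says a MAC may be associated with only one VLAN on the
    RADIUS server; two spellings of one MAC pointing at different VLANs would
    break that rule, so refuse the table instead of letting the last entry win.
    """
    table: Dict[str, int] = {}
    for raw, vlan in entries.items():
        mac = normalize_mac(raw)
        if not 1 <= vlan <= 4094:
            raise ValueError(f"invalid VLAN {vlan} for {mac}")
        if mac in table and table[mac] != vlan:
            raise ValueError(f"{mac} mapped to both VLAN {table[mac]} and {vlan}")
        table[mac] = vlan
    return table


def radius_decision(table: Dict[str, int], user_name: str, password: str) -> dict:
    """Decide one mac-authentication request and return the reply attributes."""
    try:
        mac = normalize_mac(user_name)
        # Assumed: the switch sends the MAC as the password in the configured
        # format. Requiring it to match rejects hand-crafted requests.
        if normalize_mac(password) != mac:
            return {"code": "Access-Reject"}
    except ValueError:
        return {"code": "Access-Reject"}
    vlan = table.get(mac)
    if vlan is None:
        return {"code": "Access-Reject"}  # Host C case: switch applies restricted VLAN
    return {
        "code": "Access-Accept",
        "Tunnel-Type": TUNNEL_TYPE_VLAN,
        "Tunnel-Medium-Type": TUNNEL_MEDIUM_IEEE802,
        "Tunnel-Private-Group-Id": str(vlan),
    }


def switch_outcome(static_map: Dict[str, int], table: Dict[str, int], mac: str) -> Tuple[str, int]:
    """Model the three hosts in the post: static bypass, RADIUS accept, reject."""
    m = normalize_mac(mac)
    if m in static_map:  # 'mac-authentication mac-vlan <mac> vlan 1': no RADIUS
        return ("static", static_map[m])
    reply = radius_decision(table, m, m)
    if reply["code"] == "Access-Accept":
        return ("radius", int(reply["Tunnel-Private-Group-Id"]))
    return ("restricted", RESTRICTED_VLAN)


def render_freeradius_users(table: Dict[str, int]) -> str:
    """Emit FreeRADIUS 'users'-file entries for a validated table (one per MAC)."""
    blocks = []
    for mac, vlan in sorted(table.items()):
        blocks.append(
            f'{mac} Cleartext-Password := "{mac}"\n'
            f"\tTunnel-Type = VLAN,\n"
            f"\tTunnel-Medium-Type = IEEE-802,\n"
            f'\tTunnel-Private-Group-Id = "{vlan}"\n'
        )
    return "\n".join(blocks)


# Constructed sample data mirroring the post: Host A static, Host B in RADIUS.
SAMPLE_STATIC_MAP = {"0030.4888.b9fe": 1}
SAMPLE_RADIUS_TABLE = build_mac_vlan_table({"00:11:22:33:44:55": 2})

if __name__ == "__main__":
    for host, mac in [("A", "0030.4888.b9fe"), ("B", "00-11-22-33-44-55"), ("C", "aabb.ccdd.eeff")]:
        print(host, switch_outcome(SAMPLE_STATIC_MAP, SAMPLE_RADIUS_TABLE, mac))
    print(render_freeradius_users(SAMPLE_RADIUS_TABLE))
```

Note that nothing here covers the RADIUS-unreachable case; that is decided on the switch (fail open or fail closed, as the first reply says), and for a MAC-only scheme failing closed into the restricted VLAN is the safer default.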

Super Contributor
Posts: 1,087
Registered: 12-13-2009

Re: MAC-based Dynamic VLAN Assignment

Hi, Does the above post meet your requirements?

Thanks.

Mel
Contributor
Posts: 63
Registered: 10-16-2010

Re: MAC-based Dynamic VLAN Assignment

Ms. Chipp:

Thank you for all your info.

I am trying to convince the client to abandon the idea of mac-based VLANs and instead stick with username/password authentication with dynamic VLAN assignment.

By the way, would you happen to know if Brocade switches are fully interoperable with Cisco ACS?

Super Contributor
Posts: 1,087
Registered: 12-13-2009

Re: MAC-based Dynamic VLAN Assignment

Hi PWBF,

Sorry, I do not know the Cisco ACS product. Having had a quick Google on it, I would look at the McAfee integration with Brocade.

See this link if that is what you are after: http://www.brocade.com/partnerships/technology-alliance-partners/technology-alliances/McAfee/index.page

P.S. Mr. Schipp, not Ms. Chipp, please.
