Dynamic VLANs on a Catalyst 3560

Answered Question
Nov 6th, 2007

Hello,


I'm looking for a solution that would enable me to assign users to a specific VLAN based on MAC address. I'm using a Catalyst 3560 switch. Is there something similar to VMPS that would allow me to do this? I would like to run VMPS, but it looks like you need a VMPS server (catalyst 5000) to do this. Any help would be appreciated. Thanks!

andrew.butterworth Tue, 11/06/2007 - 13:48

802.1x is the way forward, however if you have clients/devices that move and don't have an 802.1x supplicant then you can still use VMPS. You are right you can use a Cat 5000 as the VMPS server, there are also some open source VMPS applications available. Google VMPS and Linux. There may be Windows variants available?


I would question why you need to do this though? Most networks are moving away from this type of setup. It might be worth explaining the scenario to see if anything else better suits your needs?


Andy

ddegner Tue, 11/06/2007 - 13:59

Hello Andy,


Many thanks for your prompt reply.


Basically, I need to find a solution that will allow me to segregate my network into 2 VLANs. 1 LAN for company users, & another "fallback/guest" LAN for someone that plugs into a wall jack that is not an authenticated user. These guest users would still be able to access the internet, but would not be on the same network as authenticated users.

Correct Answer
andrew.butterworth Tue, 11/06/2007 - 14:07

If that's the case then 802.1x with Guest and Authentication Fail VLAN is probably more appropriate. If you are a Windows AD house then it's just some configuration as you will already have all the software (IAS Radius Server, XP's built-in 802.1x supplicant).


There are a few guides on how to set this up, do a search.


HTH


Andy

ddegner Tue, 11/06/2007 - 14:24

Let me throw one more thing into the mix. We will be using IP phones as well. Will they need to be authenticated somehow?

andrew.butterworth Tue, 11/06/2007 - 15:07

They can be is the answer; however they don't have to be. Not all Cisco IP Phones have an 802.1x Supplicant (I assume you are using Cisco IP Phones and Voice VLANs?), only the newer ones do I think (7941, 7961, 7970 etc). I think by default the Voice VLAN on the access port does not do 802.1x authentication so the Phones bypass any 802.1x authentication.

If you have non-Cisco IP Phones then there are some more hurdles like VLAN detection and depending on the Vendor this can be achieved in a number of ways. It should all be possible though.


Andy
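
An added example, not part of the original thread and not the posters' own configuration: one way to express the 802.1x setup with Guest and Authentication Fail VLANs and a voice VLAN discussed above, in Catalyst 3560 IOS syntax. The VLAN numbers, VLAN names, interface range, RADIUS address (192.0.2.10) and shared secret are constructed placeholders.

```cisco
! Constructed values: VLAN 10 = company users, VLAN 20 = voice,
! VLAN 99 = guest/fallback, RADIUS server 192.0.2.10 (for example IAS).
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key <shared-secret>
!
! Enable 802.1x globally; without this the per-port settings do nothing.
dot1x system-auth-control
!
vlan 10
 name USERS
vlan 20
 name VOICE
vlan 99
 name GUEST
!
interface range FastEthernet0/1 - 24
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 spanning-tree portfast
 dot1x pae authenticator
 dot1x port-control auto
 ! No supplicant answers EAPOL (visitor laptop): port falls back to the guest VLAN.
 dot1x guest-vlan 99
 ! Supplicant present but credentials rejected: port lands in the same isolated VLAN.
 dot1x auth-fail vlan 99
 dot1x auth-fail max-attempts 3
 ! Shorten the wait before guest-VLAN fallback (default tx-period is 30 s).
 dot1x timeout tx-period 10
```

Separation between VLAN 99 and VLAN 10 still has to be enforced wherever the two VLANs are routed, and `show dot1x all` shows the resulting per-port state.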
