Re: Dynamic VLAN-Assignment in a large Network
bt_hirosaito@xxxxxx wrote:
Hi,

At the moment I am thinking about realizing dynamic VLAN assignment in
our network.
We have almost 10.000 users at the moment and lots of VLANs for all
these people (main VLANs for every building, extra VLANs for research
etc.)

What would be the best possibility to manage so many VLANs? Because
with only using the remote access policies it will be so much work to keep
all the policies up to date. And additionally there is the problem of how to
configure the policies. Maybe decision by UserGroup in AD?!

I would be very interested if any of you have already managed this and
how it is working.

Thanks in advance

Eric


Eric

I have given some thought to this, and so far the best I have come up with is to use some kind of database to determine the VLAN. It will use various factors, including the user's group, switch port, and switch. There might also be another table with a list of policies; for example you might have the following:

In a staff room, allow any connections using either a computer certificate, or a user certificate or username/password, where the user belongs to the staff group. The port will be placed on the local building VLAN.

In a public access area, allow anyone with valid credentials to connect. The port will be placed on a VLAN depending upon the credentials. Computers and privileged users (e.g. staff) will be put on the local building VLAN. Students and others (perhaps from a federated organization) get put in an "insecure" VLAN.

We also have to consider devices that do not support 802.1X, such as IP phones and VC equipment. Is it safe to provide a guest VLAN for these devices?

I would be interested to hear your thoughts on this.

Regards

--
Chris Hills
IT Services
North East Worcestershire College
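The policy-table approach sketched above, as an added example that is not part of this thread and not anything the posters deployed: a small lookup that takes who is connecting (AD groups), how they authenticated (computer certificate, user certificate, password) and where (switch and port), matches the first policy that fits, and returns the RADIUS attributes a switch expects in an Access-Accept for dynamic VLAN assignment (Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-ID = the VLAN name or ID, per RFC 3580). Every switch name, port, group, VLAN name and policy in the block is constructed for illustration; a real deployment would populate the two tables from its own directory and inventory. Requests that carry no credentials are rejected outright rather than quietly placed on a guest VLAN, so that the guest-VLAN question raised in the post stays an explicit decision instead of a default.

```python
"""Added example (constructed data): map (user groups, auth method, switch, port)
to the RADIUS tunnel attributes used for dynamic VLAN assignment."""

from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple, Union

# Attribute values from RFC 2868 / RFC 3580 that a NAS expects in an Access-Accept.
TUNNEL_TYPE_VLAN = 13      # Tunnel-Type (64) = VLAN
TUNNEL_MEDIUM_802 = 6      # Tunnel-Medium-Type (65) = IEEE-802


@dataclass(frozen=True)
class Request:
    username: Optional[str]          # None for machine-only or unauthenticated sessions
    groups: FrozenSet[str]           # AD groups resolved for the user (empty if none)
    auth_method: str                 # "computer-cert", "user-cert", "password" or "none"
    switch: str
    port: str


@dataclass(frozen=True)
class Policy:
    name: str
    area: str                        # "staff-room" or "public"
    allowed_methods: FrozenSet[str]
    required_group: Optional[str]    # None means any authenticated principal
    vlan: str                        # VLAN sent to the switch, or "$building" for the local one


# Constructed inventory: (switch, port) -> (area type, local building VLAN name).
PORT_TABLE: Dict[Tuple[str, str], Tuple[str, str]] = {
    ("sw-bldgA-1", "Gi1/0/5"): ("staff-room", "BLDG-A"),
    ("sw-bldgA-1", "Gi1/0/20"): ("public", "BLDG-A"),
    ("sw-bldgB-2", "Gi1/0/3"): ("public", "BLDG-B"),
}

# Constructed policies, evaluated in order; the first match wins.
POLICIES = [
    Policy("staff-room-staff", "staff-room",
           frozenset({"computer-cert", "user-cert", "password"}), "staff", "$building"),
    Policy("public-computer", "public", frozenset({"computer-cert"}), None, "$building"),
    Policy("public-staff", "public", frozenset({"user-cert", "password"}), "staff", "$building"),
    Policy("public-other", "public", frozenset({"user-cert", "password"}), None, "INSECURE"),
]


def decide(req: Request) -> Tuple[str, Union[Dict[str, object], str]]:
    """Return ("accept", attributes) or ("reject", reason) for one access request."""
    location = PORT_TABLE.get((req.switch, req.port))
    if location is None:
        return "reject", "unknown switch/port"
    area, building_vlan = location

    # No credentials at all: reject. Whether such devices get a guest VLAN is a
    # separate policy decision and is deliberately not taken here.
    if req.auth_method == "none":
        return "reject", "no credentials"

    for policy in POLICIES:
        if policy.area != area:
            continue
        if req.auth_method not in policy.allowed_methods:
            continue
        if policy.required_group is not None and policy.required_group not in req.groups:
            continue
        vlan = building_vlan if policy.vlan == "$building" else policy.vlan
        return "accept", {
            "Tunnel-Type": TUNNEL_TYPE_VLAN,
            "Tunnel-Medium-Type": TUNNEL_MEDIUM_802,
            "Tunnel-Private-Group-ID": vlan,
            "matched-policy": policy.name,   # for logging only, not a RADIUS attribute
        }
    return "reject", "no matching policy"


if __name__ == "__main__":
    sample = Request("alice", frozenset({"staff"}), "password", "sw-bldgA-1", "Gi1/0/5")
    print(decide(sample))
```

Because the switch and port are part of the lookup, the same staff credentials land on the building VLAN in a staff room and on the building VLAN at a public port, while a student at a public port is steered to the "insecure" VLAN and a student at a staff-room port is refused; adding a building or an area is a table change rather than a new remote access policy.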