From: John Wong (johnwk@unimelb.edu.au)
Date: Wed Dec 22 2004 - 08:08:05 GMT-3
Tim,
Guest VLANs are no different from other VLANs. It's how you
configure your network/security devices to implement the
restrictions. The difference is that you as the administrator
now have 2 Groups/Vlans at your disposal to implement whatever
security policy that you see fit. Most people would want to
put the Guest users into a very restrictive environment while
the authenticated users be given more access. I hope this
explanation is clear.
Cheers!
ccie2be wrote:
> Thanks John for getting back to me.
>
> So, from a functionality point of view
>
> guest vlan = regular vlan w/o 802.1x authen
>
> Is that equation true?
>
> And, if it is, what's the point?
>
> Thanks, Tim
>
>
> ----- Original Message -----
> From: "John Wong" <johnwk@unimelb.edu.au>
> To: "ccie2be" <ccie2be@nyc.rr.com>
> Cc: "Group Study" <ccielab@groupstudy.com>
> Sent: Wednesday, December 22, 2004 1:11 AM
> Subject: Re: Fw: 3550 - guest vlan's
>
>
>
>>Tim,
>>
>>From what I understand, the Guest VLAN should be restricted by some other
>>means (i.e. Firewalls, ACLs, etc...) such that the "guests" are restricted
>>in what resources/services they can access. e.g. guests are redirected to
>>a webserver which contains information or files required to enable 802.1x
>>if they need Internet access, etc.. Only authenticated users should be
>>given full/more access to resources.
>>
>>Cheers!
>>
>>ccie2be wrote:
>>
>>>Hi guys,
>>>
>>>When you configure vlan to be a guest vlan for hosts that aren't 802.1x
>>>compliant,
>>>
>>>are there, by default, any restrictions on what traffic the port will pass?
>>>
>>>From what I can tell from the documentation, a guest vlan is like any other
>>>vlan
>>>
>>>except non 802.1x compliant hosts don't have to authenticate. But, what makes
>>>no sense to me is, if
>>>
>>>a non 802.1x host is connected to port, why make that port require dot1x
>>>authentication in the first place?
>>>
>>>To me, it seems like first you're requiring 802.1x authentication for a port
>>>and then
>>>
>>>with the guest vlan you're not requiring 802.1x for that same port.
>>>
>>>Maybe I'm the dumb one here, but this seems pretty stupid. So, I'm hoping
>>>someone
>>>
>>>can explain why this isn't actually as stupid as it seems.
>>>
>>>
>>>Also, if anyone knows of any white papers or case studies that explain or
>>>provides examples of how to make practical use of this feature, could you
>>>provide a link?
>>>
>>>Thanks a lot, Tim
>>>
This archive was generated by hypermail 2.1.4 : Mon Jan 03 2005 - 10:31:29 GMT-3
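
Added example, not part of the original thread: since the guest VLAN carries no restrictions of its own, this check reads a switch configuration and reports every guest VLAN whose routed interface (SVI) has no inbound ACL. The sample configuration, VLAN numbers and ACL name are constructed, and the check assumes the filtering is done on the same switch.

```python
import re

# Constructed sample config (not from the thread); VLANs 98/99 and GUEST-IN are made up.
SAMPLE_CONFIG = """\
dot1x system-auth-control
!
interface FastEthernet0/1
 dot1x port-control auto
 dot1x guest-vlan 99
!
interface FastEthernet0/2
 dot1x port-control auto
 dot1x guest-vlan 98
!
interface Vlan98
 ip address 10.0.98.1 255.255.255.0
!
interface Vlan99
 ip address 10.0.99.1 255.255.255.0
 ip access-group GUEST-IN in
"""

def parse_interfaces(config):
    """Map each 'interface X' stanza to its list of sub-commands."""
    stanzas, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface\s+(\S+)", line)
        if m:
            current = stanzas.setdefault(m.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # '!' or a global command ends the stanza
    return stanzas

def unfiltered_guest_vlans(config):
    """Return {guest_vlan: [ports]} for guest VLANs whose SVI has no inbound ACL.

    A guest VLAN with no SVI on this switch is reported too, because the
    restriction must then be enforced on some other device.
    """
    stanzas = parse_interfaces(config)
    findings = {}
    for name, cmds in stanzas.items():
        for m in filter(None, (re.fullmatch(r"dot1x guest-vlan (\d+)", c) for c in cmds)):
            svi = stanzas.get("Vlan" + m.group(1), [])
            if not any(re.fullmatch(r"ip access-group \S+ in", c) for c in svi):
                findings.setdefault(int(m.group(1)), []).append(name)
    return findings

print(unfiltered_guest_vlans(SAMPLE_CONFIG))
```

The check only confirms that an inbound ACL is attached; whether that ACL is actually restrictive still has to be reviewed by hand.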