From: ccie2be (ccie2be@nyc.rr.com)
Date: Wed Dec 22 2004 - 09:50:10 GMT-3
Hi John,

What time zone are you in? I'm in EST and I don't expect that many people
are as crazy as I am and get up at 4 am.

Thanks again for getting back to me.

I guess my problem is that when I'm learning about a new feature, I like to
understand the practical benefit of the feature, and I assume that if Cisco
goes to the time, expense and trouble of creating a feature, that feature
provides an advantage that didn't previously exist. I've found exceptions
before and this looks like another exception.

As you say, since guest VLANs are no different from any other VLAN, if I
want to implement 802.1x security but some hosts don't support this
protocol, I can put those workstations in a regular VLAN without 802.1x
applied to those ports and apply very restrictive policies to that VLAN, or
I can create a guest VLAN with 802.1x applied to all ports and those hosts
that don't support 802.1x are exempted. And, as before, I need to apply
restrictive access policies to that guest VLAN.

One last question on this. What happens when a host that does support 802.1x
is connected to a port which is configured to be in a guest VLAN? Is that
host authenticated by 802.1x?

Thanks again, Tim
----- Original Message -----
From: "John Wong" <johnwk@unimelb.edu.au>
To: "ccie2be" <ccie2be@nyc.rr.com>
Cc: "Group Study" <ccielab@groupstudy.com>
Sent: Wednesday, December 22, 2004 6:08 AM
Subject: Re: Fw: 3550 - guest vlan's
> Tim,
>
> Guest VLANs are no different from other VLANs. Its how you
> configure your network/security devices to implement the
> restrictions. The difference is that you as the administrator
> now have 2 Groups/Vlans at your disposal to implement whatever
> security policy that you see fit. Most people would want to
> put the Guest users into a very restrictive environment while
> the authenticated users be given more access. I hope this
> explanation is clear.
>
> Cheers!
>
> ccie2be wrote:
> > Thanks John for getting back to me.
> >
> > So, from a functionality point of view
> >
> > guest vlan = regular vlan w/o 802.1x authen
> >
> > Is that equation true?
> >
> > And, if it is, what's the point?
> >
> > Thanks, Tim
> >
> >
> > ----- Original Message -----
> > From: "John Wong" <johnwk@unimelb.edu.au>
> > To: "ccie2be" <ccie2be@nyc.rr.com>
> > Cc: "Group Study" <ccielab@groupstudy.com>
> > Sent: Wednesday, December 22, 2004 1:11 AM
> > Subject: Re: Fw: 3550 - guest vlan's
> >
> >
> >
> >>Tim,
> >>
> >>From what I understand, the Guest VLAN should be restricted by some other
> >>means (i.e. Firewalls, ACLs, etc...) such that the "guests" are restricted
> >>in what resources/services they can access. e.g. guests are redirected to
> >>a webserver which contains information or files required to enable 802.1x
> >>if they need Internet access, etc. Only authenticated users should be
> >>given full/more access to resources.
> >>
> >>Cheers!
> >>
> >>ccie2be wrote:
> >>
> >>>Hi guys,
> >>>
> >>>When you configure a vlan to be a guest vlan for hosts that aren't 802.1x
> >>>compliant, are there, by default, any restrictions on what traffic the
> >>>port will pass?
> >>>
> >>>From what I can tell from the documentation, a guest vlan is like any
> >>>other vlan except non 802.1x compliant hosts don't have to authenticate.
> >>>But, what makes no sense to me is, if a non 802.1x host is connected to a
> >>>port, why make that port require dot1x authentication in the first place?
> >>>
> >>>To me, it seems like first you're requiring 802.1x authentication for a
> >>>port and then with the guest vlan you're not requiring 802.1x for that
> >>>same port.
> >>>
> >>>Maybe I'm the dumb one here, but this seems pretty stupid. So, I'm hoping
> >>>someone can explain why this isn't actually as stupid as it seems.
> >>>
> >>>Also, if anyone knows of any white papers or case studies that explain or
> >>>provide examples of how to make practical use of this feature, could you
> >>>provide a link?
> >>>
> >>>Thanks a lot, Tim
> >>>
> >>>_______________________________________________________________________
> >>>Subscription information may be found at:
> >>>http://www.groupstudy.com/list/CCIELab.html
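As an added example (not taken from any of the posts above), this is the shape of the 3550 configuration the thread is discussing: an access port with 802.1x enabled and a guest VLAN as the fallback for hosts that never answer the switch, plus a router ACL on the guest VLAN's SVI that only lets guests obtain an address, resolve names and reach the web server holding the supplicant software, which is the "redirected to a webserver" arrangement John describes. Every VLAN number, interface name, IP address and the RADIUS key are assumed values chosen for the example.

```cisco
! Added example, not from the thread. VLAN numbers, addresses, interface
! name and RADIUS key are assumptions.
aaa new-model
aaa authentication dot1x default group radius
radius-server host 10.0.0.5 auth-port 1812 acct-port 1813 key EXAMPLE-KEY
dot1x system-auth-control
ip routing
!
vlan 10
 name USERS
vlan 20
 name GUEST
!
! What a guest is allowed to do: DHCP (relayed by the SVI below), DNS and
! HTTP to the one server (10.20.0.10) that carries the 802.1x client and
! instructions. Everything else routed out of the guest VLAN is dropped.
ip access-list extended GUEST-IN
 permit udp any eq bootpc any eq bootps
 permit udp any host 10.20.0.10 eq domain
 permit tcp any host 10.20.0.10 eq www
 deny   ip any any
!
interface Vlan20
 ip address 10.20.0.1 255.255.255.0
 ip helper-address 10.0.0.6
 ip access-group GUEST-IN in
!
! The access port: authenticated hosts land in VLAN 10; a host that never
! responds to the switch's EAP-Request/Identity is put into VLAN 20.
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 dot1x port-control auto
 dot1x guest-vlan 20
 ! Optional: shorten the identity-request interval (default 30 s) so a
 ! non-802.1x host reaches the guest VLAN sooner.
 dot1x timeout tx-period 10
```

Two caveats a practitioner would check. First, a router ACL on the SVI filters only traffic leaving the guest VLAN; guests can still talk to each other inside VLAN 20, so add `switchport protected` on the guest-facing ports or a VLAN access map if that matters. Second, the guest VLAN is a fallback, not an exemption for the port: the switch moves the port into it only when it gets no EAPOL response to its identity requests, and a host whose supplicant does answer goes through normal 802.1x authentication against RADIUS; on the 3550 code of this period the port is not placed in the guest VLAN at all once an EAPOL frame has been seen on it. `show dot1x interface fastethernet0/1` shows which state the port ended up in.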
This archive was generated by hypermail 2.1.4 : Mon Jan 03 2005 - 10:31:29 GMT-3