From: John Wong (johnwk@unimelb.edu.au)
Date: Wed Dec 22 2004 - 10:44:17 GMT-3
Tim,
I'm in Australia (AEST +10), thus the .au in the e-mail!
To answer your question, perhaps an example will do...
interface FastEthernet0/1
 switchport access vlan 100
 switchport mode access
 dot1x port-control auto
 dot1x guest-vlan 999
 spanning-tree portfast
If a non-dot1x capable host connects to this port, it is
placed into Vlan 999. If a dot1x capable host connects to
this port AND successfully authenticates, it is placed into
Vlan 100. If a dot1x host fails authentication, the port
goes into an unauthorized state (which is worse than a
guest Vlan actually).
Hope this is clear?
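A restrictive policy for the guest VLAN of the kind described earlier in this thread (limit guests to DHCP, DNS and the web server holding the 802.1x client files), written here as an added example rather than taken from any message in the thread. It assumes the 3550 routes for VLAN 999 through an SVI and uses hypothetical addresses: 10.99.0.0/24 for the guest subnet, 10.1.1.53 for DNS, 10.1.1.80 for the remediation web server and 10.1.1.67 for the DHCP server.

```cisco
! Added example, not from the thread. All addresses are hypothetical.
ip access-list extended GUEST-VLAN-IN
 remark Guests may obtain an address (clients have no IP yet, so source is any)
 permit udp any any eq bootps
 remark Guests may resolve names against the internal DNS server only
 permit udp 10.99.0.0 0.0.0.255 host 10.1.1.53 eq domain
 remark Guests may reach only the web server holding the 802.1x client files
 permit tcp 10.99.0.0 0.0.0.255 host 10.1.1.80 eq www
 remark Everything else, including the authenticated VLAN 100, is dropped and logged
 deny ip any any log
!
interface Vlan999
 description Guest VLAN for non-dot1x hosts (dot1x guest-vlan 999 on access ports)
 ip address 10.99.0.1 255.255.255.0
 ip helper-address 10.1.1.67
 ip access-group GUEST-VLAN-IN in
```

A router ACL on the SVI filters only traffic routed out of VLAN 999; guest-to-guest traffic inside the VLAN is not affected by it. After applying it, check with "show access-lists GUEST-VLAN-IN" that the deny counter increments when a guest host tries to reach an address in VLAN 100 while the permit counters still climb for DHCP, DNS and the web server.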
ccie2be wrote:
> Hi John,
>
> What time zone are you in? I'm in EST and I don't expect that many people
> are as crazy as I am and get up at 4 am.
>
> Thanks again for getting back to me.
>
> I guess my problem is that when I'm learning about a new feature, I like
> to understand the practical benefit of the feature and I assume that if
> Cisco goes to the time, expense and trouble of creating a feature, that
> feature provides an advantage that didn't previously exist.
>
> I've found exceptions before and this looks like another exception.
>
> As you say, since guest vlan's are no different from any other vlan, if I
> want to implement 802.1x security but some hosts don't support this
> protocol, I can put those workstations in a regular vlan without 802.1x
> applied to those ports and apply very restrictive policies to that vlan,
> or I can create a guest vlan with 802.1x applied to all ports and those
> hosts that don't support 802.1x are exempted. And, as before, I need to
> apply restrictive access policies to that guest vlan.
>
> One last question on this. What happens when a host that does support
> 802.1x is connected to a port which is configured to be in a guest vlan?
> Is that host authenticated by 802.1x?
>
> Thanks again, Tim
>
>
> ----- Original Message -----
> From: "John Wong" <johnwk@unimelb.edu.au>
> To: "ccie2be" <ccie2be@nyc.rr.com>
> Cc: "Group Study" <ccielab@groupstudy.com>
> Sent: Wednesday, December 22, 2004 6:08 AM
> Subject: Re: Fw: 3550 - guest vlan's
>
>>Tim,
>>
>>Guest VLANs are no different from other VLANs. It's how you
>>configure your network/security devices to implement the
>>restrictions. The difference is that you as the administrator
>>now have 2 Groups/Vlans at your disposal to implement whatever
>>security policy that you see fit. Most people would want to
>>put the Guest users into a very restrictive environment while
>>the authenticated users are given more access. I hope this
>>explanation is clear.
>>
>>Cheers!
>>
>>ccie2be wrote:
>>
>>>Thanks John for getting back to me.
>>>
>>>So, from a functionality point of view
>>>
>>>guest vlan = regular vlan w/o 802.1x authen
>>>
>>>Is that equation true?
>>>
>>>And, if it is, what's the point?
>>>
>>>Thanks, Tim
>>>
>>>
>>>----- Original Message -----
>>>From: "John Wong" <johnwk@unimelb.edu.au>
>>>To: "ccie2be" <ccie2be@nyc.rr.com>
>>>Cc: "Group Study" <ccielab@groupstudy.com>
>>>Sent: Wednesday, December 22, 2004 1:11 AM
>>>Subject: Re: Fw: 3550 - guest vlan's
>>>
>>>>Tim,
>>>>
>>>>From what I understand, the Guest VLAN should be restricted by some
>>>>other means (i.e. Firewalls, ACLs, etc...) such that the "guests" are
>>>>restricted in what resources/services they can access. e.g. guests are
>>>>redirected to a webserver which contains information or files required
>>>>to enable 802.1x if they need Internet access, etc.. Only authenticated
>>>>users should be given full/more access to resources.
>>>>
>>>>Cheers!
>>>>
>>>>ccie2be wrote:
>>>>
>>>>
>>>>>Hi guys,
>>>>>
>>>>>When you configure a vlan to be a guest vlan for hosts that aren't 802.1x
>>>>>compliant, are there, by default, any restrictions on what traffic the
>>>>>port will pass?
>>>>>
>>>>>From what I can tell from the documentation, a guest vlan is like any
>>>>>other vlan except non 802.1x compliant hosts don't have to authenticate.
>>>>>But, what makes no sense to me is, if a non 802.1x host is connected to
>>>>>a port, why make that port require dot1x authentication in the first
>>>>>place?
>>>>>
>>>>>To me, it seems like first you're requiring 802.1x authentication for a
>>>>>port and then with the guest vlan you're not requiring 802.1x for that
>>>>>same port.
>>>>>
>>>>>Maybe I'm the dumb one here, but this seems pretty stupid. So, I'm
>>>>>hoping someone can explain why this isn't actually as stupid as it
>>>>>seems.
>>>>>
>>>>>Also, if anyone knows of any white papers or case studies that explain
>>>>>or provide examples of how to make practical use of this feature, could
>>>>>you provide a link?
>>>>>
>>>>>Thanks a lot, Tim
>>>>>
>>>>>_______________________________________________________________________
>>>>>Subscription information may be found at:
>>>>>http://www.groupstudy.com/list/CCIELab.html
This archive was generated by hypermail 2.1.4 : Mon Jan 03 2005 - 10:31:29 GMT-3