Re: Fw: 3550 - guest vlan's

From: ccie2be (ccie2be@nyc.rr.com)
Date: Wed Dec 22 2004 - 12:41:39 GMT-3


Hey John,

In thinking about this, it occurs to me that the real benefit of this guest
vlan feature is when dot1x host-mode multihost is used where some of the
hosts are dot1x compatible but others are not. This way when a non-802.1x
host wants to access the network, they could be restricted to connecting
only to a server where they could download an 802.1x client. Once they
install the 802.1x client, they could then authenticate via 802.1x and then
have whatever access is allowed to the regular vlan configured on the port.

I guess I never thought of this because except for trunks and voice vlans, I
didn't realize that more than 1 vlan could be assigned to an access port.

Anyway, I think that with your help, I now understand how this works and how
this could be useful. Do you agree?

Thanks again, Tim

----- Original Message -----
From: "John Wong" <johnwk@unimelb.edu.au>
To: "ccie2be" <ccie2be@nyc.rr.com>
Cc: "Group Study" <ccielab@groupstudy.com>
Sent: Wednesday, December 22, 2004 8:44 AM
Subject: Re: Fw: 3550 - guest vlan's

> Tim,
>
> I'm in Australia (AEST +10), thus the .au in the e-mail!
>
> To answer your question, perhaps an example will do...
>
> interface FastEthernet0/1
> switchport access vlan 100
> switchport mode access
> dot1x port-control auto
> dot1x guest-vlan 999
> spanning-tree portfast
>
> If a non-dot1x capable host connects to this port, it is
> placed into Vlan 999. If a dot1x capable host connects to
> this port AND successfully authenticates, it is placed into
> Vlan 100. If a dot1x host fails authentication, the port
> goes into an unauthorized state (which is worse than a
> guest Vlan actually).
>
> Hope this is clear?
>
>
> ccie2be wrote:
> > Hi John,
> >
> > What time zone are you in? I'm in EST and I don't expect that many
> > people are as crazy as I am and get up at 4 am.
> >
> > Thanks again for getting back to me.
> >
> > I guess my problem is that when I'm learning about a new feature, I
> > like to understand the practical benefit of the feature and I assume
> > that if Cisco goes to the time, expense and trouble of creating a
> > feature, that feature provides an advantage that didn't previously
> > exist.
> >
> > I've found exceptions before and this looks like another exception.
> >
> > As you say, since guest vlans are no different from any other vlan, if
> > I want to implement 802.1x security but some hosts don't support this
> > protocol, I can put those workstations in a regular vlan without 802.1x
> > applied to those ports and apply very restrictive policies to that vlan,
> > or I can create a guest vlan with 802.1x applied to all ports and those
> > hosts that don't support 802.1x are exempted. And, as before, I need to
> > apply restrictive access policies to that guest vlan.
> >
> > One last question on this. What happens when a host that does support
> > 802.1x is connected to a port which is configured to be in a guest
> > vlan? Is that host authenticated by 802.1x?
> >
> > Thanks again, Tim
> >
> >
> > ----- Original Message -----
> > From: "John Wong" <johnwk@unimelb.edu.au>
> > To: "ccie2be" <ccie2be@nyc.rr.com>
> > Cc: "Group Study" <ccielab@groupstudy.com>
> > Sent: Wednesday, December 22, 2004 6:08 AM
> > Subject: Re: Fw: 3550 - guest vlan's
> >
> >
> >
> >>Tim,
> >>
> >>Guest VLANs are no different from other VLANs. It's how you
> >>configure your network/security devices to implement the
> >>restrictions. The difference is that you as the administrator
> >>now have 2 Groups/Vlans at your disposal to implement whatever
> >>security policy that you see fit. Most people would want to
> >>put the Guest users into a very restrictive environment while
> >>the authenticated users are given more access. I hope this
> >>explanation is clear.
> >>
> >>Cheers!
> >>
> >>ccie2be wrote:
> >>
> >>>Thanks John for getting back to me.
> >>>
> >>>So, from a functionality point of view
> >>>
> >>>guest vlan = regular vlan w/o 802.1x authen
> >>>
> >>>Is that equation true?
> >>>
> >>>And, if it is, what's the point?
> >>>
> >>>Thanks, Tim
> >>>
> >>>
> >>>----- Original Message -----
> >>>From: "John Wong" <johnwk@unimelb.edu.au>
> >>>To: "ccie2be" <ccie2be@nyc.rr.com>
> >>>Cc: "Group Study" <ccielab@groupstudy.com>
> >>>Sent: Wednesday, December 22, 2004 1:11 AM
> >>>Subject: Re: Fw: 3550 - guest vlan's
> >>>
> >>>
> >>>
> >>>
> >>>>Tim,
> >>>>
> >>>>From what I understand, the Guest VLAN should be restricted by some
> >>>>other means (i.e. Firewalls, ACLs, etc...) such that the "guests" are
> >>>>restricted in what resources/services they can access. e.g. guests are
> >>>>redirected to a webserver which contains information or files required
> >>>>to enable 802.1x if they need Internet access, etc.. Only authenticated
> >>>>users should be given full/more access to resources.
> >>>>
> >>>>Cheers!
> >>>>
> >>>>ccie2be wrote:
> >>>>
> >>>>
> >>>>>Hi guys,
> >>>>>
> >>>>>When you configure a vlan to be a guest vlan for hosts that aren't
> >>>>>802.1x compliant, are there, by default, any restrictions on what
> >>>>>traffic the port will pass?
> >>>>>
> >>>>>From what I can tell from the documentation, a guest vlan is like
> >>>>>any other vlan except non 802.1x compliant hosts don't have to
> >>>>>authenticate. But, what makes no sense to me is, if a non 802.1x
> >>>>>host is connected to a port, why make that port require dot1x
> >>>>>authentication in the first place?
> >>>>>
> >>>>>To me, it seems like first you're requiring 802.1x authentication
> >>>>>for a port and then with the guest vlan you're not requiring 802.1x
> >>>>>for that same port.
> >>>>>
> >>>>>Maybe I'm the dumb one here, but this seems pretty stupid. So, I'm
> >>>>>hoping someone can explain why this isn't actually as stupid as it
> >>>>>seems.
> >>>>>
> >>>>>Also, if anyone knows of any white papers or case studies that
> >>>>>explain or provide examples of how to make practical use of this
> >>>>>feature, could you provide a link?
> >>>>>
> >>>>>Thanks a lot, Tim
> >>>>>
> >>>>>_______________________________________________________________________
> >>>>>Subscription information may be found at:
> >>>>>http://www.groupstudy.com/list/CCIELab.html
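The thread above turns on how `dot1x port-control`, `dot1x guest-vlan` and the access VLAN interact on a port. The following is an added example written for this archive page, not code from the list or from Cisco: a small parser for the interface section of an IOS running-config that extracts those settings per port and flags the combinations a reviewer would want to look at before relying on the guest VLAN for containment. `FastEthernet0/1` in the constructed sample copies the port John posted; the other four ports, the `Port`/`audit_port` names and the wording of the findings are assumptions of this example. The multi-host check reflects the documented 802.1x behaviour that a single successful authentication authorizes the port for every attached host.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed running-config excerpt (not captured from a real switch).
# Fa0/1 mirrors the port John Wong posted; Fa0/2-Fa0/5 are hypothetical.
SAMPLE_CONFIG = """\
!
interface FastEthernet0/1
 switchport access vlan 100
 switchport mode access
 dot1x port-control auto
 dot1x guest-vlan 999
 spanning-tree portfast
!
interface FastEthernet0/2
 switchport access vlan 100
 switchport mode access
 dot1x port-control auto
 spanning-tree portfast
!
interface FastEthernet0/3
 switchport access vlan 999
 switchport mode access
 dot1x port-control auto
 dot1x guest-vlan 999
!
interface FastEthernet0/4
 switchport access vlan 100
 switchport mode access
 dot1x guest-vlan 999
!
interface FastEthernet0/5
 switchport access vlan 100
 switchport mode access
 dot1x port-control auto
 dot1x host-mode multi-host
 dot1x guest-vlan 999
!
"""


@dataclass
class Port:
    """Per-interface settings relevant to 802.1x guest-VLAN behaviour (hypothetical helper)."""
    name: str
    access_vlan: Optional[int] = None
    mode: Optional[str] = None
    port_control: Optional[str] = None  # None = IOS default, force-authorized (no 802.1x)
    guest_vlan: Optional[int] = None
    host_mode: Optional[str] = None     # None = single-host default


def parse_config(text: str) -> Dict[str, Port]:
    """Walk an IOS config: unindented 'interface X' opens a block, indented lines are its commands."""
    ports: Dict[str, Port] = {}
    current: Optional[Port] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):
            m = re.match(r"interface (\S+)$", line)
            current = Port(m.group(1)) if m else None
            if current:
                ports[current.name] = current
            continue
        if current is None:
            continue
        cmd = line.strip()
        if m := re.match(r"switchport access vlan (\d+)$", cmd):
            current.access_vlan = int(m.group(1))
        elif m := re.match(r"switchport mode (\S+)$", cmd):
            current.mode = m.group(1)
        elif m := re.match(r"dot1x port-control (\S+)$", cmd):
            current.port_control = m.group(1)
        elif m := re.match(r"dot1x guest-vlan (\d+)$", cmd):
            current.guest_vlan = int(m.group(1))
        elif m := re.match(r"dot1x host-mode (\S+)$", cmd):
            current.host_mode = m.group(1)
    return ports


def audit_port(p: Port) -> List[str]:
    """Return review findings for one port; an empty list means nothing to flag."""
    findings: List[str] = []
    if p.guest_vlan is not None and p.port_control != "auto":
        findings.append("guest-vlan set but port-control is not auto: 802.1x never runs, "
                        "so the guest VLAN is never applied and all hosts land in the access VLAN")
    if p.guest_vlan is not None and p.guest_vlan == p.access_vlan:
        findings.append("guest VLAN equals the access VLAN: non-802.1x hosts get the same "
                        "access as authenticated hosts, defeating the separation")
    if p.port_control == "auto" and p.guest_vlan is None:
        findings.append("802.1x enforced with no guest VLAN: non-802.1x hosts get no access "
                        "(valid, but confirm it is intended)")
    if p.host_mode == "multi-host":
        findings.append("multi-host mode: one successful authentication authorizes the port "
                        "for every attached MAC, so unauthenticated hosts ride along")
    return findings


def audit_config(text: str) -> Dict[str, List[str]]:
    """Parse a config and audit every interface that appeared in it."""
    return {name: audit_port(port) for name, port in parse_config(text).items()}


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(name, "OK" if not findings else "")
        for f in findings:
            print("   -", f)
```

Run it against `show running-config` output saved to a file by swapping `SAMPLE_CONFIG` for the file's contents; the parser only keys on the four `switchport`/`dot1x` commands it needs, so unrelated lines such as `spanning-tree portfast` are ignored. Note that a clean result here says nothing about what VLAN 999 can reach, which, as John's first reply stresses, still has to be enforced with ACLs or a firewall on the guest VLAN.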



This archive was generated by hypermail 2.1.4 : Mon Jan 03 2005 - 10:31:29 GMT-3