Re: Vlan Assignment - Static

From: Joe Astorino <jastorino_at_ipexpert.com>
Date: Fri, 4 Sep 2009 13:48:46 -0400

I agree. It was just the first thing that came to mind. I suppose 802.1x
is really the new way to do things. I have never actually seen VMPS in a
production environment, and with the way security is going, more and more
places are using 802.1x anyways.

On Fri, Sep 4, 2009 at 1:42 PM, Ryan West <rwest_at_zyedge.com> wrote:

> Joe,
>
> I haven't messed with VMPS and I made an assumption about the engagement
> size, which I probably shouldn't :). Anyhow, from what I can tell you, you
> need at a minimum a 4000 series switch to pull this off. 802.1x information
> can be implemented down to a 2950.
>
> Here are some basic notes I found:
>
>
>
> *Notes*:
>
> 1. The VMPS is not supported on the Cisco Catalyst 2950.
>
> 2. The Cisco Catalyst 3550 and 3548 only support the VMPS client. High-end
> switches such as the Catalyst 6000/6500 switches can be a VMPS server.
>
> 3. A PC cannot be configured to be a VMPS server.
>
>
>
> http://supportwiki.cisco.com/ViewWiki/index.php/How_to_configure_a_Cisco_Catalyst_switch_as_a_VMPS
>
>
>
> I guess it works fine for MAC to VLAN mapping, but seems pretty basic in
> its flexibility. Oh well, learn something new every day.
>
>
>
> -ryan
>
>
>
> *From:* Joe Astorino [mailto:jastorino_at_ipexpert.com]
> *Sent:* Friday, September 04, 2009 1:18 PM
> *To:* Ryan West
> *Cc:* Nauman Habib; George Tosh; Cisco certification
>
> *Subject:* Re: Vlan Assignment - Static
>
>
>
> You could do dynamic VLAN allocation with a VMPS server as Rich said. That
> is pretty much what it was built for.
>
> On Fri, Sep 4, 2009 at 8:46 AM, Ryan West <rwest_at_zyedge.com> wrote:
>
> Nauman,
>
> I'm not sure what else to tell you. Anything that has to identify a user
> and assign them to a particular VLAN requires at the very least cooperation
> from the switch and a device to perform the identity verification. 802.1x
> is an open standard and supported in modern operating systems and switches.
>
> You can pull off what you want with a 2950, a desktop, and a Windows
> domain. You could look at NAC, but that is a huge ball of CF :)
>
> You mentioned wireless with a specific SSID. Using the same 802.1x
> supplicant information for wireless, you can actually use the same SSID for
> all users and map individual users / groups to particular VLANs. I think
> you should consider 802.1x again, the mainstream support for it is there.
> Granted you may have to extend your schema a little, but I think that's
> better than having a redirected web page, a fat client, or some XAUTH
> extension. You want security to be effective, but not cumbersome.
>
> -ryan
>
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> Nauman Habib
>
> Sent: Friday, September 04, 2009 7:10 AM
> To: George Tosh
> Cc: Cisco certification
> Subject: Re: Vlan Assignment - Static
>
> Thanks all,
>
> 802.1x will require a RADIUS server (ACS) and compatibility of LAN
> cards and switches in the network.
>
> Is there any alternative to 802.1x?
>
> If there is a better way, as George Tosh mentioned, what could it be?
>
> Regards
>
> Nauman
>
> On Fri, Sep 4, 2009 at 12:38 AM, George Tosh <gtosh_at_aeneas.net> wrote:
>
> > I'm sure there is a better way to do this, however you might try 802.1x
> > auth with vlan assignment.
> >
> > http://www.ciscopress.com/articles/article.asp?p=29600&seqNum=3
> >
> >
> > -----Original Message-----
> > From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> > Nauman Habib
> > Sent: Thursday, September 03, 2009 4:26 PM
> > To: Cisco certification
> > Subject: Vlan Assignment - Static
> >
> > Dear Experts,
> >
> > I am looking for a solution in reply to a scenario:
> >
> > The client wants a VIP user to get an IP from the same VLAN - always - we
> > can call it the VIP VLAN
> >
> > which will have special bandwidth allocation and privileges.
> >
> > What are the possible ways that this can be achieved?
> >
> > I know it's quite feasible for the WIRELESS users to have a dedicated VIP
> > SSID - connecting to that VIP VLAN
> >
> > but if the user is moving his laptop from one physical ethernet port to
> > the other - what is the possible solution?
> >
> > Thanks in advance.
> >
> > Regards,
> >
> > Nauman
> >
> >
> > Blogs and organic groups at http://www.ccie.net
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
>
>
> --
> Regards,
>
> Nauman
>
>
> --
> Regards,
>
> Joe Astorino - CCIE #24347 R&S
> Technical Instructor - IPexpert, Inc.
> Cell: +1.586.212.6107
> Fax: +1.810.454.0130
> Mailto: jastorino_at_ipexpert.com
>

--
Regards,
Joe Astorino - CCIE #24347 R&S
Technical Instructor - IPexpert, Inc.
Cell: +1.586.212.6107
Fax: +1.810.454.0130
Mailto:  jastorino_at_ipexpert.com
Blogs and organic groups at http://www.ccie.net
Received on Fri Sep 04 2009 - 13:48:46 ART
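
As an added example (not part of the original thread): the 802.1x VLAN assignment discussed above works by the RADIUS server returning three tunnel attributes in its Access-Accept, keyed to the user's identity rather than to the port. The sketch below encodes them for a constructed group-to-VLAN policy and shows a fail-closed check on the receiving side; the group names, VLAN numbers and function names are assumptions for illustration.

```python
import struct

# RADIUS tunnel attributes (RFC 2868) with the values RFC 3580 uses for VLANs
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN, IEEE_802 = 13, 6

# Constructed policy: directory group -> VLAN ID (hypothetical names and numbers)
GROUP_TO_VLAN = {"vip": 50, "staff": 20}


def vlan_attributes(group):
    """Encode the tunnel attributes sent in an Access-Accept for this group."""
    vlan_id = str(GROUP_TO_VLAN[group]).encode("ascii")  # VLAN ID travels as a string
    return (
        struct.pack("!BBB3s", TUNNEL_TYPE, 6, 0, VLAN.to_bytes(3, "big"))
        + struct.pack("!BBB3s", TUNNEL_MEDIUM_TYPE, 6, 0, IEEE_802.to_bytes(3, "big"))
        + struct.pack("!BB", TUNNEL_PRIVATE_GROUP_ID, 2 + len(vlan_id)) + vlan_id
    )


def assigned_vlan(attrs):
    """Return the VLAN ID to apply to the port, or None if the reply is unusable."""
    seen, i = {}, 0
    while i + 2 <= len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 3 or i + alen > len(attrs):
            return None  # malformed attribute: never guess a VLAN
        seen[atype] = attrs[i + 2:i + alen]
        i += alen
    if i != len(attrs):
        return None  # trailing bytes that do not form an attribute
    ttype = seen.get(TUNNEL_TYPE, b"")
    medium = seen.get(TUNNEL_MEDIUM_TYPE, b"")
    group = seen.get(TUNNEL_PRIVATE_GROUP_ID, b"")
    if len(ttype) != 4 or int.from_bytes(ttype[1:], "big") != VLAN:
        return None
    if len(medium) != 4 or int.from_bytes(medium[1:], "big") != IEEE_802:
        return None
    if group and group[0] <= 0x1F:
        group = group[1:]  # optional leading tag byte
    if not group.isdigit() or not 1 <= int(group) <= 4094:
        return None  # this sketch accepts numeric VLAN IDs only
    return int(group)
```

A None result corresponds to leaving the port in its configured access VLAN (or unauthorized) rather than placing the user in the VIP VLAN on a partial or malformed reply.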

This archive was generated by hypermail 2.2.0 : Sun Oct 04 2009 - 07:42:02 ART