We did use VMPS in a production environment with about 1000 users.
One of the admins had a small script and we took tickets from the IT
desk and uploaded a change once a day and yes we had a couple of
Catalyst 6500s holding these tables. Someone could still spoof
their PC MAC address if they wanted but it wasn't meant to be highly
secure.
I suppose 802.1x is the direction these days.
-Rich
On Fri, Sep 4, 2009 at 1:48 PM, Joe Astorino <jastorino_at_ipexpert.com> wrote:
> I agree. It was just the first thing that came to mind. I suppose 802.1x
> is really the new way to do things. I have never actually seen VMPS in a
> production environment, and with the way security is going, more and more
> places are using 802.1x anyways
>
> On Fri, Sep 4, 2009 at 1:42 PM, Ryan West <rwest_at_zyedge.com> wrote:
>
>> Joe,
>>
>>
>>
>> I haven't messed with VMPS and I made an assumption about the engagement
>> size, which I probably shouldn't :). Anyhow, from what I can tell you, you
>> need at a minimum a 4000 series switch to pull this off. 802.1x
>> information can be implemented down to a 2950
>>
>>
>>
>> Here are some basic notes I found:
>>
>>
>>
>> *Notes*:
>>
>> 1. The VMPS is not supported on the Cisco Catalyst 2950.
>>
>> 2. The Cisco Catalyst 3550 and 3548 only support the VMPS client. High-end
>> switches such as the Catalyst 6000/6500 switches can be a VMPS server.
>>
>> 3. A PC cannot be configured to be a VMPS server.
>>
>>
>>
>> http://supportwiki.cisco.com/ViewWiki/index.php/How_to_configure_a_Cisco_Catalyst_switch_as_a_VMPS
>>
>>
>>
>> I guess it works fine for MAC to VLAN mapping, but seems pretty basic in
>> its flexibility. Oh well, learn something new every day.
>>
>>
>>
>> -ryan
>>
>>
>>
>> *From:* Joe Astorino [mailto:jastorino_at_ipexpert.com]
>> *Sent:* Friday, September 04, 2009 1:18 PM
>> *To:* Ryan West
>> *Cc:* Nauman Habib; George Tosh; Cisco certification
>>
>> *Subject:* Re: Vlan Assignment - Static
>>
>>
>>
>> You could do dynamic VLAN allocation with a VMPS server as Rich said. That
>> is pretty much what it was built for.
>>
>> On Fri, Sep 4, 2009 at 8:46 AM, Ryan West <rwest_at_zyedge.com> wrote:
>>
>> Nauman,
>>
>> I'm not sure what else to tell you. Anything that has to identify a user
>> and assign them to a particular VLAN requires at the very least cooperation
>> from the switch and a device to perform the identity verification. 802.1x
>> is an open standard and supported in modern operating systems and switches.
>>
>> You can pull off what you want with a 2950, a desktop, and a Windows
>> domain. You could look at NAC, but that is a huge ball of CF :)
>>
>> You mentioned wireless with a specific SSID. Using the same 802.1x
>> supplicant information for wireless, you can actually use the same SSID for
>> all users and map individual users / groups to particular VLANs. I think
>> you should consider 802.1x again, the mainstream support for it is there.
>> Granted you may have to extend your schema a little, but I think that's
>> better than having a redirected web page, a fat client, or some XAUTH
>> extension. You want security to be effective, but not cumbersome.
>>
>> -ryan
>>
>>
>> -----Original Message-----
>> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
>> Nauman Habib
>>
>> Sent: Friday, September 04, 2009 7:10 AM
>> To: George Tosh
>> Cc: Cisco certification
>> Subject: Re: Vlan Assignment - Static
>>
>> Thanks all ,
>>
>> 802.1x will require a RADIUS server (ACS) and compatibility of LAN
>> cards and switches in the network
>>
>> Is there any alternative to 802.1x ??
>>
>> If there is a better way - as George Tosh mentioned - what could it be ?
>>
>> Regards
>>
>> Nauman
>>
>>
>>
>>
>>
>>
>> On Fri, Sep 4, 2009 at 12:38 AM, George Tosh <gtosh_at_aeneas.net> wrote:
>>
>> > I'm sure there is a better way to do this, however you might try 802.1x
>> > auth
>> > with vlan assignment.
>> >
>> > http://www.ciscopress.com/articles/article.asp?p=29600&seqNum=3
>> >
>> >
>> > -----Original Message-----
>> > From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
>> > Nauman Habib
>> > Sent: Thursday, September 03, 2009 4:26 PM
>> > To: Cisco certification
>> > Subject: Vlan Assignment - Static
>> >
>> > Dear Experts,
>> >
>> > I am looking for a solution in reply to a scenario :
>> >
>> > The client wants a VIP user to get an IP from the same VLAN - always - we
>> > can say it as VIP VLAN
>> >
>> > which will be having special bandwidth allocation and privileges
>> >
>> > What are the possible ways that this can be achieved ???
>> >
>> > I know it's quite feasible for the wireless users to have a dedicated VIP
>> > SSID - connecting to that VIP VLAN
>> >
>> > but if the user is moving his laptop from one physical Ethernet port to
>> > the other - what is the possible solution
>> >
>> > Thanks in advance.
>> >
>> > Regards,
>> >
>> > Nauman
>> >
>> >
>> > Blogs and organic groups at http://www.ccie.net
>> >
>> > _______________________________________________________________________
>> > Subscription information may be found at:
>> > http://www.groupstudy.com/list/CCIELab.html
>> >
>>
>>
>> --
>> Regards,
>>
>> Nauman
>>
>> --
>> Regards,
>>
>> Joe Astorino - CCIE #24347 R&S
>> Technical Instructor - IPexpert, Inc.
>> Cell: +1.586.212.6107
>> Fax: +1.810.454.0130
>> Mailto: jastorino_at_ipexpert.com
>>
Received on Fri Sep 04 2009 - 15:10:16 ART
This archive was generated by hypermail 2.2.0 : Sun Oct 04 2009 - 07:42:02 ART
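
Added example, not part of the original thread: the 802.1x VLAN assignment discussed above is carried in three RADIUS Access-Accept attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID, per RFC 2868 and RFC 3580). The sketch below maps a user's groups to a VLAN and encodes those attributes; the group names, VLAN IDs, fallback VLAN and function names are assumptions made up for illustration.

```python
# Added example: the group names and VLAN IDs below are constructed, not from the thread.
import struct

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81  # RFC 2868
TUNNEL_TYPE_VLAN = 13   # RFC 3580
TUNNEL_MEDIUM_802 = 6   # RFC 2868, IEEE 802

# Hypothetical policy, highest priority first; the first matching group wins.
GROUP_POLICY = [("vip", 110), ("staff", 120)]
FALLBACK_VLAN = 999     # constructed restricted VLAN for users in no listed group


def pick_vlan(groups):
    """Choose by policy order, not by the order the directory returned groups in."""
    member_of = {g.lower() for g in groups}
    for group, vlan in GROUP_POLICY:
        if group in member_of:
            return vlan
    return FALLBACK_VLAN


def _tagged_int(attr_type, value):
    # Type, Length=6, Tag=0x00 (unused), 3-byte big-endian value.
    return struct.pack("!BBB", attr_type, 6, 0) + value.to_bytes(3, "big")


def vlan_attributes(vlan_id):
    """Encode the three Access-Accept attributes that place a port in vlan_id."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID out of range")
    vid = str(vlan_id).encode("ascii")  # RFC 3580: VLAN ID sent as a string, tag omitted
    return (_tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN)
            + _tagged_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_802)
            + struct.pack("!BB", TUNNEL_PRIVATE_GROUP_ID, 2 + len(vid)) + vid)


def decode(blob):
    """Parse the TLVs back into {type: value bytes}, rejecting malformed lengths."""
    out, i = {}, 0
    while i < len(blob):
        if i + 2 > len(blob) or blob[i + 1] < 3 or i + blob[i + 1] > len(blob):
            raise ValueError("malformed attribute")
        out[blob[i]] = blob[i + 2:i + blob[i + 1]]
        i += blob[i + 1]
    return out


if __name__ == "__main__":
    print(vlan_attributes(pick_vlan(["Staff", "VIP"])).hex())
```

Because the VLAN follows the authenticated identity rather than the MAC address or the physical port, the same user lands in the same VLAN on any 802.1x-enabled port, and an unknown user falls into the restricted VLAN instead of a default one.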