802.1x Guest Vlan and Routed access layer design

Hi!
For many reasons, I have to re-design my campus network in a more ISP-like way. The plan is to move to a routed access layer in the next two years. I have 802.1x with guest VLAN on my access ports (3750). I was reading on the subject and I found that the guest VLAN feature was not available with an internal VLAN (routed port).
Is this limitation really there? Is there a way I can get around it without complicating my design even more? Does Cisco have plans to lift this?

You cannot use/configure 802.1X on a routed port today. Typically, 802.1X is to be used for LAN edge ports.
The Guest-VLAN should work with a routed access design though. If your Guest-VLAN is chosen to be separate from say otherwise statically configured access VLANs, you would need to configure it via separate SVI with corresponding IP info (in a routed access model).
Hope this helps,
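An added configuration example, not from the original thread, of what the reply describes: the edge port keeps 802.1X with a guest VLAN, the guest VLAN gets its own SVI because in a routed-access design the access switch (not the distribution layer) is the first-hop router, and the uplink is a routed port rather than a trunk. It assumes a 3750 running the classic `dot1x` command set (newer IOS releases express the same thing with the `authentication ...` commands); the VLAN numbers, addresses, RADIUS server and ACL name are all made up for the example.

```ios
! --- Added example: 802.1X guest VLAN on a routed-access 3750 ---
! Assumed values (hypothetical): VLAN 100 = employee data, VLAN 900 = guest,
! RADIUS server 10.0.0.5, DHCP server 10.0.0.10, internal space 10.0.0.0/8.
ip routing
!
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius-server host 10.0.0.5 auth-port 1812 acct-port 1813 key EXAMPLE-KEY
dot1x system-auth-control
!
vlan 100
 name DATA
vlan 900
 name GUEST
!
! Routed access: this switch is the default gateway for its VLANs, so the
! guest VLAN needs an SVI here, not on the distribution switch.
interface Vlan100
 ip address 10.10.0.1 255.255.255.0
 ip helper-address 10.0.0.10
!
! Guest SVI: hosts land here when no supplicant ever answers the switch.
! They are unauthenticated, so filter them at the first hop.
interface Vlan900
 ip address 10.90.0.1 255.255.255.0
 ip helper-address 10.0.0.10
 ip access-group GUEST-IN in
!
ip access-list extended GUEST-IN
 remark Let DHCP through (the relay on the SVI forwards it)
 permit udp any eq bootpc any eq bootps
 remark Guests get no path into internal address space
 deny   ip any 10.0.0.0 0.255.255.255
 remark Everything else (Internet) is allowed; hand guests an external DNS server via DHCP
 permit ip any any
!
! Uplink to distribution is a routed point-to-point link: no trunk, no SVI.
interface GigabitEthernet1/0/25
 no switchport
 ip address 10.255.1.2 255.255.255.252
!
! Edge port: 802.1X with guest VLAN fallback.
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 100
 dot1x pae authenticator
 dot1x port-control auto
 dot1x guest-vlan 900
 ! The guest VLAN is applied after (max-reauth-req + 1) unanswered
 ! EAP-Request/Identity frames sent tx-period seconds apart: here 3 x 10 = 30 s,
 ! short enough that a host's DHCP client is still retrying when the VLAN opens.
 dot1x timeout tx-period 10
 dot1x max-reauth-req 2
 spanning-tree portfast
```

The point worth checking after deployment is the guest SVI's ACL: in a switched design the guest VLAN could be filtered once at the distribution layer, but with routed access every access switch owns its own guest subnet and first-hop filtering, so the ACL has to exist (and be kept identical) on each of them.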

Similar Messages

  • Guest VLAN and SSID with a DHCP router

    I want to offer customers wireless access in my building. I've added VLAN 30 to my WAP with no encryption and broadcast the GUEST SSID. I also have a Netgear router plugged into a port with VLAN 30 access. I was hoping the wireless clients would get a DHCP address from this router since they are all on the same VLAN, but I cannot get it to work.
    Does anyone have any insight on this, or another way to setup the guest VLAN?

    You can create a guest VLAN.
    http://www.cisco.com/en/US/products/hw/wireless/ps430/products_configuration_guide_chapter09186a00800e02cb.html#1074827

  • Wireless 802.1X guest VLAN

    Hi everybody
    is there a way on the wireless controller or the ACS to configure a guest or a failed VLAN if the 802.1X authentication was not successful, like it's possible on the wired infrastructure?
    Thanks and regards

    I see what you're saying. I am actually going to mock this up in my lab over the holidays; my understanding was NAC would do this. Unfortunately I don't have NAC but will be doing this with IAS and then ACS, so will find out if it's possible over the next week or so.
    I can see the issue if you have wired 802.1x already, but maybe using separate policies. Also different guest policies pose an issue. The simple way is separate SSIDs for different guests etc. and 802.1x, which is easy. I don't understand why the client I have wants to do it this way, but it's an interesting challenge.

  • How to setup vlans and routing between them

    Hey guys
    I am onboard a vessel where I have a Cisco 1921 router with integrated 8-port switch. I have no experience whatsoever with Cisco, only knowledge about networks in general.
    What I need to do is to create 3 VLANs with different networks and their own gateways internally (no external routers, no external switches), and I want clients in all networks to be able to communicate with each other:
    Vlan 2:
    192.168.0.0
    Default Gateway: 192.168.0.1
    Network Mask: 255.255.255.0
    Vlan 3:
    192.168.1.0
    Default Gateway: 192.168.1.1
    Network Mask: 255.255.255.0
    Vlan 4:
    192.168.2.0
    Default Gateway: 192.168.2.1
    Network Mask: 255.255.255.0
    As mentioned above, I need clients from each VLAN to be able to communicate with each other. See drawing.

    Disclaimer
    The  Author of this posting offers the information contained within this  posting without consideration and with the reader's understanding that  there's no implied or expressed suitability or fitness for any purpose.  Information provided is for informational purposes only and should not  be construed as rendering professional advice of any kind. Usage of this  posting's information is solely at reader's own risk.
    Liability Disclaimer
    In  no event shall Author be liable for any damages whatsoever (including,  without limitation, damages for loss of use, data or profit) arising out  of the use or inability to use the posting's information even if Author  has been advised of the possibility of such damage.
    Posting
    It might be as simple as defining VLAN interfaces for your 3 VLANs, and then assigning the ports to one of the 3 VLANs.

  • Multiple Guest VLANs and Shared WLC

    Hi,
    I would like to add a second Internet ASA5xx gateway to our guest anchor wlc in the DMZ, which is connected to a guest vlan switch, so that the guest anchor wlc can connect guest users to two separate Internet gateways (i.e. guest vlan1 and vlan2). Two guest wireless networks are created in our environment, say SSID1 and SSID2, each anchoring to the guest WLC in the DMZ by Internal wlcs. I want to assign a different ip subnet to the two guest wireless SSIDs, say 10.251.255.0/24 and 10.251.256.0/24, to be provided by DHCP servers in the two ASA5xx.
    I want to implement this by creating a second guest VLAN interface in the guest anchor WLC and assigning/connecting this to the new ASA5xx box for the second Internet gateway. The second guest wireless SSID will be homed/anchored to this guest VLAN 2.
    Please advise how best I should implement this.
    many thanks
    Sankung   

    It sounds like you already have this done.  You have the second SSID already, you would need to create the second interface with the appropriate VLAN tag and subnet range.
    Then on the internal anchor the SSID to the same SSID in the DMZ
    http://www.cisco.com/en/US/docs/solutions/Enterprise/Mobility/emob41dg/ch10GuAc.html#wp999843
    HTH,
    Steve
    Please remember to rate useful posts, and mark questions as answered

  • Routed access OSPF design

    Hi All,
    I need some advise on the following design.
    I am designing a campus network using routed access with OSPF. I will have 3 tiers - core, distribution and access. I am looking to configure the core/distribution links in OSPF area 0 and then the distribution/access links in a non-backbone area such as 1. I will then be able to filter/summarize etc as the ABR boundary.
    I only have 2 links from my core to distribution layer and I'm planning to terminate them on separate distribution switches (dist1 and dist2), see attached diagram.
    The links facing the DC will be in area 0 and the links facing the access will be in area 1, but what area should the distribution-to-distribution link be in? I understand that if it is in the non-backbone area 1 then I will lose the ability to use the link to the second core, as intra-area routes will be preferred by dist1. Are there any other considerations here? Should I connect two links between the 4500s and configure 1 link in area 0 and 1 link in area 1?
    Thanks,

    About how many L3 routing devices, and how many subnets, do you anticipate?  Depending on that, you might want to consider a single-area design.

  • 802.1x, voice vlan and IP phone

    Hi, I reviewed many posts here, and I still need the clarification how 802.1x on the switch works with non-Cisco IP phone (not supporting CDP) and PC connected to the PC port. If I configure 802.1x on a switch port, along with access and voice vlan, next I configure the static voice vlan on the non-Cisco phone, will it be possible to authenticate the user on the PC and bypass authentication for IP phone? Is CDP required in such scenario - (non-Cisco IP phone doesn't support it)?
    Regards,
    Krzysztof

    You need CDP for touchless interop. CDP can of course be spoofed though, so proceed with caution anyway.
    You need multi-domain authentication to appropriately deal with non-Cisco phones and port-based access-control. See here to get started:
    <http://www.cisco.com/en/US/products/ps7077/products_configuration_guide_chapter09186a008077a284.html#wp1231964>
    Hope this helps,
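An added example, not from the original reply, of the multi-domain authentication the reply points to, for a port carrying a PC behind a non-Cisco phone. It assumes a 3750 with the classic `dot1x` command set and RADIUS already configured; VLAN numbers are hypothetical. Since the phone described has no CDP and, typically, no 802.1X supplicant, the example falls back to MAC Authentication Bypass (MAB) for it (older releases spell the command `dot1x mac-auth-bypass`).

```ios
! --- Added example: multi-domain authentication, non-Cisco phone + PC ---
! Assumed values (hypothetical): VLAN 100 = data, VLAN 200 = voice.
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 100
 switchport voice vlan 200
 dot1x pae authenticator
 dot1x port-control auto
 ! Exactly one device may authenticate into the data domain and one into
 ! the voice domain; each is authorized separately.
 dot1x host-mode multi-domain
 ! Phone has no supplicant: after the 802.1X identity requests go unanswered,
 ! the switch authenticates its MAC address against RADIUS instead.
 mab
 spanning-tree portfast
```

Two things to check on the RADIUS side. The phone's authorization must carry the Cisco AV pair `device-traffic-class=voice`; without it the switch treats the phone as a data-domain device and the voice VLAN is never opened for it. And MAB trusts nothing but a MAC address, which is as spoofable as CDP, so the MAB entry for the phone should be authorized for the voice domain only, with the PC still required to do full 802.1X in the data domain.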

  • Need basic Help - SG300 with vlan and routing

    Hi,
    i need some basic help with configuring vlan/routing.
    Situation:
    DSL Router - Cisco 300 - XenServer
    192.168.1.253 - 192.168.1.19 - 192.168.1.10 (mgmt ip)
    goal is, to reach from inside xenserver vms the internet.
    vms = 192.168.2.x
    gateway ip = 192.168.2.1
    what i did:
    - configured VLAN 102, tagged, with the XenServer port
    - configured on XenServer a network with VLAN ID 102, attached to the VM
    - this network is connected to an external bond
    - configured IPv4 interface: vlan102 - Static - IP 192.168.2.1 (this is the gateway IP of the VMs)
    - automatically configured IPv4 route: 192.168.2.0/24 next hop 0.0.0.0, directly connected
    So at the moment I can't ping from inside a VM to the DSL router (192.168.2.2 to 192.168.1.253).
    any ideas what i misconfigured or whats wrong?
    cheers,
    -Marco

    Hi Tom,
    OK, that makes sense. I can ping the router now inside VMs from the 192.168.2.x network.
    But I can't ping external addresses; error: Destination net unreachable.
    My other problem i have, i cant reach any server from outside over router portforwarding.
    How do i have to configure the upload port to the dsl router? Is it a access port or a trunk
    port with all vlans (tagged or untagged?) At the moment ive a tagged Trunkport with all vlans.
    IPv4 Interface Table
    Interface | IP Address Type | IP Address   | Mask          | Status
    VLAN 1    | Static          | 192.168.1.19 | 255.255.255.0 | Valid
    Should the VLAN 1 IP address not be the router IP address? Do I need an additional VLAN for
    the router? At the end I'd like to change the switch IP from DHCP to static (it changes automatically
    when switching to layer 3 mode), but I've to look for the IOS commands first.
    What else am I missing?
    Thanks a lot,
    Marcus

  • SG-300-28P VLANs and Routing

    I want to have multiple VLANs share an internet connection. Can this be done with an SG-300-28P in Layer 3 mode, directly connected to a cable modem, with no additional router?
    Does anyone have a simple example of this? CLI or web interface is fine.
    Thanks,
    -Phil

    Just out of curiosity, is this possible?
    I have currently set my SG300 up in L2 mode with a pfsense firewall as "router on a stick". I have also tried using SG300 in L3 where all inter-vlan routing was done on Switch, but I found the ACLs rather limited compared to real firewall.

  • Can you control switch and router access with AD (Kerberos)

    I am standing up a small environment with less than 20 switches and I want to configure the authentication so that dedicated Active Directory accounts provide access to the switches. We are not going to be able to put up an ACS box, and I don't want to use RADIUS unless I have to. Since both AD and Cisco support Kerberos, is it possible to use an AD group to control access to my switches and routers?

    Sam,
    Have you looked at these at Cisco?
    http://www.cisco.com/en/US/docs/ios/sec_user_services/configuration/guide/sec_cfg_kerberos.html
    Section "Login Authentication Using Kerberos"
    http://www.cisco.com/en/US/docs/ios/12_2/security/command/reference/srfindx.html
    or these
    http://www.techrepublic.com/article/configure-cisco-routers-to-use-active-directory-authentication-the-windows-side/6180954
    HTH,
    Arnold

  • MAC address and router access control

    My iPhone 3GS can only access the network (through my Netgear KWGR614 wireless router) when the router's MAC address access control is off. When I turn it on the phone is blocked. The MAC address I use is taken from the iPhone settings. It begins with 64. All other MAC addresses I have ever seen begins with 00. Is this MAC address correct? If it is right, could it be that the router can't handle this address?

    The first 3 bytes of the MAC address identify the manufacturer. For example, mine starts with 04:1e:64, which is Apple:
    04-1E-64 (hex) Apple, Inc
    041E64 (base 16) Apple, Inc
    1 Infinite Loop
    Cupertino CA 95014
    UNITED STATES
    If it starts with 64 then it belongs to
    64-4F-74 (hex) LENUS Co., Ltd.
    644F74 (base 16) LENUS Co., Ltd.
    18-5 Gwacheon-Dong
    Gwacheon Gyeonggi-Do 427-060
    KOREA, REPUBLIC OF
    check this list : http://standards.ieee.org/regauth/oui/index.shtml
    enter your first 3 numbers (first 3 pairs) from your wifi (settings/general/about) (don't use colons in the search)
    Not sure about the router as I never tried mac filtering. Each router will behave differently.
    Hope this helps.

  • Cisco ISE and WLC Access-List Design/Scalability

    Hi,
    I have a scenario whereby wireless clients are authenticated by the ISE and different ACLs are applied to them based on the rules on ISE. The problem I seem to be seeing is due to the limitation on the Cisco WLC which allows only 64 access-list entries. As the setup has only a few SVIs/interfaces and multiple different access-lists are applied to the same interface based on the user groups, I was wondering if there may be a scalable design/approach whereby the access-list entries may scale, besides creating a VLAN for each user group and applying the access-list on the layer 3 interface instead? I have illustrated the setup below for reference:
    User group 1 -- Apply ACL 1 --On Vlan 1 
    User group 2 -- Apply ACL 2 -- On Vlan 1
    User group 3 -- Apply ACL 3 -- On Vlan 1
    The problem is only seen for wireless users, it is not seen on wired users as the ACLs may be applied successfully without any limitation to the switches.
    Any suggestion is appreciated.
    Thanks.

    Actually, you have limitations on the switch side as well. Lengthy ACLs can deplete the switch's TCAM resources. Take a look at this link:
    http://www.cisco.com/c/en/us/support/docs/switches/catalyst-3750-series-switches/68461-high-cpu-utilization-cat3750.html
    The new WLCs that are based on IOS XE and not the old Wireless/Aironet OS will provide a better experience when it comes to such issues.
    Overall, I see three ways to overcome your current issue:
    1. Shrink the ACLs by making them less specific
    2. Utilize the L3 interfaces on a L3 switch or FW and apply ACLs there
    3. Use SGT/SGA
    Hope this helps!
    Thank you for rating helpful posts!

  • Layer 3 to the Access Layer and MPLS Design Considerations

    Hi,
    We are about to install a new network consisting of Cat 4500s with Sup7E at the Access Layer, with Nexus 7000 at the Distribution and Core layers.
    We have 14 floors with at least three 4500s on each floor. Within the office block where the Access Layer and Distribution Layer reside we need to support secure borderless networking using 802.1x to place users from different parts of the business into segregated networks at layer 3.
    All switches will have the feature sets to support MPLS/ VRF / OSPF / EIGRP / BGP etc.
    We quickly dismissed the idea of using VRF-Lite due to the sheer number of VLANs we would need to manage and maintain; the point-to-point links alone just to get one additional VRF on each floor required far too many VLANs.
    As a result we are now considering deploying MPLS. The obvious benefits include scalability and manageability, and the fact that all switch-to-switch links can now be routed, instead of having to use SVIs.
    My query is one of design surrounding MPLS and how this maps to an enterprise network with a routed access layer. Do Cat 4500s become the CEs and take part in MPLS / BGP and label distribution, or does the BGP peering and label distribution only occur between the Distribution - Core - Distribution layers, mapping to the PE - P - PE topology in an ISP environment, with the access layer simply using the IGP (OSPF in this case) to learn routes?
    Any help would be greatly appreciated.
    Chris.

    Hi Andy,
    Thanks for your response.
    I have been doing a little bit more research and it seems the Cat 4500s do not support MPLS!! Nor does Cisco have any plans to support it on this platform. I find this a little ridiculous considering the level that Cisco is pitching this platform at. With the Sup 7E only VRF-Lite is supported, with plans to support EVN (which still uses trunk links for logical separation).
    So it looks like we are going to have to go back to the drawing board.
    (perhaps we should have gone HP or Juniper!)
    Chris.

  • 802.1x guest VLAN problem

    Hi,
    I have configured a guest VLAN on a switch port. When I power on the PC and don't log in, the PC after some time goes to the guest VLAN, but it doesn't acquire an IP address; after some time the port goes to the unauthorized state, then after some time goes to the guest VLAN again, and so on.
    I'm using XP SP2 with:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global\SupplicantMode  DWORD Value = 3
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global\AuthMode  DWORD Value = 0
    Could someone give some help,please.
    Thanks
    BR

    The key here is your AuthMode setting of 0. With this setting, if a connection has already been authenticated with machine-auth, the user's credentials will not be used for authentication. The only way I can imagine that the Guest-VLAN even comes up is if you have configured AuthMode = 0 AND then turned off machine-authentication.
    As for the Guest-VLAN getting deployed to a port, and how quickly this occurs, it's a function of the tx-period timer on the switch port. Once 3 Identity requests go unanswered, AND if you have Guest-VLAN configured, the port can then be enabled into the Guest-VLAN. DHCP cannot happen until a) 802.1x authorizes a port, or b) the Guest-VLAN is enabled (in which 802.1x authorization will time out).
    I have a general question though. What are you looking to accomplish with these specific settings? Based on your registry settings:
    *machine-auth should work if you have both 802.1x-user-auth + 802.1x-machine-auth enabled.
    *user-auth should work if you have 802.1x-user-auth enabled and 802.1x-machine-auth disabled.
    *Guest-VLAN should work if you have 802.1x disabled completely. NOTE: Guest-VLAN should not get deployed in the config, since the supplicant will send EAPOL-Starts, even though you have disabled machine-auth.
    Hope this helps.

  • Can Exchange work correctly with routing and remote access?

    Thanks in advance

    Thanks for the answer!
    Yes. I had supposed that since Routing and Remote Access and Exchange are both built into Windows SBS 2011, they would work together; am I wrong?
    My only problem is I can't figure out how to let Exchange send email correctly; everything else works well.
    I have seen that when Exchange sends email, multiple source ports are in use, like FTP does. Is there a way to change that?
    Thanks again
