Mac to VLAN mapping on Cisco switches

Hello,

We are looking at ways to ease management of VLANs, and secure on the basis of MAC address (yes I know, easily spoofed).

After much googling, it seems that:

- 802.1x has the potential to do what we want, but always needs a supplicant (agent) on the connecting device. As too many devices we use (among others thin clients) do not have this capability, this is out for now[1]. Am I correct that for MAC based 802.1x VLAN assignment, one always needs an agent on the device?

- The other option would be VMPS. Open Source software can get the MAC/VLAN assignment from a database[2], but can Cisco software do similar? Do they even have a dedicated VMPS server, or is one stuck with downloading a file to the master switches?

I hope I'm wrong, too many sites say that VMPS is deprecated in favor of 802.1x. But requiring an agent on the end device is quite a big step. Why is there no middle ground between these two?

TIA, M4

[1] We'll be switching to 802.1x capable thin clients soon, so it may not be out completely. [2] Think CMDB. Not in CMDB => No access. In CMDB => department and requesting switch dictate VLAN.
Reply to
Martijn Lievaart
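The CMDB-driven mapping from footnote [2] (not in CMDB => no access; in CMDB => department plus requesting switch decide the VLAN) can be expressed as a plain VMPS database file, which is what a Cisco VMPS server loads from TFTP. The script below is an added example, not code from either poster or from Cisco. It assumes the text format Cisco documents for VMPS databases (`vmps domain`, `vmps mode`, `vmps-mac-addrs` with `address ... vlan-name ...`, `vmps-port-group`, `vmps-vlan-group` and `vmps-port-policies`), and the CMDB entries, department names, VLAN names and switch addresses in it are constructed sample data. It normalizes the MAC notations a CMDB export typically mixes, refuses malformed or duplicate entries rather than silently dropping them, emits `vmps mode secure` so that a MAC the CMDB does not know gets the port shut down instead of parked in a fallback VLAN, and uses port policies so a VLAN can only be handed to the switches allowed to carry it. `decide()` mirrors the resulting server decision offline so the file can be sanity checked before it is pushed.

```python
import re
from typing import Dict, Iterable, Optional

# Constructed sample data (not a real CMDB export): department -> VLAN name
# as known in the VMPS domain.
DEPT_VLANS = {"engineering": "eng", "finance": "fin", "thinclients": "tc"}

# Constructed CMDB extract: MAC in whatever notation the tool exports -> department.
CMDB = {
    "00:12:34:56:78:9A": "engineering",
    "00-1A-2B-3C-4D-5E": "finance",
    "001c.2d3e.4f50": "thinclients",
}

# Constructed: which VLAN names each access switch (by management IP) may assign.
# This is the "requesting switch dictates VLAN" part of the mapping.
SWITCH_VLANS = {
    "10.0.0.11": ["eng", "tc"],
    "10.0.0.12": ["fin", "tc"],
}

# Accepted notations: aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff, aabb.ccdd.eeff, aabbccddeeff
_MAC_FORMS = re.compile(
    r"^(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}$"
    r"|^(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}$"
    r"|^[0-9a-f]{12}$"
)


def normalize_mac(mac: str) -> str:
    """Return the MAC in Cisco dotted form (0012.3456.789a); raise on garbage."""
    m = mac.strip().lower()
    if not _MAC_FORMS.match(m):
        raise ValueError(f"not a MAC address: {mac!r}")
    digits = re.sub(r"[:.\-]", "", m)
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))


def build_mac_table(cmdb: Dict[str, str], dept_vlans: Dict[str, str]) -> Dict[str, str]:
    """Normalized MAC -> VLAN name. Unknown departments and duplicate MACs are errors,
    because a silently dropped entry would turn into a shut port on the floor."""
    table: Dict[str, str] = {}
    for raw, dept in cmdb.items():
        mac = normalize_mac(raw)
        if dept not in dept_vlans:
            raise ValueError(f"{raw}: unknown department {dept!r}")
        if mac in table:
            raise ValueError(f"{mac}: listed twice in CMDB")
        table[mac] = dept_vlans[dept]
    return table


def decide(mac: str, switch: str, table: Dict[str, str],
           switch_vlans: Dict[str, Iterable[str]]) -> Optional[str]:
    """Offline model of the VMPS answer: VLAN name, or None for 'deny'.
    None when the MAC is not in the CMDB, or when the CMDB VLAN is not one the
    requesting switch is allowed to carry."""
    vlan = table.get(normalize_mac(mac))
    if vlan is None or vlan not in switch_vlans.get(switch, ()):
        return None
    return vlan


def _group_name(switch: str) -> str:
    return "sw_" + switch.replace(".", "_")


def render_vmps_db(domain: str, table: Dict[str, str],
                   switch_vlans: Dict[str, Iterable[str]]) -> str:
    """Render the VMPS database text file for the TFTP server."""
    lines = [
        "!VMPS File Format, version 1.1",
        f"vmps domain {domain}",
        "vmps mode secure",         # denied MAC -> port is shut down, no fallback VLAN
        "vmps no-domain-req deny",  # requests without a domain are refused
        "!",
        "vmps-mac-addrs",
    ]
    for mac, vlan in sorted(table.items()):
        lines.append(f"address {mac} vlan-name {vlan}")
    lines.append("!")
    # One port group and one VLAN group per switch, tied together by a port policy,
    # so a VLAN can only be assigned on switches that are allowed to carry it.
    for switch in sorted(switch_vlans):
        lines += [f"vmps-port-group {_group_name(switch)}", f" device {switch} all-ports"]
    lines.append("!")
    for switch, vlans in sorted(switch_vlans.items()):
        lines.append(f"vmps-vlan-group {_group_name(switch)}")
        lines += [f"vlan-name {v}" for v in vlans]
    lines.append("!")
    for switch in sorted(switch_vlans):
        lines += [f"vmps-port-policies vlan-group {_group_name(switch)}",
                  f" port-group {_group_name(switch)}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    mac_table = build_mac_table(CMDB, DEPT_VLANS)
    print(render_vmps_db("CORP", mac_table, SWITCH_VLANS))
```

Run it and push the output to the TFTP server the VMPS switch downloads from; `decide()` is worth wiring into whatever generates the file so a CMDB change that would deny a known device on its own switch shows up in review rather than as a shut port. None of this changes the spoofing caveat from the first post: a MAC is an identifier, not a credential.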

Most modern OSs have this built into the networking stack. I.e. Windows 7/Mac OS X/Linux all do. I can't tell about your thin clients.

VMPS was never fully supported by Cisco in the first place. Rumor was that some large customer wanted a solution (this was long before .1x) and Cisco half-heartedly built something in. The VMPS server ran in a 6500 switch, there never was general server code outside of switch hardware.

To say it is insecure is an understatement. Sniff, spoof and any VLAN hopping instantly done.

Since .1x, whatever supported level of VMPS existed vanished, and it is kept around mainly in the platforms that had it just in a holding pattern.

But, are you over generalizing this as a solution? There haven't been many locations where I'd even consider .1x. To me, it is a specialized solution to begin with.

It all sounds neat, just edit radius to assign VLAN, but in reality, it is even easier to keep track of switch ports and edit which VLAN a given switch port is in and hard code it there. No security issues, no having to run extra stuff. I'd say that in 99.99% of the situations in which I find myself, this is the standard setup.

Keeping track of switch ports is easier than dealing with usernames and passwords.

Reply to
Doug McIntyre

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.