VLANs

I am using 3560 switches in a network

I have 2 users that fall within 2 different VLAN groups.

Can I assign 2 VLANs to 1 Ethernet port for these 2 users, and is the config special for multiple VLANs?

Or is there a better way to do this?

Many thanks

Supersleuth

No, you can't have two VLANs part of the same access switch port. (I assume no trunking takes place here).

This would be bad security practice in general (leaking info from one VLAN to another) and you probably don't really want to open the can of worms this would entail, so Cisco prevents you from doing it.

You probably want to rethink what you are trying to accomplish and do it a different way (more likely a secure way).

Doug McIntyre

I am using 3560 switches in a large school network.

I want to create 3 VLANs:

1: Students 2: Staff 3: Guests

Some of the wired ports could have any of those plugged in.

Is it possible to assign them to a VLAN by the MAC address or the login details?

Also, for wireless APs, can I make different SSIDs for each VLAN? Any help with this most welcome.

Cheers

Supersleuth

That would be VMPS. Cisco barely supported it (rumor was that one large customer wanted it, and Cisco tried to talk them out of it, but still delivered it until something better came along). It's a security risk, and setting up a server is interesting (most likely you'd have to search out the open-source version to run on a Unix machine. Even then, I'm not sure if the 3560 still supports it).

If you have high-school students, I would not put it past them to be able to get around VMPS security; it's fairly easy to spoof MAC addresses.

Much better would be to run its secure replacement, 802.1x, which would get the login data through RADIUS, and most RADIUS servers support it, and the 3560 does as well. You can google many articles on setting up 802.1x.

You can with Cisco AP gear. Support for this is straightforward. Basic setup is to map an SSID to each VLAN. You can also set up 802.1x on the Cisco AP and assign the VLAN through the RADIUS login if you want.

Other vendors of APs don't necessarily support these features; you'd most likely have to have 3 different APs, one for each VLAN, if you aren't using Cisco here.

Doug McIntyre

I am going to use all Cisco gear.

Never done a RADIUS server before, but do have Nagios running on Fedora 11.

Is it OK to use the same server, or will it be better to make a new server just for RADIUS?

What software would I be best with, preferably something that doesn't need masses of re-programming, as I'm not a programmer?

Supersleuth

Yes, you could run RADIUS and something else on the same server. It's not very much traffic. This is more determined by your internal security policies than CPU load or needing resources.

There's many choices. One would be FreeRADIUS. It'll need to be fed configs via text files much like Nagios or other Unix software packages.

Cisco has their own RADIUS appliance as well if you want a pretty GUI and it supporting things out of the box with virtually no work. But you pay for those features. Plenty of other RADIUS software server vendors as well. Some pay, some freeware.

Doug McIntyre

Having a look at FreeRADIUS, thanks.

Can I use RADIUS to authenticate ALL users, wired and wireless?

I know what users I have and what VLANs I want them on; it's just I don't know where they will get their connection from. It can change several times a day for students as they move from lesson to lesson.

Supersleuth

Yes, of course.

Regards, Christoph Gartmann

Christoph Gartmann

If you deploy 802.1x everywhere, wired and wireless, then yes, they can log in from anywhere. 802.1x is the same in both. Most times, once it's set up in both spots on their PC, they don't see it again.

Doug McIntyre
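To show what "assign the VLAN through the RADIUS login" looks like on the FreeRADIUS side, here is an added example of entries for the FreeRADIUS `users` file; it is not from the thread or from the FreeRADIUS project, and the usernames, passwords and VLAN ids 10/20/30 are constructed placeholders for the Students/Staff/Guests VLANs.

```text
# Constructed example for a FreeRADIUS 2.x "users" file (raddb/users).
# Each entry: check items on the first line, reply items on the indented
# lines. The three Tunnel-* reply attributes (RFC 3580) tell the switch
# or AP which VLAN to place the authenticated port/session in, so the
# user lands in the right VLAN wherever they plug in or associate.
#
# Passwords here are cleartext for the example only; in production the
# check would normally come from LDAP/AD or a database module instead.

# Student -> assumed VLAN 10
student1    Cleartext-Password := "example-student-pass"
            Tunnel-Type = VLAN,
            Tunnel-Medium-Type = IEEE-802,
            Tunnel-Private-Group-Id = "10"

# Staff member -> assumed VLAN 20
teacher1    Cleartext-Password := "example-staff-pass"
            Tunnel-Type = VLAN,
            Tunnel-Medium-Type = IEEE-802,
            Tunnel-Private-Group-Id = "20"

# Guest account -> assumed VLAN 30
guest1      Cleartext-Password := "example-guest-pass"
            Tunnel-Type = VLAN,
            Tunnel-Medium-Type = IEEE-802,
            Tunnel-Private-Group-Id = "30"

# Anyone not matched above is rejected rather than silently dropped
# into a default VLAN, which is the safer failure mode.
DEFAULT     Auth-Type := Reject
            Reply-Message = "Unknown user"
```

The 3560 only acts on these attributes when it is also configured to accept RADIUS authorization (`aaa authorization network default group radius` together with `dot1x system-auth-control` and `dot1x port-control auto` on the access ports); the same attributes drive per-user VLAN selection on a Cisco AP doing 802.1x.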

Thanks, found lots of info on 802.1x.

Is there a better way, or would you recommend this approach?

Now is the time to change, as we are going to renew our whole network, wired and wireless, except PCs and laptops.

Supersleuth

There are a couple of web frontends for FreeRADIUS as well.

alexd
