Looks like this can be done via dynamic VLANs. Basically what I'd like to do is set unknown MAC addresses to default to VLAN1 and known MAC addresses go to a preassigned VLAN. This way if an unknown device is plugged into the switch it would not have full access to our network or systems.
Is this a simple configuration supported by, for example, a 2960 switch?
If anyone has an example of the best way to do this it would be very helpful.
Which 2900 series? Unfortunately, there are 3 really different Cisco devices that are a "2900". I assume it's not the 2900 ISR2 router since you say switch in the subject line, although there are switch cards that can go into the 2900 ISR2. Then there are the C2924XL and the C2950 Catalyst switches.
You know that MAC addresses can be easily spoofed, right? If this is a security setup, doing VLAN membership by MAC is going to be as easy to circumvent as the attacker finding out a legit MAC and configuring their system to be it, and then they are on the other VLAN.
The secure supported configuration is to use 802.1X and a RADIUS server to assign VLANs based on secure authentication login info.
But assuming the lowest common denominator, the C2924XL doesn't support 802.1X authentication; that came along later in Cisco's lifespan. The C2950 does support 802.1X authentication.
If you do really mean to do dynamic VLAN connections just by MAC address, Cisco did have a solution way back in the day called VMPS.
You'd have to run up a daemon (OpenVMPS) on a *nix box, or dig up an old 6500/5000 that still had the VMPS server code on it (only a few hardware platforms did).
If you do some searches on OpenVMPS you should be able to find it.
Just don't expect it to be too secure with the ability of MAC spoofing readily available.
Either way, you'll need to be running a server to hand out the info via whichever protocol you choose to use.
I think I should change my question slightly... I see that the 2960 supports VMPS client mode. Does that mean it will do the VLAN port assignments as a stand-alone switch, or does it need another service or server?
Basically I'm just trying to configure simple MAC based VLAN assignments.
VMPS (like RADIUS) requires an external server to give it the data. Originally it ran only on a few older chassis-based switches, but they've reverse-engineered the protocol into OpenVMPS as a standalone daemon on a *nix system.
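An added example, not from the thread or the OpenVMPS project: a small Python model of how a VMPS server answers a switch's query from its database, written in the Cisco-style vlan.db syntax as I recall it (the directives and the constructed MACs are assumptions, check them against your OpenVMPS documentation). It shows the open-mode fallback that sends unknown MACs to a default VLAN, the `--NONE--` deny entry, and that secure mode refuses unknown MACs outright; the decision keys only on the MAC the client presents, which is the weakness the answers above point out.

```python
"""Toy resolver for a Cisco VMPS / OpenVMPS-style database (constructed example)."""
import re

# Constructed sample in the vlan.db syntax OpenVMPS reads (directive names are
# assumed from memory of the Cisco VMPS database format; verify before relying on it).
SAMPLE_DB = """\
vmps domain example-domain
vmps mode open
vmps fallback default
vmps no-domain-req allow
!
address 0012.3456.789a vlan-name engineering
address 0012.3456.789b vlan-name finance
address 0012.3456.789c vlan-name --NONE--
"""

def normalize_mac(mac):
    """Canonical 12-hex-digit form so 00:12:34:56:78:9A equals 0012.3456.789a."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError("bad MAC: %r" % mac)
    return digits

def parse_vmps_db(text):
    """Return (settings, {mac: vlan-name}) from the database text."""
    settings, table = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("!"):
            continue                       # blank line or '!' comment
        parts = line.split()
        if parts[0] == "vmps" and len(parts) >= 3:
            settings[parts[1]] = parts[2]  # domain / mode / fallback / no-domain-req
        elif parts[0] == "address" and len(parts) == 4 and parts[2] == "vlan-name":
            table[normalize_mac(parts[1])] = parts[3]
    return settings, table

def resolve_vlan(settings, table, mac):
    """VLAN name the server assigns for a MAC seen on a dynamic port, or None to deny."""
    vlan = table.get(normalize_mac(mac))
    if vlan == "--NONE--":
        return None                        # explicit deny entry
    if vlan is not None:
        return vlan                        # known MAC: its preassigned VLAN
    if settings.get("mode", "open") == "open":
        return settings.get("fallback")    # unknown MAC: fallback VLAN (the OP's "VLAN1")
    return None                            # secure mode: unknown MACs are refused
```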