That's how we do things: the user initially enters an assessment VLAN (Role) 
and then after authentication (60 sec?) rolls into the appropriate VLAN (e.g. 
Staff Role).

We use an LDAP attribute to assign roles to human beings.

We use an LDAP attribute to assign roles to devices.

Jolyon Ansuz

Senior Network and Communications Administrator
P: +61 2 6773 3568

From: Patrick Printz [mailto:[email protected]]
Sent: Wednesday, 19 September 2012 5:00 AM
To: Enterasys Customer Mailing List
Subject: RE: [enterasys] question about "vlan dynamicegress"

I have been working on a new network structure to replace our current flat 
setup. Staff, administrators, students, etc. would be separated into various 
VLANs, to help contain their traffic and make controlling their access to 
various network resources easier.  In my testing, the computer would be 
assigned to a VLAN once it 802.1X authenticated, then when a user logged in, 
they would be switched to a different role which egresses a different VLAN. The 
computer was changing IP with the different logins and when sitting at a 
Ctrl-Alt-Del screen and computer authenticated. We are running G3s on the 
edge, so I am not sure if it is the switch that causes the clients to pull a 
new IP when changing roles, but it works perfectly.

Another thought is to use DHCP user classes and/or vendor classes to catch 
devices and users when they first talk to DHCP. The DHCP server can send them 
an IP in the proper subnet the first time around.

Patrick Printz
Network Infrastructure

Quinsigamond Community College
670 West Boylston Street
Worcester, MA 01606-2092
w. 508-854-7517
c. 508-726-9529


"If a man is called a street sweeper, he should sweep streets even as 
Michelangelo painted, or Beethoven composed music, or Shakespeare wrote poetry. 
 He should sweep streets so well that all the hosts of heaven and Earth will 
pause to say, Here lived a great street sweeper who did his job well."
~Martin Luther King, Jr.

From: Markus Kaiser [mailto:[email protected]]
Sent: Tuesday, September 18, 2012 9:31 AM
To: Enterasys Customer Mailing List
Subject: Re: [enterasys] question about "vlan dynamicegress"

There are clients that, if they have no IP address via DHCP, still don't 
request an IP from DHCP after changing VLAN or after link up/down.

Don't worry about the little DHCP packets and traffic. Even if 1000 clients 
send out DHCP requests every 10 seconds, that's no traffic, even for MS 
DHCP, for sure not for modern Linux and also not for routers/switches (IP 
helper/DHCP relay). It's only in that single VLAN and doesn't use much bandwidth. 
If this is the only broadcast traffic in your VLAN, then there's nothing to 
worry about. You really can't call 1000 DHCP requests every 10 seconds traffic, even 
in a WAN.

Think about it again.

kind regards,

markus




___________________________

On 18.09.2012, at 15:22, John Kaftan <[email protected]> wrote:
I think I'll just do a VLAN to nowhere as the default VLAN and then make 
everyone switch VLANs by role mapping.  That way the client won't get an 
initial IP.  I don't want to set low lease times as it generates too much 
traffic and load on the DHCP server.

I wonder though what happens when, in my example, I have an xbox connected and 
get the xbox role with vlan 666 and then the xbox gets unplugged and a PC gets 
plugged in.  When the xbox gets unplugged does the xbox role and associated 
VLAN get removed from the port?  If not I may have the same issue when the PC 
gets plugged in.  It will get an IP on VLAN 666 and then get flipped to VLAN 60 
and be dead in the water.

I'll play with it and see what happens.

From: Markus Kaiser [mailto:[email protected]]
Sent: Tuesday, September 18, 2012 9:09 AM
To: Enterasys Customer Mailing List
Subject: Re: [enterasys] question about "vlan dynamicegress"

If you switch/change VLAN, the only way to get all kinds of DHCP clients to 
work is to configure a very low lease time (if possible 10-30 seconds, 
depending on DHCP server OS) for the default/guest VLAN.

Not all networking devices do a new DHCP request if you switch VLAN, or rather 
after link up/down. Printers and Macs don't do a DHCP request at link up/link 
down, for example.

kind regards,

markus

___________________________

On 18.09.2012, at 14:33, John Kaftan <[email protected]> wrote:
Speaking of dynamic VLANs has anyone found a way to get the client to ask for a 
new IP after switching a VLAN?  What we are finding is that the VLAN doesn't 
switch fast enough and the client gets an IP from the default VLAN before the 
VLAN switches.  Once the VLAN has been switched the client is dead in the water 
because they have an IP address for the wrong subnet.

The only way I can think of to fix this is to have the default VLAN be a VLAN 
to nowhere, i.e. no DHCP.  If I do that then I have to map everyone to a VLAN 
and not just my special (Xbox) group.  I can do that but it will be a lot of 
work.

I was going to try the RFC3580 method to see if that works differently.  The 
last NAC we had would drop the port for 5 sec and then bring it back up to 
force the client to request a new IP.

Thanks

John
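The failure mode described in this post (a client leases an address on the default VLAN before the port flips to the role's VLAN and is then "dead in the water") is easy to spot from the DHCP server and the NAC side once you compare the two. The script below is an added example, not code from this thread or from Enterasys: it joins a constructed, simplified one-line-per-lease dump against a constructed table of MAC-to-role sessions and reports every client whose leased address is outside the subnet of the VLAN its current role egresses. The role/VLAN/subnet table and the lease and session samples are made-up values; the real dhcpd.leases format is multi-line and would need a different parser.

```python
"""Flag 802.1X clients whose DHCP lease is on the wrong subnet for their role.

Added example for the mailing-list discussion; not Enterasys code.
All role, VLAN, subnet, lease and session values below are constructed.
"""
import re
from ipaddress import ip_address, ip_network

# Constructed: VLAN each role egresses and the subnet routed on that VLAN.
ROLE_VLANS = {
    "Default": (1, ip_network("10.1.0.0/24")),    # default VLAN that still has DHCP
    "Staff": (60, ip_network("10.60.0.0/24")),
    "Xbox": (666, ip_network("10.66.0.0/24")),
}

# Constructed lease dump, one lease per line (simplified dhcpd-like syntax).
LEASES = """\
lease 10.1.0.23 { hardware ethernet 00:11:22:33:44:55; }
lease 10.60.0.40 { hardware ethernet aa:bb:cc:dd:ee:01; }
lease 10.1.0.77 { hardware ethernet aa:bb:cc:dd:ee:02; }
"""

# Constructed NAC view: MAC -> role currently applied on the client's port.
SESSIONS = {
    "00:11:22:33:44:55": "Xbox",     # leased on VLAN 1 before the port moved to 666
    "aa:bb:cc:dd:ee:01": "Staff",    # lease matches the Staff subnet
    "aa:bb:cc:dd:ee:02": "Default",  # still on the default role, lease is fine
}

LEASE_RE = re.compile(r"lease (\S+) \{ hardware ethernet ([0-9a-fA-F:]{17});")


def parse_leases(text):
    """Return {mac: IPv4Address} from the simplified one-line lease format."""
    return {m.group(2).lower(): ip_address(m.group(1)) for m in LEASE_RE.finditer(text)}


def stranded_clients(leases, sessions, role_vlans):
    """Return [(mac, role, vlan, ip)] for clients leased outside their role's subnet.

    A client with no lease at all is skipped: that is the expected state when
    the default VLAN is a "VLAN to nowhere" with no DHCP.
    """
    stranded = []
    for mac, role in sessions.items():
        ip = leases.get(mac.lower())
        if ip is None:
            continue
        vlan, subnet = role_vlans[role]
        if ip not in subnet:
            stranded.append((mac, role, vlan, ip))
    return stranded


if __name__ == "__main__":
    for mac, role, vlan, ip in stranded_clients(parse_leases(LEASES), SESSIONS, ROLE_VLANS):
        print(f"{mac} has {ip} but role {role} egresses VLAN {vlan}; client is stranded")
```

Run against the built-in samples it reports only the Xbox client, which holds a 10.1.0.0/24 lease while its port has already moved to VLAN 666. In practice the lease dump would come from the DHCP server and the session table from the NAC, so a non-empty result is the signal that the default VLAN is still handing out addresses faster than the role mapping takes effect.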

From: [email protected] [mailto:[email protected]]
Sent: Tuesday, September 18, 2012 7:02 AM
To: Enterasys Customer Mailing List
Subject: RE: [enterasys] question about "vlan dynamicegress"

Thanks everyone.
I will try this afternoon.


Geoffroy HUGUENIN
CEA VALDUC
VA/DSTA/STLI/LSIS
21120 IS-SUR-TILLE
Phone: 03 80 23 77 80
From: Sylvain Conti [mailto:[email protected]]
Sent: Tuesday, 18 September 2012 11:02
To: Enterasys Customer Mailing List
Subject: RE: [enterasys] question about "vlan dynamicegress"

Hi,

As far as I can remember, you can try to use the VLAN Egress tab under the Role 
to define the egress rule (for a role with a contain-to-VLAN setup in the 
General tab); dynamic egress should not be required if you do not have devices 
like SecureStack A2.

Regards,
Sylvain CONTI





Technical Coordinator


+33 1 64 53 14 12

+33 6 78 78 07 47




NETWORK and SECURITY INTEGRATOR
Ile de France office, Immeuble Le Montréal - 19bis av. du Québec - ZA 
Courtaboeuf - 91140 Villebon sur Yvette T : +33 1 64 53 14 14   F : +33 1 69 32 
14 02
Head office - Espace Jacques Cartier - BP 96031 - 35360 Montauban de Bretagne  
     T : +33 2 99 06 61 61   F : +33 2 99 06 36 36
[email protected]   www.retis.fr



From: [email protected] [mailto:[email protected]]
Sent: Tuesday, 18 September 2012 10:51
To: Enterasys Customer Mailing List
Subject: [enterasys] question about "vlan dynamicegress"

Hello,

We use some policies with "access control --> Contains to vlan".

Our configuration has dynamicegress disabled on all switches. When we use 
policies on C3, the VLAN changes correctly, but not on our N3. We must enable 
dynamicegress on N3.

Do you know why we have some differences between C3 and N3?

Should dynamicegress be enabled on all switches or not?

Thanks.

Geoffroy HUGUENIN
CEA VALDUC
VA/DSTA/STLI/LSIS
21120 IS-SUR-TILLE
Phone: 03 80 23 77 80

 *   --To unsubscribe from enterasys, send email to 
[email protected] with the body: unsubscribe enterasys 
[email protected]
