I've also been struggling with this lately in our NAC deployment. This
is only an issue for a small subset of our devices that switch VLANs,
however.
Initially we had set the default role to disallow DHCP, which solved the
problem until we went to deploy to campus (which needed to have a fail
open if NAC couldn't be contacted).
Attempting to implement Port Link Control, we found K- and S-series do
not support it due to all of the MAC authentication sessions being
considered multiauth.
I'm now attempting to use a role mapping prior to the VLAN switch passed
out by NAC based on MAC OUI (which we should be able to do due to the
limited types of devices being switched). It looks as though this
should be assigned with the first traffic that hits the switch.
I would like to see two default roles on the port - one prior to
attempting to contact NAC/RADIUS and one to be assigned if that times out.
It sounds like there may be some improvements in the pipeline but they
are a ways out.
--
Kay Avila
Network Engineer, ITS-Network Services
15 Curris Business Building, Cedar Falls, IA 50614-0121
[email protected] Phone: 319-273-5924 Fax: 319-273-7373
On 9/26/2012 11:34 PM, Jolyon Ansuz wrote:
That’s how we do things, the user initially enters an assessment VLAN
(Role) and then after authentication (60sec?) rolls into the appropriate
VLAN (Eg. Staff Role).
We use a LDAP attribute to assign roles to human beings.
We use a LDAP attribute to assign roles to devices.
Jolyon Ansuz
Senior Network and Communications Administrator
P: +61 2 6773 3568
*From:* Patrick Printz [mailto:[email protected]]
*Sent:* Wednesday, 19 September 2012 5:00 AM
*To:* Enterasys Customer Mailing List
*Subject:* RE: [enterasys] question about "vlan dynamicegress"
I have been working on a new network structure to replace our current
flat setup. Staff, administrators, students, etc. would be separated
into various VLANs, to help contain their traffic and make controlling
their access to various network resources easier. In my testing, the
computer would be assigned to a VLAN once it 802.1X authenticated, then
when a user logged in, they would be switched to a different role which
egresses a different VLAN. The computer was changing IP with the
different logins and when sitting at a Ctrl-Alt-Del screen with the computer
authenticated. We are running G3s on the edge, so I am not sure if it
is the switch that causes the clients to pull a new IP when changing
roles, but it works perfectly.
Another thought is to use DHCP user classes and/or vendor classes to
catch devices and users when they first talk to DHCP. The DHCP server
can send them an IP in the proper subnet the first time around.
*Patrick Printz*
*Network Infrastructure*
Quinsigamond Community College
670 West Boylston Street
Worcester, MA 01606-2092
w. 508-854-7517
c. 508-726-9529
"If a man is called a street sweeper, he should sweep streets even as
Michelangelo painted, or Beethoven composed music, or Shakespeare wrote
poetry. He should sweep streets so well that all the hosts of heaven and
Earth will pause to say, Here lived a great street sweeper who did his
job well."
~Martin Luther King, Jr.
*From:* Markus Kaiser [mailto:[email protected]]
*Sent:* Tuesday, September 18, 2012 9:31 AM
*To:* Enterasys Customer Mailing List
*Subject:* Re: [enterasys] question about "vlan dynamicegress"
There are clients that, if they have no IP address via DHCP, still don't
request an IP from DHCP after changing VLAN or after link up/down.
Don't worry about the little DHCP packets and traffic. Even if 1000
clients send out DHCP requests every 10 seconds, that's no traffic,
even for MS DHCP, for sure not for modern Linux and also not for
routers/switches (IP helper/DHCP relay). It's only in that single VLAN and
doesn't use much bandwidth. If this is the only broadcast traffic in
your VLAN, then there's nothing to worry about. You really can't call 1000
DHCP requests every 10 seconds traffic, even in a WAN.
Think about it again.
kind regards,
markus
___________________________
On 18.09.2012, at 15:22, John Kaftan <[email protected]> wrote:
I think I’ll just do a VLAN to nowhere as the default VLAN and then
make everyone switch VLANs by role mapping. That way the client
won’t get an initial IP. I don’t want to set low lease times as it
generates too much traffic and load on the DHCP server.
I wonder though what happens when, in my example, I have an xbox
connected and get the xbox role with vlan 666 and then the xbox gets
unplugged and a PC gets plugged in. When the xbox gets unplugged
does the xbox role and associated VLAN get removed from the port? If
not I may have the same issue when the PC gets plugged in. It will
get an IP on VLAN 666 and then get flipped to VLAN 60 and be dead in
the water.
I’ll play with it and see what happens.
*From:* Markus Kaiser [mailto:[email protected]]
*Sent:* Tuesday, September 18, 2012 9:09 AM
*To:* Enterasys Customer Mailing List
*Subject:* Re: [enterasys] question about "vlan dynamicegress"
If you switch/change VLAN, the only way to get all kinds of DHCP
clients to work is to configure a very low lease time (if possible
10-30 seconds, depending on DHCP server OS) for the default/guest VLAN.
Not all networking devices do a new DHCP request if you switch VLAN,
or rather after link up/down. Printers and Macs don't do a DHCP
request at link up/link down, for example.
kind regards,
markus
___________________________
On 18.09.2012, at 14:33, John Kaftan <[email protected]> wrote:
Speaking of dynamic VLANs has anyone found a way to get the
client to ask for a new IP after switching a VLAN? What we are
finding is that the VLAN doesn’t switch fast enough and the
client gets an IP from the default VLAN before the VLAN
switches. Once the VLAN has been switched the client is dead in
the water because they have an IP address for the wrong subnet.
The only way I can think of to fix this is to have the default
VLAN be a VLAN to nowhere, i.e. no DHCP. If I do that then I have
to map everyone to a VLAN and not just my special (xbox) group.
I can do that but it will be a lot of work.
I was going to try the RFC3580 method to see if that works
differently. The last NAC we had would drop the port for 5 sec
and then bring it back up to force the client to request a new IP.
Thanks
John
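A defender-side check for the failure mode John describes, added here as an example and not code from the thread or from any Enterasys/NAC product: given each port's current VLAN (after the role or RFC3580 switch) and the address the client still holds per the DHCP lease table, it flags clients whose address lies outside the subnet of the VLAN they now sit in. The VLAN IDs, subnets, port names, MACs and the `PortState` record are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed VLAN -> subnet table (assumption; not values from the thread).
# VLAN 999 has no entry on purpose: it stands in for a "VLAN to nowhere" with no DHCP.
VLAN_SUBNETS = {
    1: ipaddress.ip_network("10.1.0.0/24"),      # default VLAN that still serves DHCP
    60: ipaddress.ip_network("10.60.0.0/24"),    # staff role VLAN
    666: ipaddress.ip_network("10.66.6.0/24"),   # xbox role VLAN
}


@dataclass
class PortState:
    port: str
    mac: str
    current_vlan: int           # VLAN the role mapping has now put the port in
    lease_ip: Optional[str]     # address the client holds per the DHCP lease table, if any


def stranded(state: PortState, vlan_subnets=VLAN_SUBNETS) -> bool:
    """True when the client's held address lies outside the subnet of the VLAN it
    has been moved into: it leased on the old VLAN and never re-requested."""
    if state.lease_ip is None:
        return False  # no lease yet, so nothing can be wrong
    subnet = vlan_subnets.get(state.current_vlan)
    if subnet is None:
        return True   # holds an address but now sits in a VLAN with no subnet at all
    return ipaddress.ip_address(state.lease_ip) not in subnet


def find_stranded(states, vlan_subnets=VLAN_SUBNETS):
    """Ports whose client is dead in the water after a VLAN switch."""
    return [s.port for s in states if stranded(s, vlan_subnets)]


# Constructed sample: one port still holds a default-VLAN address after the switch.
SAMPLE = [
    PortState("ge.1.1", "00:11:22:33:44:55", 60, "10.1.0.55"),    # leased on VLAN 1, moved to 60
    PortState("ge.1.2", "00:11:22:33:44:66", 666, "10.66.6.20"),  # correct
    PortState("ge.1.3", "00:11:22:33:44:77", 60, "10.60.0.12"),   # correct
    PortState("ge.1.4", "00:11:22:33:44:88", 999, None),          # parked, no lease yet
]

if __name__ == "__main__":
    print(find_stranded(SAMPLE))  # ['ge.1.1']
```

Feeding it a real lease table and the switch's current port-to-VLAN view turns the thread's "dead in the water" symptom into something you can alert on instead of waiting for a helpdesk ticket.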
*From:* [email protected] [mailto:[email protected]]
*Sent:* Tuesday, September 18, 2012 7:02 AM
*To:* Enterasys Customer Mailing List
*Subject:* RE: [enterasys] question about "vlan dynamicegress"
Thanks everyone.
I will try this afternoon.
*Geoffroy HUGUENIN*
CEA VALDUC
VA/DSTA/STLI/LSIS
21120 IS-SUR-TILLE
Phone: 03 80 23 77 80
*From:* Sylvain Conti [mailto:[email protected]]
*Sent:* Tuesday, 18 September 2012 11:02
*To:* Enterasys Customer Mailing List
*Subject:* RE: [enterasys] question about "vlan dynamicegress"
Hi,
As far as I can remember, you can try to use the VLAN Egress tab
under the Role to define the egress rule (for a role with a
Contain to VLAN setup in the General tab); dynamic egress should
not be required if you do not have devices like the SecureStack A2.
Regards,
*Sylvain CONTI*
*Technical Coordinator*
*+33 1 64 53 14 12*
*+33 6 78 78 07 47*
*NETWORK and SECURITY INTEGRATOR*
*Ile de France office,* Immeuble Le Montréal - 19bis av. du
Québec - ZA Courtaboeuf - 91140 Villebon sur Yvette Tel: +33 1 64
53 14 14 Fax: +33 1 69 32 14 02
Head office - Espace Jacques Cartier - BP 96031 - 35360
Montauban de Bretagne Tel: +33 2 99 06 61 61 Fax: +33 2 99 06 36 36
*[email protected]* www.retis.fr
*From:* [email protected] [mailto:[email protected]]
*Sent:* Tuesday, 18 September 2012 10:51
*To:* Enterasys Customer Mailing List
*Subject:* [enterasys] question about "vlan dynamicegress"
Hello,
We use some policies with "Access Control → Contain to VLAN".
Our configuration has dynamicegress disabled on all switches.
When we use policies on C3, the VLAN changes correctly, but not on our
N3. We must enable dynamicegress on the N3.
Do you know why there are some differences between C3 and N3?
Should dynamicegress be enabled on all switches or not?
Thanks.
*Geoffroy HUGUENIN*
CEA VALDUC
VA/DSTA/STLI/LSIS
21120 IS-SUR-TILLE
Phone: 03 80 23 77 80
--
To unsubscribe from enterasys, send email to [email protected] with the body:
unsubscribe enterasys [email protected]