Taye, Aaron (NIH/NCI) [C]
2013-09-12 12:22:45 UTC
We do a lot of this kind of thing, but we use Policy Manager, NAC Manager, and NAC Appliances to do it. It is much easier to create and manage that way, especially if you have any need to scale up, so I would recommend that approach (if you have those three things available to you), rather than trying to do policy via the CLI.
As you say, the NAC appliances push a policy to a switch, but you can use NAC to automatically apply a policy to specific end-systems based on MAC address (also based on device type, user, time, and/or location if you want). So for your example you would create a policy that simply contains to VLAN X--no need to include anything about the MAC address within the policy itself.
Then, in NAC Manager you create your list of MAC addresses that you want to contain to VLAN X. You create a rule within NAC Manager that basically says "for all MAC addresses in the list, apply the policy that contains to VLAN X".
Policy Manager pushes the policy to the switches (allowing you to create the policy via the GUI, rather than CLI, which is much more straightforward).
NAC Manager pushes the NAC rules and criteria to the NAC appliances. Within NAC Manager you assign your switches to the NAC appliances, and when you enforce to the NAC appliances they go out to the switches and establish themselves as RADIUS servers for the switches (which shows up as "set radius server" commands on the switches).
At that point, any time an end-system establishes a connection to a switch, the switch sends an authentication request to the NAC appliance. The NAC appliance sends back instructions as to which policy to apply.
To finish your example, you would manually set the switch ports to VLAN Y. That way, any MAC addresses not in the list get VLAN Y, and MAC addresses in the list get VLAN X.
There's a bit more to it, but that is the general idea. Enterasys' documentation explains it well; if you study the Policy and NAC documents (and do some testing), it should work for you.
By the way, your first policy line is correct ("set policy profile 1 name GUEST pvid-status enable pvid Y untagged-vlans Y"). The second line is almost correct (should be "set policy rule 6 macsource 00-12-34-00-00-00 mask 24 vlan X"), but as you say that particular command is not supported on C-series (only N, S, and K).
Aaron Taye
Senior Network Engineer
Contractor, TerpSys (r)
National Cancer Institute, CBIIT
-----Original Message-----
From: Marki [mailto:tsp+***@iip.lu]
Sent: Friday, August 30, 2013 4:46 AM
To: Enterasys Customer Mailing List
Subject: [enterasys] set VLAN by MAC address (NAC)
Hi,
a few years ago I started digging around the Policy Manager and the NAC.
However, nothing was ever put into place.
Now the need for it starts getting more real.
Now I'd like to configure at least some small things manually:
Let's start small with the following profile:
1) Certain MAC ranges put the port into VLAN X.
2) Otherwise, put the port into VLAN Y.
I've tried this on the console.
set policy profile 1 name GUEST pvid-status enable pvid Y untagged-vlans Y
set policy rule 1 macsource 00-12-34-00-00-00/24 vlan X
Showstopper right there.
Apparently, the vlan/macsource combo is not allowed. (C3)
Was that attempt correct?
Would you also remind me what the actual NAC appliance does when you only do things like deciding, based on a MAC address, what's done with the port (like in my example)? Does it do more than push a policy to the switch, as I have done above?
Bye,
Marki
---
To unsubscribe from enterasys, send email to ***@unc.edu with the body: unsubscribe enterasys ***@mail.nih.gov
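The MAC-to-policy decision Aaron describes (the NAC appliance, acting as the switch's RADIUS server, matches the end-system's MAC against a list and hands back a policy name; unmatched stations fall back to the port's manually set VLAN Y) as an added example; it is not code from the thread or from Enterasys. The rule list, policy names and the mask-based prefix matching that mirrors the "macsource 00-12-34-00-00-00 mask 24" syntax are constructed assumptions.

```python
"""Added example (not from the thread): a minimal model of the NAC decision
described above. The appliance maps the connecting end-system's MAC address
to a policy name; the switch then applies that policy. The rule list, policy
names and VLAN numbers are constructed placeholders."""
import re

# Constructed rules: (prefix, prefix length in bits, policy), in the same
# spirit as "set policy rule ... macsource 00-12-34-00-00-00 mask 24 vlan X".
MAC_RULES = [
    ("00-12-34-00-00-00", 24, "CONTAIN_VLAN_X"),   # a whole OUI range
    ("00-aa-bb-cc-dd-ee", 48, "CONTAIN_VLAN_X"),   # one specific end-system
]
# Policy handed back when no rule matches: the port keeps its PVID (VLAN Y).
# The name reuses the "GUEST" profile from the thread's first CLI line.
DEFAULT_POLICY = "GUEST"


def mac_to_int(mac: str) -> int:
    """Normalise dashed, colon or dotted MAC notation into a 48-bit integer."""
    hexdigits = re.sub(r"[-:.]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", hexdigits):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return int(hexdigits, 16)


def mac_matches(mac: str, prefix: str, bits: int) -> bool:
    """True if the top `bits` bits of `mac` equal those of `prefix`."""
    if not 0 <= bits <= 48:
        raise ValueError("mask must be between 0 and 48 bits")
    mask = ((1 << bits) - 1) << (48 - bits)
    return (mac_to_int(mac) & mask) == (mac_to_int(prefix) & mask)


def nac_decide(mac: str) -> str:
    """Return the policy name the NAC would send back for this end-system.
    First matching rule wins; anything else gets the default (VLAN Y) policy."""
    for prefix, bits, policy in MAC_RULES:
        if mac_matches(mac, prefix, bits):
            return policy
    return DEFAULT_POLICY


if __name__ == "__main__":
    for station in ("00:12:34:56:78:9a", "0012.3456.789a", "00-12-35-00-00-01"):
        print(station, "->", nac_decide(station))
```

The decision keys only on the MAC address the station presents, so from a risk standpoint it is a low-assurance control compared with user or certificate authentication, which is why Aaron also mentions device type, user, time and location as additional NAC criteria.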