Discussion:
set VLAN by MAC address (NAC)
Marki
2013-10-26 20:30:58 UTC
By the way, your first policy line is correct ("set policy profile 1 name GUEST pvid-status enable pvid Y untagged-vlans Y"). The second line is almost correct (should be "set policy rule 6 macsource 00-12-34-00-00-00 mask 24 vlan X"), but as you say that particular command is not supported on C-series (only N, S, and K).
Thanks a lot for your detailed answer.

Does this mean that what I wanted to do here will not work no matter what,
independent of whether I use the CLI or the NAC/PolicyManager/etc. combo? How else
would I contain 'guest' devices on edge switches in a way that they end up
in e.g. a VLAN that is heavily firewalled?

Bye,
Marki


---
To unsubscribe from enterasys, send email to ***@unc.edu with the body: unsubscribe enterasys gneu-***@gmane.org
Jason Parker
2013-10-26 20:41:50 UTC
Permalink
Check out the Enterasys Videos on YouTube

http://www.youtube.com/playlist?list=PLD0A4267BC50654DB&feature=plcp

Jason Parker
Hi,
a few years ago I started digging around the Policy Manager and the NAC.
However, nothing was ever put into place.
Now the need for it starts getting more real.
1) Certain MAC ranges put the port into VLAN X.
2) Else put port into VLAN Y.
I've tried this on the console.
set policy profile 1 name GUEST pvid-status enable pvid Y untagged-vlans Y
set policy rule 1 macsource 00-12-34-00-00-00/24 vlan X
Showstopper right there.
Apparently, the vlan/macsource combo is not allowed. (C3)
Was that attempt correct?
Would you also remind me what the actual NAC appliance does when all you do is
things like deciding by MAC address what is done with the port and what is
not (like in my example)? Does it do more than push a policy to the switch, as I
have done above?
Bye,
Marki
Marki
2013-10-26 20:46:28 UTC
Post by Jason Parker
Check out the Enterasys Videos on YouTube
http://www.youtube.com/playlist?list=PLD0A4267BC50654DB&feature=plcp
Jason Parker

Oh, I have seen that already. That is in fact what motivated me to try it
with the C3, which seems unable to do it. Thus my question how this is
supposed to work for edge devices and thus on edge switches...

Bye,
Marki


Hawkins, Michael Stephen
2013-10-27 10:09:38 UTC
This will work on any Enterasys switch properly setup for NAC.

Mike Hawkins
UNC Chapel Hill

Marki
2013-10-27 13:35:53 UTC
Post by Hawkins, Michael Stephen
This will work on any Enterasys switch properly setup for NAC.
So what exact policy would the NAC apply to a C-Series switch in that case?

If using "set policy rule 6 macsource 00-12-34-00-00-00 mask 24 vlan X" does
not work on C-Series, how would using the NAC make this work nevertheless?
Would it simply connect to the switch and issue a "set port vlan ..." or how
do I have to imagine this?


James Andrewartha
2013-10-27 15:08:56 UTC
What you need is MAC authentication enabled on the C3, which will then
query NAC over RADIUS, NAC will match the MAC address against a rule and
send back a policy that maps it to vlan X.

The S/N/K switches can do this without having authentication enabled on
the port, and they can then apply arbitrary policies to that traffic, e.g.
I have one that drops port 5353 (mDNS) from our Apple TVs at the core:

set policy profile 14 name "Apple TV Block"
set policy rule admin-profile macsource 7c-d1-c3-00-00-00 mask 24 admin-pid 14
set policy rule admin-profile macsource 9c-20-7b-00-00-00 mask 24 admin-pid 14
set policy rule 14 udpsourceportIP 5353 mask 16 drop
set policy rule 14 udpdestportIP 5353 mask 16 drop


Whereas B/C/G can only apply a policy to all of the traffic from that MAC
address.
--
James Andrewartha

Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877



Yang, Charles
2013-10-27 16:35:47 UTC
Just thinking that Apple TV uses a multicast TTL of 1 (hop count of 1). It means it will not broadcast outside of its existing subnet, so limiting the subnet to a smaller range can also kill the use of Apple TV.

In wireless, limiting the subnet range is often not practical; use the tip at your discretion.

Sent from my iPhone
Zdenek Pala
2013-10-27 18:06:16 UTC
You can configure more policy profiles.

Based on MAC authentication the RADIUS server will send an accept with
the Filter-Id attribute containing the policy profile name. Then the
switch will apply the correct policy profile (including the VLAN
assignment) to the traffic ingressing the port with the authenticated
source MAC.

Good luck

Zdenek Pala

Sent from BYOD device
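The flow James and Zdenek describe (switch does MAC authentication, asks RADIUS, NAC matches the MAC against "macsource <mac> mask <bits>" style rules and answers with a Filter-Id naming the policy profile, the switch then applies that profile including its VLAN) is modelled below as an added, self-contained Python example. It is not code from the thread or from Enterasys. The rule table, profile names and the Filter-Id encoding ("Enterasys:version=1:policy=<name>") are assumptions for illustration; the OUIs are the ones quoted in the thread and Marki's 00-12-34 example range. The parser accepts both syntaxes that appear in the thread (the "/24" form Marki typed on the C3 and the "mask 24" form), and the matcher handles any prefix length, not only 24.

```python
"""Toy NAC decision logic for MAC-authentication (added example, not from the thread).

Assumed conventions (not confirmed by the thread):
  - RADIUS reply carries Filter-Id = "Enterasys:version=1:policy=<profile name>"
  - first matching rule wins; anything unmatched falls through to the GUEST profile
"""
import re

_MAC_CHARS = re.compile(r"[0-9a-fA-F:.\-]+")
_HEX12 = re.compile(r"[0-9a-fA-F]{12}")


def mac_to_int(mac: str) -> int:
    """Parse 00-12-34-56-78-9a, 00:12:34:56:78:9a or 0012.3456.789a into a 48-bit int."""
    if not _MAC_CHARS.fullmatch(mac):
        raise ValueError(f"bad MAC: {mac!r}")
    digits = re.sub(r"[:.\-]", "", mac)
    if not _HEX12.fullmatch(digits):
        raise ValueError(f"bad MAC: {mac!r}")
    return int(digits, 16)


def mac_matches(mac: str, rule_mac: str, mask_bits: int) -> bool:
    """True if the top `mask_bits` bits of `mac` equal those of `rule_mac`.

    mask 24 compares the OUI (vendor prefix) only; mask 48 is an exact match.
    """
    if not 0 <= mask_bits <= 48:
        raise ValueError("mask must be between 0 and 48 bits")
    mask = ((1 << mask_bits) - 1) << (48 - mask_bits)
    return (mac_to_int(mac) & mask) == (mac_to_int(rule_mac) & mask)


# Matches either "macsource <mac>/<bits>" or "macsource <mac> mask <bits>".
_MACSOURCE = re.compile(
    r"macsource\s+([0-9a-fA-F:.\-]+?)(?:/(\d+)|\s+mask\s+(\d+))(?=\s|$)")


def parse_macsource(line: str) -> tuple:
    """Extract (mac, mask_bits) from a 'set policy rule ... macsource ...' line."""
    m = _MACSOURCE.search(line)
    if not m:
        raise ValueError(f"no macsource clause in {line!r}")
    return m.group(1), int(m.group(2) or m.group(3))


# Constructed rule table: (rule MAC, mask bits, policy profile name). Ordered; first hit wins.
RULES = [
    ("00-12-34-00-00-00", 24, "CORPORATE"),       # Marki's example range -> VLAN X profile
    ("7c-d1-c3-00-00-00", 24, "Apple TV Block"),  # OUIs from James's S/N/K example
    ("9c-20-7b-00-00-00", 24, "Apple TV Block"),
]
DEFAULT_PROFILE = "GUEST"  # the "else" case: profile 1 with pvid Y in the thread


def lookup_profile(mac: str) -> str:
    """Return the policy profile name the NAC would pick for this client MAC."""
    for rule_mac, bits, profile in RULES:
        if mac_matches(mac, rule_mac, bits):
            return profile
    return DEFAULT_PROFILE


def radius_reply(client_mac: str) -> dict:
    """Simplified RADIUS answer to the switch's MAC-auth request.

    A malformed MAC (MAC auth sends the MAC as the user name) is rejected outright
    instead of silently landing in GUEST, so a bad request never gets network access.
    """
    try:
        profile = lookup_profile(client_mac)
    except ValueError:
        return {"code": "Access-Reject", "attributes": {}}
    return {
        "code": "Access-Accept",
        "attributes": {"Filter-Id": f"Enterasys:version=1:policy={profile}"},
    }


if __name__ == "__main__":
    for mac in ("00-12-34-aa-bb-cc", "7C:D1:C3:11:22:33", "b8-27-eb-00-00-01", "zz-zz"):
        print(mac, "->", radius_reply(mac))
```

Because the C-series only learns the profile from the RADIUS reply, the whole decision lives on the NAC side: the switch never needs the unsupported "macsource ... vlan X" rule itself, it just needs MAC authentication enabled and the GUEST/CORPORATE profiles defined locally so the returned name resolves.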