Frequently Asked Questions



112. What are your plans for a common client network configuration?

At BMC we have plenty of different client networks. See the FAQ about VLANs at BMC.

We were hoping that the network investigation (2016) and the new Segerstedt building (2017) would solve some of this, but it has not. Maybe BMC is unique in having so many different departments from different parts of the university in the same building.

  1. Proposed solution: Use Wireless
  2. Proposed solution: Continue using the wired network
    1. Option: Large and wide VLANs for all clients aka the Segerstedt model.
    2. Option: Use Private VLAN and PVLAN Edge
    3. Option: Use only Protected Ports.
    4. Option: Use Cisco software defined networks
    5. Option: Use automatically configured VLAN

Goals

Possible problems with relying on only Eduroam or a protected ports / Private VLAN network:

1. Possible solution: Use wireless

Let the new computers use Eduroam as the preferred network.

This may require a lot more rapid response in fixing coverage and capacity problems for the wireless network.

Cons: Shared medium. Easy to disrupt.

2. Possible solution: Continue using the wired network

2.A. Option: Large and wide VLANs for all clients aka the Segerstedt model.

Use a few big VLANs and don't worry too much.

Perhaps use DHCP Snooping.

All clients are wide open to all other clients on the VLAN.

All existing subnets could also be put in this VLAN, and then no client needs to change any settings. But then again there is no security on the L2 level: L3 router filters between the subnets can still stop traffic, but hosts on the same VLAN reach each other directly without passing the router.

2.B. Option: Use Private VLAN and PVLAN Edge

Read more about Private VLAN. Get a new generation of switches that support Private VLAN. The current generation C2960S and C2960X do not support Private VLAN; only the single C2960XR does support it. Continue using the older switches as edge switches using the PVLAN Edge feature.

It looks like the I-Port on a Private VLAN can only carry a single untagged VLAN. This means that even though the simpler switches with PVLAN Edge could carry many VLANs, they cannot be combined with the Private VLAN I-Ports. (Perhaps except by using multiple uplinks, but I do not think we want to go there.) This needs to be confirmed by testing.

It may be possible to build a hybrid network combining a backbone of distribution switches (C2960XR, C3750, C3560 etc.) using Private VLAN with access switches (directly connected to clients) using PVLAN Edge (C2960X, C2960S etc.). Connect all clients to I-Ports, either directly or on a hybrid network via switches with PVLAN Edge ports.


   ======================C6500=router=========================================
         Etherchannel                Etherchannel                  I-Port
            trunk                       I-Port                       |
            |   |                       |   |                        |
   =====C2960XR=stack=====    =====C2960S==stack=(1VLAN)===          |
         Etherchannel                Etherchannel                    |
            |   |                     Protected                      |
            |   |                       |   |                        |
   =====C2960X==(1VLAN)==     ====C2960S====(1VLAN)==    ====C2960X==(1VLAN)===
    Protected   Protected       Protected   Protected     Protected  Protected
        |           |               |           |            |          |
    Computer1   Computer2       Computer3   Computer4     Computer5  Computer6
    
Reference: Consolidated Platform Configuration Guide, Cisco IOS XE 15.2(6)E (Catalyst 2960-X Switch) - Configuring Private VLANs - Cisco
Reference: Cisco Catalyst 2960-X Series FAQ - Cisco

2.C. Option: Use only Protected Ports.

Only use the PVLAN Edge (protected ports) feature to block traffic between clients. The problem with this solution is that it cannot really be combined with multiple VLANs on the same uplinks, unless it is used on the whole network with a switch topology that has Protected Ports on all downlinks everywhere; whether this is possible on Cisco is unknown.

There is an L3 workaround for the L2 block using local-proxy-arp, but it is probably not a good idea. In theory that could be run on all VLANs as they are, but it only restores L3 connectivity: L2-only protocols such as zero-configuration networking (Apple Bonjour) will not work.

See the background below for details on how to set it up. It is most probably not a practical solution.

2.D. Option: Use Cisco software defined networks

Probably expensive, requires new equipment and is a bit more complicated than we need.

Reference: Cisco Identity Services Engine Data Sheet - Cisco

Reference: Cisco SD-Access Ordering Guide - SD-Access Platform Support Summary - Cisco

2.E. Option: Use automatically configured VLAN

Use the MAC address or a login to automatically configure the VLAN on each edge switch port.

All clients that are in a BlueCat whitelist somewhere at the university (but not at BMC) should go to a common work network with no captive portal but with access to EduPrint etc.

Maybe it is possible to populate the RADIUS database with MAC addresses from the BlueCat whitelists using the API. Integration would be a plus.

1. Optional login with username and password, then select the correct VLAN based on the username. For extra security or special cases.
2. Check if the client MAC address is in a BlueCat whitelist here at BMC (the local campus) and select the corresponding local VLAN:
     Vlan660 FarmBio
     Vlan661 ILK-fkog
     Vlan662 MCB-instr
     Vlan663 Kemi-analut
     Vlan664 Neuro
     ... all the different local VLANs
3. Check if the client is in any whitelist at the university and pick the same VLAN for all of them: Vlan ? UU-Work
4. All others (students, guests, private computers) need to use the captive portal to log in: Vlan695 Netlogin
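The four steps above as an added example written for this FAQ entry; it is not code from the page, from Cisco or from BlueCat. It plays the part of the RADIUS server's decision: the switch sends the client's MAC address (MAB) or a username (802.1X) and gets back the VLAN to put the port in. The VLAN ids are the ones listed above; the whitelist contents, the username override table and the use of the VLAN name "UU-Work" (the page leaves that VLAN id undecided) are constructed assumptions.

```python
"""Policy for the 'automatically configured VLAN' option (2.E).  Added example,
not code from the FAQ page, Cisco or BlueCat.  It implements the four steps in
order and builds the RADIUS reply attributes that make the switch assign the
VLAN.  Whitelist contents, usernames and MAC addresses are constructed."""
import re

# Step 2: local BMC whitelists map to these local VLANs (ids from the FAQ)
BMC_LOCAL_VLANS = {
    "FarmBio": 660,
    "ILK-fkog": 661,
    "MCB-instr": 662,
    "Kemi-analut": 663,
    "Neuro": 664,
}
UU_WORK_VLAN = "UU-Work"   # assumption: VLAN name used until the id is chosen
NETLOGIN_VLAN = 695        # step 4: captive portal VLAN (Netlogin) from the FAQ

# Constructed sample data standing in for BlueCat exports and a user directory
BMC_WHITELISTS = {
    "FarmBio": {"00:11:22:33:44:55"},
    "Neuro": {"00:11:22:33:44:66"},
}
UU_WHITELIST = {"00:11:22:33:44:77", "00:11:22:33:44:55"}  # overlaps FarmBio on purpose
USER_VLANS = {"labadmin": 662}   # step 1: username -> VLAN for special cases


def normalize_mac(mac):
    """Accept the MAC formats a switch may send as the MAB username
    (001122334455, 0011.2233.4455, 00-11-22-33-44-55, 00:11:22:33:44:55)
    and return the colon-separated lowercase form used in the whitelists."""
    digits = re.sub(r"[.:-]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError("not a MAC address: %r" % mac)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def select_vlan(mac, username=None):
    """Return (vlan, reason) following the four FAQ steps, first match wins."""
    mac = normalize_mac(mac)
    # 1. an authenticated username with a configured VLAN wins over any MAC whitelist
    if username is not None and username in USER_VLANS:
        return USER_VLANS[username], "user:%s" % username
    # 2. local BMC whitelist -> that department's local VLAN
    for name, macs in BMC_WHITELISTS.items():
        if mac in macs:
            return BMC_LOCAL_VLANS[name], "bmc-whitelist:%s" % name
    # 3. any whitelist elsewhere at the university -> the common work VLAN
    if mac in UU_WHITELIST:
        return UU_WORK_VLAN, "uu-whitelist"
    # 4. everyone else (students, guests, private computers) -> captive portal
    return NETLOGIN_VLAN, "netlogin"


def radius_reply(vlan):
    """RFC 3580 attributes a RADIUS server returns for a VLAN assignment;
    Cisco accepts either the VLAN id or the VLAN name in Tunnel-Private-Group-ID."""
    return {
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-ID": str(vlan),
    }


if __name__ == "__main__":
    for mac, user in (("0011.2233.4455", None), ("001122334477", None),
                      ("00-11-22-33-44-88", None), ("001122334455", "labadmin")):
        vlan, why = select_vlan(mac, user)
        print(mac, user, "->", why, radius_reply(vlan))
```

The ordering matters: a MAC that appears both in a local BMC whitelist and in another campus whitelist lands in the local VLAN (step 2 before step 3), and a username override is consulted before any MAC lookup, which is what "extra security or special cases" in step 1 asks for.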

Pros:

Cons:

Unknowns:


Reference: MAC Authentication Bypass Deployment Guide - Cisco
Reference: Consolidated Platform Configuration Guide, Cisco IOS XE 15.2(6)E (Catalyst 2960-X Switch) - MAC Authentication Bypass - Cisco
Reference: Command Reference, Cisco IOS Release 15.2(2)E (Catalyst 2960, 2960-S, 2960-SF and 2960-Plus Switches) - authentication event - Cisco

Background: How does Protected Ports work on a multi-switch network

All uplinks must be configured normally, i.e. as promiscuous (unprotected) ports. All downlinks must be protected. The network topology must be strictly hierarchical, with all routers and servers connected via promiscuous ports on a single switch.

In this first example arbitrary client ports have been made protected. This only works on a single switch: Computer1 and Computer2 cannot talk to each other since they are both on protected ports on the single Switch1. But protected ports on different switches can talk to each other, because traffic may flow between a protected and a promiscuous port on a single switch, so Computer1 and Computer2 can both talk to Computer3.


                     Router
                       |
         ===========Switch2===============
             |                    |
    =====Switch1=========   =====Switch3=====
     Protected  Protected      Protected
        |         |               |
     Computer1  Computer2      Computer3   

In the second example all downlinks are protected. Traffic between Computer1 or Computer2 and Computer3 will be blocked on Switch2, because traffic cannot pass between two protected ports on the same switch.


                     Router
                       |
         ===========Switch2===============
          Protected            Protected
             |                    |
    =====Switch1=========   =====Switch3=====
     Protected  Protected      Protected
        |          |              |
     Computer1  Computer2      Computer3   
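The two Background diagrams as an executable model, added here as an example (not code from the page or from Cisco). It encodes the single rule that makes PVLAN Edge work, that a switch never forwards a frame from one protected port to another protected port on the same switch, floods a frame from each computer and reports which hosts receive it. Switch port names (Gi1/0/x) and the host port name "nic" are constructed.

```python
"""Model of the Cisco 'switchport protected' (PVLAN Edge) forwarding rule on a
multi-switch topology.  Added example for this FAQ entry, not from the page or
from Cisco: it rebuilds the two 'Background' diagrams as data and floods a
frame to see which hosts receive it.  Port names are constructed.

Rule modelled: a frame that enters a switch on a protected port is never sent
out another protected port of the SAME switch.  Protected <-> unprotected
(promiscuous) on one switch, and anything across a switch boundary, is allowed.
"""
from collections import deque


class Network:
    def __init__(self):
        self.links = {}         # (node, port) -> (node, port), stored both ways
        self.protected = set()  # switch ports configured with 'switchport protected'
        self.hosts = set()      # end nodes: the router and the computers never forward

    def add_host(self, name):
        self.hosts.add(name)

    def connect(self, a, a_port, b, b_port):
        self.links[(a, a_port)] = (b, b_port)
        self.links[(b, b_port)] = (a, a_port)

    def protect(self, switch, port):
        self.protected.add((switch, port))

    def ports_of(self, node):
        return sorted(p for (n, p) in self.links if n == node)

    def reachable_hosts(self, src_host):
        """Flood an unknown-destination frame from src_host; return the hosts that get it."""
        delivered, seen = set(), set()
        queue = deque([self.links[(src_host, "nic")]])   # (switch, ingress port)
        while queue:
            switch, ingress = queue.popleft()
            if (switch, ingress) in seen:
                continue
            seen.add((switch, ingress))
            ingress_protected = (switch, ingress) in self.protected
            for egress in self.ports_of(switch):
                if egress == ingress:
                    continue
                # PVLAN Edge rule: protected -> protected on the same switch is dropped
                if ingress_protected and (switch, egress) in self.protected:
                    continue
                nxt, nxt_port = self.links[(switch, egress)]
                if nxt in self.hosts:
                    delivered.add(nxt)
                else:
                    queue.append((nxt, nxt_port))
        return delivered


def build_background_example(protect_downlinks):
    """Topology of the Background diagrams: Switch2 at the top under the Router,
    Switch1 and Switch3 below it.  protect_downlinks=False is the first diagram
    (only client ports protected), True the second (Switch2's downlinks too)."""
    net = Network()
    for h in ("Router", "Computer1", "Computer2", "Computer3"):
        net.add_host(h)
    net.connect("Router", "nic", "Switch2", "Gi1/0/1")
    net.connect("Switch2", "Gi1/0/2", "Switch1", "Gi1/0/24")
    net.connect("Switch2", "Gi1/0/3", "Switch3", "Gi1/0/24")
    net.connect("Computer1", "nic", "Switch1", "Gi1/0/1")
    net.connect("Computer2", "nic", "Switch1", "Gi1/0/2")
    net.connect("Computer3", "nic", "Switch3", "Gi1/0/1")
    for sw, port in (("Switch1", "Gi1/0/1"), ("Switch1", "Gi1/0/2"), ("Switch3", "Gi1/0/1")):
        net.protect(sw, port)
    if protect_downlinks:
        net.protect("Switch2", "Gi1/0/2")
        net.protect("Switch2", "Gi1/0/3")
    return net


def reachability_report(protect_downlinks):
    """Map each computer to the sorted list of hosts its broadcasts reach."""
    net = build_background_example(protect_downlinks)
    return {c: sorted(net.reachable_hosts(c)) for c in ("Computer1", "Computer2", "Computer3")}


if __name__ == "__main__":
    for label, flag in (("first diagram", False), ("second diagram", True)):
        print(label, reachability_report(flag))
```

With only the client ports protected (first diagram) Computer1 still reaches Computer3 through the unprotected uplinks; once Switch2's downlinks are protected as well (second diagram) every computer reaches only the Router, which is the hierarchical layout the text describes. Adding a second uplink or a server on a protected port to the model shows immediately where the rule breaks down.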


Regarding the Cisco PVLAN Edge

It may be possible to use the protected ports feature on an EtherChannel group, according to the "Configuring Protected Ports" section for, for example, the Cisco Catalyst C3850:

You can configure protected ports on a physical interface (for example, Gigabit Ethernet port 1) or an EtherChannel group (for example, port-channel 5). When you enable protected ports for a port channel, it is enabled for all ports in the port-channel group.

This would in theory make it possible to cascade down from a stack of distribution switches to an edge switch. However, it does not seem possible to use the Protected Port feature on a single VLAN within a trunk; it applies to the whole trunk port or not at all. There are two possible solutions for this:


            Router
               |
    ====Switch1=C2960S=C2960S==== (multiple VLANs)
     Pro.  Pro.  Pro.  Protected
      |     |     |   Etherchannel
    Comp1 Comp2 Comp3  |  |  |
                       |  |  |
    ======SwitchC2960S=C2960S==== (single VLAN)
     Pro.   Pro.
      |      |
     Comp4 Comp5




This entry network.8021x was last modified 2018-01-19


This documentation is covered by the GNU Free Documentation License.