Assign computers to specific VLANs with Dell PowerConnect 3524/6224


Our network consists of a number of Dell PowerConnect switches: 1 x 6224 (core switch) and 5 x 3524 cabinet switches.

We are using VLANs to segregate different classes of systems. This was first achieved by assigning VLANs to specific switch ports, and this worked fine until people started moving devices around. At this point, I introduced port security, locking a specific port to the MAC address of the device allowed to use the port.

What I'd like to achieve is to configure the switches so that MAC addresses are locked to VLANs rather than specific ports, because we do have laptop users that need to move around the building from time to time.

I've consulted the switch documentation and this mentions the command mac-to-vlan <mac-address> <vlan-id>; however, the documentation goes on to say...

The bind MAC to VLAN feature (MAC to
VLAN assignment) is deprecated in
versions that include the Dynamic VLAN
Assignment feature (DVA). DVA Provides
the same functionality as MAC to VLAN
Assignment, but does so in a standard
way.

As I don't have mac-to-vlan, I figured DVA was the way forward, but the documentation supplied with the switch says very little about DVA. What it does say is…

Dynamic VLAN Assignment — Indicates
whether dynamic VLAN assignment is
enabled for this port. This feature
allows network administrators to
automatically assign users to VLANs
during the RADIUS server
authentication. When a user is
authenticated by the RADIUS server,
the user is automatically joined to
the VLAN configured on a RADIUS
server.

This sounds to me like it is used for assigning users to VLANs, not computers!

I have electronic versions of the documentation, and can't find any other references about configuring DVA to assign a MAC to a VLAN.

I'm hoping somebody can shed some light on this?

Best Answer

The dynamic VLAN feature is actually still based on the MAC address... or can make use of a captive portal. I.e. you can dump "unauthenticated" workstations into a specific VLAN that only allows access to a locked-down website asking for a username/password, which will grant them access to a specific VLAN.

For MAC authentication, you simply supply the username & password as the MAC address in the RADIUS server.

As far as RADIUS authentication goes... I've set it up in a lab, but have yet to deploy it. It works great as long as you take some important things into consideration... I could go into details, but that's a very long discussion.
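
The MAC-as-username-and-password setup described in the answer, as an added example that is not part of the original answer: a script that turns a MAC-to-VLAN inventory into RADIUS entries carrying the RFC 3580 VLAN attributes. It assumes a FreeRADIUS-style `users` file; the function names, the sample MACs and VLAN IDs are constructed, and the MAC notation the switch sends as the user name is an assumption to confirm against the RADIUS log.

```python
import re

# RFC 3580 tunnel attributes a RADIUS server returns to place a port in a VLAN.
VLAN_REPLY = (
    "    Tunnel-Type = VLAN,\n"
    "    Tunnel-Medium-Type = IEEE-802,\n"
    '    Tunnel-Private-Group-Id = "{vlan}"\n'
)

def normalize_mac(mac, sep="", upper=False):
    """Strip any separators and re-emit the MAC in the format the switch sends.

    The format (separator, case) is an assumption: check what the switch puts
    in User-Name in the RADIUS server log and set sep/upper to match.
    """
    digits = re.sub(r"[-:.\s]", "", mac)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    digits = digits.upper() if upper else digits.lower()
    return sep.join(digits[i:i + 2] for i in range(0, 12, 2))

def users_entries(inventory, sep="", upper=False):
    """Build FreeRADIUS 'users' file entries from (mac, vlan) pairs."""
    seen = {}
    out = []
    for mac, vlan in inventory:
        name = normalize_mac(mac, sep, upper)
        if not 1 <= int(vlan) <= 4094:
            raise ValueError(f"VLAN id out of range for {mac}: {vlan}")
        if name in seen:
            raise ValueError(f"{mac} listed twice (VLAN {seen[name]} and {vlan})")
        seen[name] = vlan
        # User name and password are both the MAC, as the answer describes.
        # A MAC is an identifier, not a secret: this is VLAN placement,
        # not strong authentication.
        out.append(f'{name} Cleartext-Password := "{name}"\n'
                   + VLAN_REPLY.format(vlan=vlan))
    return "\n".join(out)

# Constructed sample inventory: MACs may be written in any common notation.
SAMPLE = [("00:1A:2B:3C:4D:5E", 20), ("0011.2233.4455", 30)]

if __name__ == "__main__":
    print(users_entries(SAMPLE))
```

Rejecting duplicate and malformed entries at generation time keeps a device from silently matching the wrong VLAN entry in the file.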