Configuration Guide Vol. 2

9.1.3 Configuring Dynamic VLAN

<Structure of this section>

(1) Basic settings for the local authentication method

The figure below shows the basic configuration required to use local authentication. Note that the terminal obtains its IP address from the internal DHCP server prior to authentication and from an external DHCP server after authentication.

This configuration includes putting a filter in place that prohibits communication between the pre-authentication VLAN and the post-authentication VLAN.

Figure 9-4: Basic configuration of the local authentication method for dynamic VLAN

[Figure Data]

(a) Configuring Authentication Ports

Points to note

Configure the port to be used for Web authentication.

Command examples

  1. (config)# interface gigabitethernet 1/0/4

    (config-if)# switchport mode mac-vlan

    (config-if)# switchport mac native vlan 10

    (config-if)# web-authentication port

    (config-if)# exit

    Assigns a MAC VLAN and configures Web authentication at a port where terminals will be authenticated.

  2. (config)# interface range gigabitethernet 1/0/9-10

    (config-if-range)# switchport mode access

    (config-if-range)# switchport access vlan 50

    (config-if-range)# exit

    Specifies the access port of the network accessed after authentication.

(b) IP addressing for VLAN interfaces

Points to note

Assign IP addresses to the pre-authentication and post-authentication VLANs.

Command examples

  1. (config)# interface vlan 10

    (config-if)# ip address 192.168.10.254 255.255.255.0

    (config-if)# exit

    (config)# interface vlan 50

    (config-if)# ip address 192.168.50.254 255.255.255.0

    (config-if)# exit

    Assigns IP addresses to the pre-authentication VLAN and the post-authentication VLAN.

(c) Configuring Authentication-Only IPv4 Access Lists

Points to note

Configure an authentication IPv4 access list that allows traffic from unauthenticated terminals to reach destinations outside the Switch.

Command examples

  1. (config)# ip access-list extended 100

    (config-ext-nacl)# permit udp host 0.0.0.0 host 192.168.10.254 eq bootps

    (config-ext-nacl)# permit udp host 0.0.0.0 host 255.255.255.255 eq bootps

    (config-ext-nacl)# permit ip host 192.168.10.0 host 192.168.10.1

    (config-ext-nacl)# exit

    (config)# interface gigabitethernet 1/0/4

    (config-if)# authentication ip access-group 100

    (config-if)# authentication arp-relay

    (config-if)# exit

    Configures an authentication IPv4 access list that allows unauthenticated terminals to send DHCP packets to the internal DHCP server, and to access the default gateway of VLAN 10 (IP address 192.168.10.1). These commands also configure the Switch to forward ARP packets to external destinations.

(d) Prohibit communication between VLAN

Points to note

Filter traffic between the pre-authentication and post-authentication VLANs.

Command examples

  1. (config)# ip access-list extended 110

    (config-ext-nacl)# permit udp host 0.0.0.0 host 192.168.10.254 eq bootps

    (config-ext-nacl)# permit udp host 0.0.0.0 host 255.255.255.255 eq bootps

    (config-ext-nacl)# permit ip 192.168.10.0 0.0.0.255 192.168.10.0 0.0.0.255

    (config-ext-nacl)# deny ip any any

    (config-ext-nacl)# exit

    (config)# interface vlan 10

    (config-if)# ip access-group 110 in

    (config-if)# exit

  2. (config)# ip access-list extended 150

    (config-ext-nacl)# permit udp host 0.0.0.0 host 192.168.50.100 eq bootps

    (config-ext-nacl)# permit udp host 0.0.0.0 host 255.255.255.255 eq bootps

    (config-ext-nacl)# permit udp host 192.168.50.100 any eq bootpc

    (config-ext-nacl)# permit ip 192.168.50.0 0.0.0.255 192.168.50.0 0.0.0.255

    (config-ext-nacl)# deny ip any any

    (config-ext-nacl)# exit

    (config)# interface vlan 50

    (config-if)# ip access-group 150 in

    (config-if)# exit

    Configures the switch to block communication between the pre-authentication VLAN and the post-authentication VLAN.

(e) Configuration of Web authentication

Points to note

Enable Web authentication by using configuration commands.

Command examples

  1. (config)# web-authentication ip address 10.10.10.1

    Sets the Web authentication IP address (IPv4 address).

  2. (config)# web-authentication system-auth-control

    Starts Web authentication.

(2) Basic settings for RADIUS authentication method

The figure below shows the basic configuration required to use RADIUS authentication. Note that the terminal obtains its IP address from the internal DHCP server prior to authentication and from an external DHCP server after authentication.

This configuration includes putting a filter in place that prohibits communication between the pre-authentication VLAN and the post-authentication VLAN.

Figure 9-5: Basic configuration of RADIUS authentication-method for dynamic VLAN

[Figure Data]

(a) Configuring Authentication Ports

Points to note

Configure the port to be used for Web authentication.

Command examples

  1. (config)# interface gigabitethernet 1/0/4

    (config-if)# switchport mode mac-vlan

    (config-if)# switchport mac native vlan 10

    (config-if)# web-authentication port

    (config-if)# exit

    Assigns a MAC VLAN and configures Web authentication at a port where terminals will be authenticated.

  2. (config)# interface range gigabitethernet 1/0/9-10

    (config-if-range)# switchport mode access

    (config-if-range)# switchport access vlan 50

    (config-if-range)# exit

    Specifies the access port of the network accessed after authentication.

(b) IP addressing for VLAN interfaces

Points to note

Assign IP addresses to the pre-authentication and post-authentication VLANs.

Command examples

  1. (config)# interface vlan 10

    (config-if)# ip address 192.168.10.254 255.255.255.0

    (config-if)# exit

    (config)# interface vlan 50

    (config-if)# ip address 192.168.50.254 255.255.255.0

    (config-if)# exit

    Assigns IP addresses to the pre-authentication VLAN and the post-authentication VLAN.

(c) Configuring Authentication-Only IPv4 Access Lists

Points to note

Configure an authentication IPv4 access list that allows traffic from unauthenticated terminals to reach destinations outside the Switch.

Command examples

  1. (config)# ip access-list extended 100

    (config-ext-nacl)# permit udp host 0.0.0.0 host 192.168.10.254 eq bootps

    (config-ext-nacl)# permit udp host 0.0.0.0 host 255.255.255.255 eq bootps

    (config-ext-nacl)# permit ip host 192.168.10.0 host 192.168.10.1

    (config-ext-nacl)# exit

    (config)# interface gigabitethernet 1/0/4

    (config-if)# authentication ip access-group 100

    (config-if)# authentication arp-relay

    (config-if)# exit

    Configures an authentication IPv4 access list that allows unauthenticated terminals to send DHCP packets to the internal DHCP server and to access the default gateway of VLAN 10 (IP address 192.168.10.1). These commands also configure the Switch to forward ARP packets to external destinations.

(d) Prohibit communication between VLAN

Points to note

Filter traffic between the pre-authentication and post-authentication VLANs.

Command examples

  1. (config)# ip access-list extended 110

    (config-ext-nacl)# permit udp host 0.0.0.0 host 192.168.10.254 eq bootps

    (config-ext-nacl)# permit udp host 0.0.0.0 host 255.255.255.255 eq bootps

    (config-ext-nacl)# permit ip 192.168.10.0 0.0.0.255 192.168.10.0 0.0.0.255

    (config-ext-nacl)# deny ip any any

    (config-ext-nacl)# exit

    (config)# interface vlan 10

    (config-if)# ip access-group 110 in

    (config-if)# exit

  2. (config)# ip access-list extended 150

    (config-ext-nacl)# permit udp host 0.0.0.0 host 192.168.50.100 eq bootps

    (config-ext-nacl)# permit udp host 0.0.0.0 host 255.255.255.255 eq bootps

    (config-ext-nacl)# permit udp host 192.168.50.100 any eq bootpc

    (config-ext-nacl)# permit ip 192.168.50.0 0.0.0.255 192.168.50.0 0.0.0.255

    (config-ext-nacl)# deny ip any any

    (config-ext-nacl)# exit

    (config)# interface vlan 50

    (config-if)# ip access-group 150 in

    (config-if)# exit

    Configures the switch to block communication between the pre-authentication VLAN and the post-authentication VLAN.

(e) Configuration of Web authentication

Points to note

Enable Web authentication by using configuration commands.

Command examples

  1. (config)# web-authentication ip address 10.10.10.1

    Sets the Web authentication IP address (IPv4 address).

  2. (config)# aaa authentication web-authentication default group radius

    (config)# web-authentication radius-server host 192.168.10.200 key "webauth"

    Specifies the IP address and RADIUS key used to access the RADIUS server to perform user authentication.

  3. (config)# web-authentication system-auth-control

    Starts Web authentication.

(3) RADIUS authentication method + setting when using external DHCP servers prior to authentication

The figure below describes the basic configuration required to use RADIUS authentication in an environment where terminals obtain IP addresses from external DHCP servers before and after authentication.

This configuration includes putting a filter in place that prohibits communication between the pre-authentication VLAN and the post-authentication VLAN.

Figure 9-6: Configuration when using RADIUS authentication-method and external DHCP servers for dynamic VLAN

[Figure Data]

(a) Configuring Authentication Ports

Points to note

Configure the port to be used for Web authentication.

Command examples

  1. (config)# interface gigabitethernet 1/0/4

    (config-if)# switchport mode mac-vlan

    (config-if)# switchport mac native vlan 10

    (config-if)# web-authentication port

    (config-if)# exit

    Assigns a MAC VLAN and configures Web authentication at a port where terminals will be authenticated.

  2. (config)# interface range gigabitethernet 1/0/9-10

    (config-if-range)# switchport mode access

    (config-if-range)# switchport access vlan 50

    (config-if-range)# exit

    Specifies the access port of the network accessed after authentication.

(b) IP addressing for VLAN interfaces

Points to note

Assign IP addresses to the pre-authentication and post-authentication VLANs.

Command examples

  1. (config)# interface vlan 10

    (config-if)# ip address 192.168.10.254 255.255.255.0

    (config-if)# exit

    (config)# interface vlan 50

    (config-if)# ip address 192.168.50.254 255.255.255.0

    (config-if)# exit

    Assigns IP addresses to the pre-authentication VLAN and the post-authentication VLAN.

(c) Configuring Authentication-Only IPv4 Access Lists

Points to note

Configure an authentication IPv4 access list that allows traffic from unauthenticated terminals to reach destinations outside the Switch.

Command examples

  1. (config)# ip access-list extended 100

    (config-ext-nacl)# permit udp host 0.0.0.0 host 192.168.10.100 eq bootps

    (config-ext-nacl)# permit udp host 0.0.0.0 host 255.255.255.255 eq bootps

    (config-ext-nacl)# permit ip host 192.168.10.0 host 192.168.10.1

    (config-ext-nacl)# exit

    (config)# interface gigabitethernet 1/0/4

    (config-if)# authentication ip access-group 100

    (config-if)# authentication arp-relay

    (config-if)# exit

    Configures an authentication IPv4 access list that allows unauthenticated terminals to send DHCP packets to an external DHCP server and to access the default gateway of VLAN 10 (IP address 192.168.10.1). These commands also configure the Switch to forward ARP packets to external destinations.

(d) Prohibit communication between VLAN

Points to note

Filter traffic between the pre-authentication and post-authentication VLANs.

Command examples

  1. (config)# ip access-list extended 110

    (config-ext-nacl)# permit udp host 0.0.0.0 host 192.168.10.254 eq bootps

    (config-ext-nacl)# permit udp host 0.0.0.0 host 255.255.255.255 eq bootps

    (config-ext-nacl)# permit udp host 192.168.10.100 any eq bootpc

    (config-ext-nacl)# permit ip 192.168.10.0 0.0.0.255 192.168.10.0 0.0.0.255

    (config-ext-nacl)# deny ip any any

    (config-ext-nacl)# exit

    (config)# interface vlan 10

    (config-if)# ip access-group 110 in

    (config-if)# exit

  2. (config)# ip access-list extended 150

    (config-ext-nacl)# permit udp host 0.0.0.0 host 192.168.50.100 eq bootps

    (config-ext-nacl)# permit udp host 0.0.0.0 host 255.255.255.255 eq bootps

    (config-ext-nacl)# permit udp host 192.168.50.100 any eq bootpc

    (config-ext-nacl)# permit ip 192.168.50.0 0.0.0.255 192.168.50.0 0.0.0.255

    (config-ext-nacl)# deny ip any any

    (config-ext-nacl)# exit

    (config)# interface vlan 50

    (config-if)# ip access-group 150 in

    (config-if)# exit

    Configures the switch to block communication between the pre-authentication VLAN and the post-authentication VLAN.

(e) Configuration of Web authentication

Points to note

Enable Web authentication by using configuration commands.

Command examples

  1. (config)# web-authentication ip address 10.10.10.1

    Sets the Web authentication IP address (IPv4 address).

  2. (config)# aaa authentication web-authentication default group radius

    (config)# web-authentication radius-server host 192.168.10.200 key "webauth"

    Specifies the IP address and RADIUS key used to access the RADIUS server to perform user authentication.

  3. (config)# web-authentication system-auth-control

    Starts Web authentication.

[Product name label]

All Rights Reserved, Copyright(C), 2022, 2023, ALAXALA Networks, Corp.