9.1.3 Configuring Dynamic VLAN
(1) Basic settings for the local authentication method
The figure below shows the basic configuration required to use local authentication. Note that the terminal obtains its IP address from the internal DHCP server prior to authentication and from an external DHCP server after authentication.
This configuration includes putting a filter in place that prohibits communication between the pre-authentication VLAN and the post-authentication VLAN.
(Figure not reproduced: basic configuration for the local authentication method)
(a) Configuring Authentication Ports
- Points to note
-
Configure the port to be used for Web authentication.
Command examples
-
(config)# interface gigabitethernet 1/0/4
(config-if)# switchport mode mac-vlan
(config-if)# switchport mac native vlan 10
(config-if)# web-authentication port
(config-if)# exit
Assigns a MAC VLAN and configures Web authentication at a port where terminals will be authenticated.
-
(config)# interface range gigabitethernet 1/0/9-10
(config-if-range)# switchport mode access
(config-if-range)# switchport access vlan 50
(config-if-range)# exit
Specifies the access port of the network accessed after authentication.
(b) IP addressing for VLAN interfaces
- Points to note
-
Assign IP addresses to the pre-authentication and post-authentication VLANs.
Command examples
-
(config)# interface vlan 10
(config-if)# ip address 192.168.10.254 255.255.255.0
(config-if)# exit
(config)# interface vlan 50
(config-if)# ip address 192.168.50.254 255.255.255.0
(config-if)# exit
Assigns IP addresses to the pre-authentication VLAN and the post-authentication VLAN.
(c) Configuring Authentication-Only IPv4 Access Lists
- Points to note
-
Configure an authentication IPv4 access list that allows traffic from unauthenticated terminals to reach destinations outside the Switch.
Command examples
-
(config)# ip access-list extended 100
(config-ext-nacl)# permit udp host 0.0.0.0 host 192.168.10.254 eq bootps
(config-ext-nacl)# permit udp host 0.0.0.0 host 255.255.255.255 eq bootps
(config-ext-nacl)# permit ip 192.168.10.0 0.0.0.255 host 192.168.10.1
(config-ext-nacl)# exit
(config)# interface gigabitethernet 1/0/4
(config-if)# authentication ip access-group 100
(config-if)# authentication arp-relay
(config-if)# exit
Configures an authentication IPv4 access list that allows unauthenticated terminals to send DHCP packets to the internal DHCP server, and to access the default gateway of VLAN 10 (IP address 192.168.10.1). These commands also configure the Switch to forward ARP packets to external destinations.
(d) Prohibiting communication between VLANs
- Points to note
-
Filter traffic between the pre-authentication and post-authentication VLANs.
Command examples
-
(config)# ip access-list extended 110
(config-ext-nacl)# permit udp host 0.0.0.0 host 192.168.10.254 eq bootps
(config-ext-nacl)# permit udp host 0.0.0.0 host 255.255.255.255 eq bootps
(config-ext-nacl)# permit ip 192.168.10.0 0.0.0.255 192.168.10.0 0.0.0.255
(config-ext-nacl)# deny ip any any
(config-ext-nacl)# exit
(config)# interface vlan 10
(config-if)# ip access-group 110 in
(config-if)# exit
-
(config)# ip access-list extended 150
(config-ext-nacl)# permit udp host 0.0.0.0 host 192.168.50.100 eq bootps
(config-ext-nacl)# permit udp host 0.0.0.0 host 255.255.255.255 eq bootps
(config-ext-nacl)# permit udp host 192.168.50.100 any eq bootpc
(config-ext-nacl)# permit ip 192.168.50.0 0.0.0.255 192.168.50.0 0.0.0.255
(config-ext-nacl)# deny ip any any
(config-ext-nacl)# exit
(config)# interface vlan 50
(config-if)# ip access-group 150 in
(config-if)# exit
Configures the Switch to block communication between the pre-authentication VLAN and the post-authentication VLAN.
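Filter 110 above (the same filters reappear in (2) and (3)) can be sanity-checked offline before it is applied to the VLAN interface. The Python evaluator below is an added example, not code from the manual or the switch vendor: it implements the first-match, implicit-deny semantics of the extended IPv4 access-list syntax used on this page (host, any, network wildcard, udp eq bootps/bootpc) and runs filter 110, copied from the commands above, against a few constructed flows; the evaluator and the sample flows are assumptions, not switch output.

```python
import ipaddress

PORTS = {"bootps": 67, "bootpc": 68}  # named UDP ports used by the ACLs on this page
# Filter 110 copied from the commands above (pre-authentication VLAN 10, inbound)
ACL_110 = """
permit udp host 0.0.0.0 host 192.168.10.254 eq bootps
permit udp host 0.0.0.0 host 255.255.255.255 eq bootps
permit ip 192.168.10.0 0.0.0.255 192.168.10.0 0.0.0.255
deny ip any any
"""

def _parse_addr(tokens, i):
    """Consume one address spec: 'any' | 'host A' | 'NETWORK WILDCARD' -> (net, wildcard)."""
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2

def parse_acl(text):
    """Parse 'permit|deny PROTO SRC DST [eq PORT]' lines into (action, proto, src, dst, dport)."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        src, i = _parse_addr(t, 2)
        dst, i = _parse_addr(t, i)
        dport = PORTS[t[i + 1]] if i < len(t) and t[i] == "eq" else None
        rules.append((t[0], t[1], src, dst, dport))
    return rules

def _addr_match(spec, addr):
    net, wildcard = (int(ipaddress.IPv4Address(x)) for x in spec)
    keep = 0xFFFFFFFF ^ wildcard  # a 1 bit in the wildcard means "don't care"
    return (int(ipaddress.IPv4Address(addr)) & keep) == (net & keep)

def evaluate(rules, proto, src, dst, dport=None):
    """First matching rule wins; every ACL ends with an implicit deny."""
    for action, rproto, rsrc, rdst, rdport in rules:
        if (rproto != "ip" and rproto != proto) or (rdport is not None and rdport != dport):
            continue
        if _addr_match(rsrc, src) and _addr_match(rdst, dst):
            return action
    return "deny"

def check_isolation():
    """Constructed flows: DHCP discover, terminal -> VLAN 10 gateway, terminal -> VLAN 50 host."""
    r = parse_acl(ACL_110)
    return {"dhcp_discover": evaluate(r, "udp", "0.0.0.0", "255.255.255.255", 67),
            "to_gateway": evaluate(r, "tcp", "192.168.10.20", "192.168.10.1", 80),
            "to_post_auth_vlan": evaluate(r, "tcp", "192.168.10.20", "192.168.50.10", 80)}
```

The last flow is the one the filter exists for: a terminal on the pre-authentication VLAN reaching a host on VLAN 50 must fall through to the final deny.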
(e) Configuration of Web authentication
- Points to note
-
Enable Web authentication by using configuration commands.
Command examples
-
(config)# web-authentication ip address 10.10.10.1
Sets the Web authentication IP address (IPv4 address).
-
(config)# web-authentication system-auth-control
Starts Web authentication.
(2) Basic settings for RADIUS authentication method
The figure below shows the basic configuration required to use RADIUS authentication. Note that the terminal obtains its IP address from the internal DHCP server prior to authentication and from an external DHCP server after authentication.
This configuration includes putting a filter in place that prohibits communication between the pre-authentication VLAN and the post-authentication VLAN.
(Figure not reproduced: basic configuration for the RADIUS authentication method)
(a) Configuring Authentication Ports
- Points to note
-
Configure the port to be used for Web authentication.
Command examples
-
(config)# interface gigabitethernet 1/0/4
(config-if)# switchport mode mac-vlan
(config-if)# switchport mac native vlan 10
(config-if)# web-authentication port
(config-if)# exit
Assigns a MAC VLAN and configures Web authentication at a port where terminals will be authenticated.
-
(config)# interface range gigabitethernet 1/0/9-10
(config-if-range)# switchport mode access
(config-if-range)# switchport access vlan 50
(config-if-range)# exit
Specifies the access port of the network accessed after authentication.
(b) IP addressing for VLAN interfaces
- Points to note
-
Assign IP addresses to the pre-authentication and post-authentication VLANs.
Command examples
-
(config)# interface vlan 10
(config-if)# ip address 192.168.10.254 255.255.255.0
(config-if)# exit
(config)# interface vlan 50
(config-if)# ip address 192.168.50.254 255.255.255.0
(config-if)# exit
Assigns IP addresses to the pre-authentication VLAN and the post-authentication VLAN.
(c) Configuring Authentication-Only IPv4 Access Lists
- Points to note
-
Configure an authentication IPv4 access list that allows traffic from unauthenticated terminals to reach destinations outside the Switch.
Command examples
-
(config)# ip access-list extended 100
(config-ext-nacl)# permit udp host 0.0.0.0 host 192.168.10.254 eq bootps
(config-ext-nacl)# permit udp host 0.0.0.0 host 255.255.255.255 eq bootps
(config-ext-nacl)# permit ip 192.168.10.0 0.0.0.255 host 192.168.10.1
(config-ext-nacl)# exit
(config)# interface gigabitethernet 1/0/4
(config-if)# authentication ip access-group 100
(config-if)# authentication arp-relay
(config-if)# exit
Configures an authentication IPv4 access list that allows unauthenticated terminals to send DHCP packets to the internal DHCP server and to access the default gateway of VLAN 10 (IP address 192.168.10.1). These commands also configure the Switch to forward ARP packets to external destinations.
(d) Prohibiting communication between VLANs
- Points to note
-
Filter traffic between the pre-authentication and post-authentication VLANs.
Command examples
-
(config)# ip access-list extended 110
(config-ext-nacl)# permit udp host 0.0.0.0 host 192.168.10.254 eq bootps
(config-ext-nacl)# permit udp host 0.0.0.0 host 255.255.255.255 eq bootps
(config-ext-nacl)# permit ip 192.168.10.0 0.0.0.255 192.168.10.0 0.0.0.255
(config-ext-nacl)# deny ip any any
(config-ext-nacl)# exit
(config)# interface vlan 10
(config-if)# ip access-group 110 in
(config-if)# exit
-
(config)# ip access-list extended 150
(config-ext-nacl)# permit udp host 0.0.0.0 host 192.168.50.100 eq bootps
(config-ext-nacl)# permit udp host 0.0.0.0 host 255.255.255.255 eq bootps
(config-ext-nacl)# permit udp host 192.168.50.100 any eq bootpc
(config-ext-nacl)# permit ip 192.168.50.0 0.0.0.255 192.168.50.0 0.0.0.255
(config-ext-nacl)# deny ip any any
(config-ext-nacl)# exit
(config)# interface vlan 50
(config-if)# ip access-group 150 in
(config-if)# exit
Configures the Switch to block communication between the pre-authentication VLAN and the post-authentication VLAN.
(e) Configuration of Web authentication
- Points to note
-
Enable Web authentication by using configuration commands.
Command examples
-
(config)# web-authentication ip address 10.10.10.1
Sets the Web authentication IP address (IPv4 address).
-
(config)# aaa authentication web-authentication default group radius
(config)# web-authentication radius-server host 192.168.10.200 key "webauth"
Selects RADIUS as the default authentication method for Web authentication, and specifies the IP address and shared key used to access the RADIUS server that performs user authentication.
-
(config)# web-authentication system-auth-control
Starts Web authentication.
(3) RADIUS authentication method with an external DHCP server used prior to authentication
The figure below shows the basic configuration required to use RADIUS authentication in an environment where terminals obtain IP addresses from external DHCP servers both before and after authentication.
This configuration includes putting a filter in place that prohibits communication between the pre-authentication VLAN and the post-authentication VLAN.
(Figure not reproduced: basic configuration for RADIUS authentication with external DHCP servers before and after authentication)
(a) Configuring Authentication Ports
- Points to note
-
Configure the port to be used for Web authentication.
Command examples
-
(config)# interface gigabitethernet 1/0/4
(config-if)# switchport mode mac-vlan
(config-if)# switchport mac native vlan 10
(config-if)# web-authentication port
(config-if)# exit
Assigns a MAC VLAN and configures Web authentication at a port where terminals will be authenticated.
-
(config)# interface range gigabitethernet 1/0/9-10
(config-if-range)# switchport mode access
(config-if-range)# switchport access vlan 50
(config-if-range)# exit
Specifies the access port of the network accessed after authentication.
(b) IP addressing for VLAN interfaces
- Points to note
-
Assign IP addresses to the pre-authentication and post-authentication VLANs.
Command examples
-
(config)# interface vlan 10
(config-if)# ip address 192.168.10.254 255.255.255.0
(config-if)# exit
(config)# interface vlan 50
(config-if)# ip address 192.168.50.254 255.255.255.0
(config-if)# exit
Assigns IP addresses to the pre-authentication VLAN and the post-authentication VLAN.
(c) Configuring Authentication-Only IPv4 Access Lists
- Points to note
-
Configure an authentication IPv4 access list that allows traffic from unauthenticated terminals to reach destinations outside the Switch.
Command examples
-
(config)# ip access-list extended 100
(config-ext-nacl)# permit udp host 0.0.0.0 host 192.168.10.100 eq bootps
(config-ext-nacl)# permit udp host 0.0.0.0 host 255.255.255.255 eq bootps
(config-ext-nacl)# permit ip 192.168.10.0 0.0.0.255 host 192.168.10.1
(config-ext-nacl)# exit
(config)# interface gigabitethernet 1/0/4
(config-if)# authentication ip access-group 100
(config-if)# authentication arp-relay
(config-if)# exit
Configures an authentication IPv4 access list that allows unauthenticated terminals to send DHCP packets to an external DHCP server and to access the default gateway of VLAN 10 (IP address 192.168.10.1). These commands also configure the Switch to forward ARP packets to external destinations.
(d) Prohibiting communication between VLANs
- Points to note
-
Filter traffic between the pre-authentication and post-authentication VLANs.
Command examples
-
(config)# ip access-list extended 110
(config-ext-nacl)# permit udp host 0.0.0.0 host 192.168.10.254 eq bootps
(config-ext-nacl)# permit udp host 0.0.0.0 host 255.255.255.255 eq bootps
(config-ext-nacl)# permit udp host 192.168.10.100 any eq bootpc
(config-ext-nacl)# permit ip 192.168.10.0 0.0.0.255 192.168.10.0 0.0.0.255
(config-ext-nacl)# deny ip any any
(config-ext-nacl)# exit
(config)# interface vlan 10
(config-if)# ip access-group 110 in
(config-if)# exit
-
(config)# ip access-list extended 150
(config-ext-nacl)# permit udp host 0.0.0.0 host 192.168.50.100 eq bootps
(config-ext-nacl)# permit udp host 0.0.0.0 host 255.255.255.255 eq bootps
(config-ext-nacl)# permit udp host 192.168.50.100 any eq bootpc
(config-ext-nacl)# permit ip 192.168.50.0 0.0.0.255 192.168.50.0 0.0.0.255
(config-ext-nacl)# deny ip any any
(config-ext-nacl)# exit
(config)# interface vlan 50
(config-if)# ip access-group 150 in
(config-if)# exit
Configures the Switch to block communication between the pre-authentication VLAN and the post-authentication VLAN.
(e) Configuration of Web authentication
- Points to note
-
Enable Web authentication by using configuration commands.
Command examples
-
(config)# web-authentication ip address 10.10.10.1
Sets the Web authentication IP address (IPv4 address).
-
(config)# aaa authentication web-authentication default group radius
(config)# web-authentication radius-server host 192.168.10.200 key "webauth"
Selects RADIUS as the default authentication method for Web authentication, and specifies the IP address and shared key used to access the RADIUS server that performs user authentication.
-
(config)# web-authentication system-auth-control
Starts Web authentication.