
ProCurve IDM VLAN's - How do they work in the real world?

UselessUser1
Contributor

Hi,

I have just been looking with interest at the ProCurve IDM suite... we already have PCM+ 3.2 and our network is fully HP ProCurve...

My query is about the mobility of users and how this works in the real world... i.e. all the HP manuals I can find show a really basic example of two switches connected to a single routing device, with VLANs pre-defined on both switches, and basically the switch reconfigures a port correctly based on the type of user logging on and applies ACLs etc...

But what about the real world and my scenario, where there are multiple layer 3 devices in multiple buildings... and therefore lots of separate VLANs...

So to put a concrete example down, say I have building A which contains the HR department; they are all on a single switch which has their ports in VLAN 150, IP range 172.16.2.0/24...

Now what happens if one user takes their laptop to an entirely different building where nothing has been defined? I think I am missing something pretty obvious in regards to how this functions, because I am sure IDM would not require you to create VLANs in every single possible location a user could move to, otherwise you would have loads of replicated VLANs!

Sietze Reitsma
Respected Contributor

Re: ProCurve IDM VLAN's - How do they work in the real world?

IDM supports location-based VLANs. So per building you (or PCM/IDM) create VLANs for specific groups.

Example:

3 buildings and 3 user groups (HR, Marketing/Sales and IT Admin)

HR VLAN 101 in bldg A, 102 in bldg B and 102 in bldg C

M/S VLAN 201 in bldg A, 202 in bldg B and 202 in bldg C

IT Admin VLAN 1001 in bldg A, 1002 in bldg B and 1002 in bldg C

IDM can easily make a policy per user group to make these rules work dynamically.

Maybe a better approach is to use dynamic ACLs.

In that case you create only geographical VLANs:

So VLAN 10 in building A, VLAN 20 in building B and VLAN 30 in building C.

Every user gets from the RADIUS server a building VLAN + dynamic ACL. This dynamic ACL grants the user access to specific resources like internet, HR application group etc.

Dynamic ACLs are easier to manage, because they are deployed per user.
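The two approaches from the reply above, written out as an added example in FreeRADIUS huntgroups/users syntax rather than IDM's own policy editor (this is not the poster's configuration). The switch addresses, the LDAP group names, the HR server address and the ProCurve HP-Nas-Filter-Rule rule wording are assumptions; the VLAN IDs are the ones the reply uses.

```text
# --- huntgroups: which switches (NAS-IP-Address) sit in which building ---
# Assumed management addresses; the RADIUS server learns the user's
# location from the switch that sent the Access-Request.
bldgA   NAS-IP-Address == 10.0.1.11
bldgA   NAS-IP-Address == 10.0.1.12
bldgB   NAS-IP-Address == 10.0.2.11

# --- users, approach 1: location-based group VLANs (buildings x groups) ---
# One entry per (building, group); HR gets 101 in bldg A and 102 in bldg B.
DEFAULT Huntgroup-Name == "bldgA", Ldap-Group == "HR"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "101"

DEFAULT Huntgroup-Name == "bldgB", Ldap-Group == "HR"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "102"

# --- users, approach 2: geographical VLAN + dynamic ACL (buildings + groups) ---
# The building entry sets the VLAN and falls through so that the group
# entry below can add the per-user filter rules to the same Access-Accept.
DEFAULT Huntgroup-Name == "bldgA"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "10",
        Fall-Through = Yes

DEFAULT Huntgroup-Name == "bldgB"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "20",
        Fall-Through = Yes

# Group rules do not mention any building, so an HR laptop gets the same
# access whichever switch it plugs into. HP-Nas-Filter-Rule is the ProCurve
# VSA for RADIUS-assigned ACLs; the switch applies an implicit deny after the
# last rule, hence the closing permit. Rule wording is assumed from the
# ProCurve access-security documentation.
DEFAULT Ldap-Group == "HR"
        HP-Nas-Filter-Rule += "permit in tcp from any to host 172.16.50.10 443",
        HP-Nas-Filter-Rule += "deny in ip from any to 172.16.0.0/16",
        HP-Nas-Filter-Rule += "permit in ip from any to any"
```

Adding a fourth building to approach 2 means one huntgroups line and one VLAN entry, with no change to any group's rules; in approach 1 it means a new VLAN entry for every group.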