11-25-2013 05:23 AM
MSM720, MSM430: dynamic VLAN for wireless users. Sniffing, VLAN hopping, traffic capture
Hi,
could you please help me find an appropriate way to achieve the following:
Secure corporate traffic when dynamic VLANs are implemented.
I have the following configuration on one of the ports:
description "Wireless AP-01"
spanning-tree portfast
switchport trunk allowed vlan add 150,140
switchport trunk native vlan 20
The problem:
On VLAN140 (Guest VLAN, tried) and on employee non-business devices (VLAN150), I can see (using Wireshark) VLAN20 traffic: IP addresses, ARP, DNS queries, etc. The firewall doesn't allow communication, but that's an L3 limitation. How can I block it at L2? (They are mainly broadcasts, but STP and CDP information is transmitted as well!!!)
Currently the MSM720 acts as DHCP relay and I get proper addresses (according to the VLAN properties RADIUS passes to it). I have tried using the MSM720 as DHCP server for the Guest VLAN; I got less VLAN20 traffic, but was still able to see some, like IP addressing, MACs, etc.
APs are discovered using the internet ports of the MSM720, which has the appropriate settings, btw.
In general everything works; I just want to limit the traffic that non-business and guest devices can see.
The best approach I can see so far is to put the APs in a VLAN that is not used for any data (well, that's what Cisco recommends, right?), and assign VLAN membership via RADIUS. Employee business devices: tag 20, employee non-business: tag 150, etc.
The problem/confusion I'm experiencing is: if I put the APs in a VLAN that is not used/not allowed to traverse, how will the MSM720 manage them? How to assign IP addresses?
One "crazy" idea is to use dot1x port authentication for the AP itself (management traffic); the question is whether it has an EAP supplicant feature for this.
Or maybe I'm trying to reinvent the wheel here and people already have a solution for this. I'm quite sure I'm not the first who needs to separate guest and business traffic.
P.S.
The topology is a simplified version of the network, but it should give you an overall insight into the corporate network. Dynamic VLANs allow using the same SSID for employee business and employee non-business users. The guest network has a different SSID.
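A defender-side check for the leakage described in this post, added here as an example (it is not code from the thread or from HPE): it parses frames from a client-side capture and flags anything a guest or non-business client should never see, namely STP BPDUs, CDP, 802.1Q-tagged frames, and ARP/IP traffic sourced from a foreign subnet. The sample frames, MAC addresses and the guest subnet 10.140.0.0/24 are constructed assumptions.

```python
import ipaddress
import struct
from collections import Counter

def classify(frame, own_subnet):
    """Label one Ethernet frame from the viewpoint of a client that should only
    see its own subnet's L2 traffic: no BPDUs, no CDP, no tags, no foreign ARP/IP."""
    ethertype, off, vid = struct.unpack("!H", frame[12:14])[0], 14, None
    if ethertype == 0x8100:                       # 802.1Q tag: a wireless client should never see one
        vid = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
        ethertype, off = struct.unpack("!H", frame[16:18])[0], 18
    if ethertype <= 0x05DC:                       # 802.3 length field, so an LLC frame (STP, CDP)
        if frame[off] == 0x42:                    # DSAP 0x42 = bridge SAP used by STP BPDUs
            return "stp-bpdu"
        if frame[off] == 0xAA and frame[off + 3:off + 8] == b"\x00\x00\x0c\x20\x00":
            return "cdp"                          # SNAP with Cisco OUI 00:00:0c, protocol 0x2000
        return "llc-other"
    if ethertype == 0x0806:                       # ARP: sender IP is 14 bytes into the ARP body
        src_ip = ipaddress.IPv4Address(frame[off + 14:off + 18])
    elif ethertype == 0x0800:                     # IPv4: source address at header offset 12
        src_ip = ipaddress.IPv4Address(frame[off + 12:off + 16])
    else:
        return "other"
    prefix = f"vlan{vid}-tagged-" if vid is not None else ""
    return prefix + ("own-subnet" if src_ip in own_subnet else "foreign-subnet")

def audit(frames, own_subnet):
    """Count labels; anything other than own-subnet/other means L2 isolation leaks."""
    net = ipaddress.ip_network(own_subnet)
    return Counter(classify(f, net) for f in frames)
# Constructed sample capture (hypothetical MACs and IPs; 10.140.0.0/24 stands in for the guest VLAN).
def _eth(dst, src, ethertype, payload):
    return bytes.fromhex(dst) + bytes.fromhex(src) + struct.pack("!H", ethertype) + payload

def _arp(sender_mac, sender_ip, target_ip):       # ARP request body
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + bytes.fromhex(sender_mac)
            + ipaddress.IPv4Address(sender_ip).packed + bytes(6) + ipaddress.IPv4Address(target_ip).packed)

def _ipv4(src_ip, dst_ip, payload):               # minimal IPv4/UDP header, checksum left at zero
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 17, 0,
                       ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed) + payload

SAMPLE_FRAMES = [
    _eth("ffffffffffff", "0011220a1405", 0x0806, _arp("0011220a1405", "10.20.0.5", "10.20.0.1")),    # VLAN20 ARP
    _eth("0011220a1401", "0011220a1409", 0x0800, _ipv4("10.20.0.9", "10.20.0.1", bytes(8))),           # VLAN20 IP
    _eth("0180c2000000", "001122aabb01", 38, bytes.fromhex("424203") + bytes(35)),                    # STP BPDU
    _eth("01000ccccccc", "001122aabb01", 40, bytes.fromhex("aaaa0300000c2000") + bytes(32)),           # CDP
    _eth("ffffffffffff", "0011228c0007", 0x0806, _arp("0011228c0007", "10.140.0.7", "10.140.0.1")),  # own subnet
]
```

Running `audit(SAMPLE_FRAMES, "10.140.0.0/24")` on the constructed capture reports two foreign-subnet frames, one BPDU and one CDP frame, which is exactly the kind of evidence to attach when asking the switch team to move the native VLAN off the data VLAN and filter BPDU/CDP toward the AP port.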