Re: Whats going to happen ? [7:41572] posted 04/17/2002
- Subject: Re: Whats going to happen ? [7:41572]
- From: "Irwan Hadi" <irwanhadi@xxxxxxxxx>
- Date: Tue, 16 Apr 2002 20:12:54 -0400
On Tue, Apr 16, 2002 at 05:53:42PM -0600, Michael L. Williams wrote:
> > The idea of doing MAC based VLAN is surely for security. I want that
> > computers that aren;t registered yet to have an IP in the 172.16.0.0
> > subnet, while computers which already registered will have a routable IP
> > address.
> > Right now unregistered computers can still use the routable IP address
> > by hard wired the IP address manually (not through DHCP), and this
> > creates a problem.
> You make a good point. But we must (as good design engineers =) keep the
> two things (VLAN membership, and security) separate and realize they can be
> dealt with separately.
> At that point, you could do port-based VLAN membership and then apply
> MAC-based port security. This would address your problem of "unregistered"
> computers still getting on the network as any MAC address not approved to
> use a specific port would cause the port to shutdown (and even cause HP
> Openview to receive and trap via SNMP and send a page if it's setup to).
> That way you can be paged as soon as an unauthorized PC attempts to access
> your network. =)
You're right, but in my case, I want that unregistered computer can
still access the internal network, but it will only get an unroutable IP
172.16.0.0, which means that although it can access internal network, it
can't access the Internet.
The only way this thing can be implemented is just by using MAC based
VLAN, I think (CMIIW).
Is there any other way though to do this ?
Anyway, I found a good link about this MAC based VLAN
This is about what the Univ of California at Berkeley was doing for its
resident network wiring in Summer 2001.
> Mike W.
Message Posted at:
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to abuse@xxxxxxxxxxxxxx