sungate.co.uk

Ramblings about stuff

Brain ache

As I wrote previously, I have been investigating the capabilities of our newly acquired Cisco switches.

Quite frankly, it’s Doing My Head In. And here’s why …

There are a number of things that we want the switch to support when we use it, namely:

  1. Ensure that no connectivity is provided to unknown devices which connect to the network (“No strangers”);
  2. Have support for two or more logical subgroups of ‘permitted’ devices, allowing them to be treated differently (e.g. have a “permanent” set of machines, a set of “permitted visitors” etc.);

As I described before, it looks like VMPS is a good way to achieve both of the above aims – it assigns known machines to the appropriate subgroup (subgroup == VLAN), and unknown machines to a separate subgroup which provides no access. So, VMPS looks great. The only problem is that it turns out our switch doesn’t support it properly. Our Cisco 4006 chassis has a Supervisor Engine II installed in it. This supports VMPS within a network of other switches, where one of the others is the VMPS master server. Our switch cannot be the master itself. This means that, with our existing kit, we cannot use VMPS. Which is a bit of a bugger.
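To make the VMPS behaviour described above concrete, here is an added example (not from the original post or from Cisco) that parses a small, constructed VMPS database in the CatOS text file format and resolves a host MAC to a VLAN: known addresses go to their named VLAN, explicitly denied ones (`--NONE--`) are rejected, and strangers land in the fallback VLAN. The domain, VLAN names and MAC addresses are made up; the deny/shutdown behaviour for open versus secure mode is a simplified model.

```python
"""Simplified model of VMPS MAC-to-VLAN assignment (constructed sample)."""
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed sample in the VMPS database file format; all names are made up.
SAMPLE_DB = """\
!VMPS File Format, version 1.1
vmps domain office
vmps mode open
vmps fallback quarantine
vmps no-domain-req deny
!
vmps-mac-addrs
address 0012.2233.4455 vlan-name staff
address 0012.2233.4466 vlan-name visitors
address 0012.2233.4477 vlan-name --NONE--
"""


@dataclass
class VmpsDb:
    domain: str = ""
    mode: str = "open"
    fallback: Optional[str] = None          # VLAN for unknown MACs, if any
    macs: Dict[str, str] = field(default_factory=dict)


def parse_vmps(text: str) -> VmpsDb:
    """Parse the global settings and the MAC address table; '!' lines are comments."""
    db = VmpsDb()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        parts = line.split()
        if parts[:2] == ["vmps", "domain"]:
            db.domain = parts[2]
        elif parts[:2] == ["vmps", "mode"]:
            db.mode = parts[2]
        elif parts[:2] == ["vmps", "fallback"]:
            db.fallback = parts[2]
        elif len(parts) == 4 and parts[0] == "address" and parts[2] == "vlan-name":
            db.macs[parts[1].lower()] = parts[3]
    return db


def assign_vlan(db: VmpsDb, mac: str) -> str:
    """Return the VLAN name, or DENY/SHUTDOWN when the host is rejected."""
    vlan = db.macs.get(mac.lower())
    if vlan == "--NONE--":                   # explicitly denied host
        return "SHUTDOWN" if db.mode == "secure" else "DENY"
    if vlan is not None:                     # known host -> its subgroup VLAN
        return vlan
    return db.fallback if db.fallback else "DENY"   # stranger -> fallback VLAN
```

In this model the "No strangers" requirement is met by pointing `vmps fallback` at a VLAN that is routed nowhere, and the permitted subgroups are simply the other VLAN names in the address table.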

A further problem is that I discovered that our switch actually doesn’t do Layer 3 routing. This means that in order for the separate subgroups to all speak to the outside world (desirable) we will need a separate router, which is an added complication. This is also a bit of a bugger.

The only saving grace in all this is that I have discovered how to tie known machines to specific ports on the switch (“port locking” i.e. specific network points in the offices). This would meet our “No strangers” condition, but wouldn’t give us much more flexibility.

So, how to fix this? Well, there are a couple of options as I see it:

  1. If we use the port-locking facility and then break up the ‘visitors’ into a separate physical LAN, we could do all the above. It would mean having an extra interface on the firewall and it would mean that the visitors would have to use nominated network points (and those same network points would be unavailable to normal staff). This is a secure, but inflexible solution;
  2. We use port-locking and manually assign ports to each VLAN, and buy a router. Not much more flexible than option 1, but would let us change which ports belong to which VLAN more easily (but still manually);
  3. Find a way to upgrade our Supervisor Engine II so that it can act as a VMPS server and a Layer 3 router – don’t know whether this is possible or not, and might be expensive if it is;
  4. We buy an additional switch which can act as both VMPS server and Layer 3 router. Given that we want to have some gigabit connectivity in the comms room, this might be a good solution (our original plan for the gigabit connectivity was to buy a gigabit blade for the Cisco 4006 switches). Something in the Cisco 6000-series might be suitable. Problem is, I think this may be expensive. However, as I currently understand things, this might be the best solution.

I feel slightly out of my depth on all this, because everything I know relating to these switches has basically been learnt in the last couple of weeks. The main area of confusion is that there are way too many models of switch with differing capabilities – documentation (at Cisco and elsewhere) and examples all relate to different bits of kit.

Comments and suggestions most welcome!

7 Responses to Brain ache

  1. Ah, you’ve discovered the fun that is Cisco. There’s a reason why all the Cisco guys NEED those exams. Their products are complex and need to be bought with care!

    I’d ask on Nanog if I were you, assuming you don’t have a tame reseller. Either that or the people who provide support for the puppy – you have got a proper support contract for this, haven’t you? This is proper kit that needs proper support.
  2. We acquired this kit ‘for free’ from a head office giveaway, so there is no support contract. It’s not a case of ‘buying the wrong thing’, more a case of ‘figuring out what our freebie can actually do’.
  3. Sorry, not suggesting it was, just saying it’s worth getting some expert help.

    If it’s a giveaway then whoever looked after it before might be worth contacting (unless of course that means talking to HO IT 😉)
  4. It was someone at HQ IT, yes 🙂

    In fact, despite the fact that these Cisco switches have all sorts of management facilities, they have only ever used them in ‘unmanaged’ mode.
  5. You can run VMPS on CatOS 7.2 and higher (see http://www.cisco.com/en/US/customer/products/hw/switches/ps663/products_configuration_guide_chapter09186a00800d83fa.html )
    Also see CatOS release notes such as http://www.cisco.com/en/US/products/hw/switches/ps663/prod_release_note09186a008007f07f.html
    You can buy a layer 3 blade for a 4006 which runs IOS for around $3,500 (see: http://dexonc.fatcow.com/cgi-bin/shop.pl/SID=1109123781.21385/page=product.html/product=173 )
    Look for part: WS-X4232-L3

    Cheers, as you say.
  6. Yes, thanks for that. As I mentioned in the next article, I did finally figure it all out.

    Out of interest, how did you come to find my weblog?
  7. From your comment in Schneier’s blog posting about Hunter Thompson.