Tuesday, June 22, 2021

Design advice for 802.1X authentication on wired ports

Goal: Looking to set up 802.1X authentication on the wired network. Granting machines and users full access is simple enough to configure, but we need to decide how we will be limiting access for non-authenticated machines and users.

Topology: Two PAN 5050s in HA, two Nexus 7706 core routers with 3 VDCs (datacenter, admin, residential), and 20 administrative buildings that we are looking to deploy to. The administrative buildings are set up in a three-tier hierarchy of core, distribution, and access, with distribution being within the buildings themselves.

Scenario: When a user fails authentication, we will segregate their network traffic via...

Options:

1) Trunked VLANs all the way back to our firewall, which has zoning capability. We already have a guest zone in place for our wireless users, so any new subnets trunked to the firewall for "guest" (or in this case, unauthenticated) users will just be placed into that zone. It goes against every principle we've learned in networking to plumb layer 2 from the edge through the core and up to our firewall, but visibility into the network has tremendous value.

2) Set up VLANs in each building with access control lists at the SVI level. All visibility is lost, but the L2 domains are restricted to each building.

Thank you for taking the time to read this; much appreciated.
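As an added illustration of the two options (this is example configuration written for this page, not the poster's or any vendor's reference config): the access-port side of the design is the same whichever option is chosen, so it is shown once, followed by the building-local SVI plus ACL that option 2 calls for. The post does not say what the access and distribution switches are, so Cisco IOS (Catalyst) syntax is assumed; VLAN 100 (authenticated users), VLAN 900 (auth-fail / no-supplicant hosts), the 10.107.0.0/24 and 10.20.0.0/24 addresses, the RADIUS server name and key, and the ACL name are all placeholders invented for the example.

```cisco
! ---- Access switch (assumed Cisco IOS / Catalyst syntax) ----
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
dot1x system-auth-control
!
! Hypothetical RADIUS server; address and key are placeholders.
radius server NAC-1
 address ipv4 10.20.0.10 auth-port 1812 acct-port 1813
 key REPLACE-ME
!
! Hypothetical VLAN numbers: 100 = authenticated users in this building,
! 900 = auth-fail / no-supplicant hosts (the "unauthenticated" VLAN).
vlan 100
 name BLDG7-USERS
vlan 900
 name BLDG7-UNAUTH
!
interface GigabitEthernet1/0/1
 description user port
 switchport mode access
 switchport access vlan 100
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 ! Failed credentials and "no supplicant" both land in VLAN 900.
 authentication event fail action authorize vlan 900
 authentication event no-response action authorize vlan 900
 ! RADIUS unreachable is a different failure from a bad login: keep
 ! existing users working rather than dumping them into VLAN 900.
 authentication event server dead action authorize vlan 100
 authentication event server alive action reinitialize
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 5
 spanning-tree portfast
!
! ---- Building distribution switch, option 2: local SVI + ACL ----
! VLAN 900 is routed here, so it never leaves the building at layer 2.
! Addresses are placeholders: 10.0.0.0/8 stands in for all internal space,
! 10.20.0.20 for the DHCP/DNS server, 10.20.0.30 for a remediation portal.
ip access-list extended UNAUTH-VLAN900-IN
 remark unauthenticated hosts: DHCP, DNS, remediation portal, internet only
 permit udp any eq bootpc any eq bootps
 permit udp any host 10.20.0.20 eq domain
 permit tcp any host 10.20.0.30 eq 443
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 permit ip any any
!
interface Vlan900
 description BLDG7-UNAUTH gateway
 ip address 10.107.0.1 255.255.255.0
 ip helper-address 10.20.0.20
 ip access-group UNAUTH-VLAN900-IN in
 no ip redirects
 no ip proxy-arp
```

Two practical points follow from the example. First, an inbound SVI ACL only sees traffic that is routed off VLAN 900; hosts that land in that VLAN can still reach each other at layer 2, so if that matters, put `switchport protected` on the access ports (or make VLAN 900 an isolated private VLAN). Second, option 1 is the same access configuration with the `interface Vlan900` block omitted: VLAN 900 is instead allowed on the trunks up through distribution and core and terminated on a tagged firewall subinterface in the existing guest zone, which is where the firewall-side visibility comes from and also why the layer-2 domain then spans every building that carries that tag. With option 2 each building can reuse the same VLAN ID with its own /24, since the VLAN is local to that building's distribution pair.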


