Friday, December 8, 2017

Dynamic Vlans (802.1x) in a routed campus. Sanity check.

I've been working on moving my (inherited) L2 campus to vrf-lite over the past year while deploying 802.1x at the same time. I had an idea that sounds good to me, but I'd like a sanity check on the process.

Essentially I have several buildings that do L3 between them, with several segregated entities occupying all buildings concurrently. I've implemented wired 802.1x on all the switching, and I'd like to move to dynamic VLANing. I have users that move between entity areas or even buildings all the time, and I'd love to be able to lock them into the right vrf dynamically and not need to worry about notifying IS for network moves.

So, it seems like my Cisco switching will allow me to assign dynamic VLANs based on the VLAN name, not just the VLAN ID. As I'm not managing the AD/NPS infra, I'd like to keep that side of things simple for that group... just 1 policy per entity.

My plan is to keep the same VLAN name in different areas but keep the subnets and VLAN IDs different, and just let NPS assign users their VLAN based on name. I feel like I'm not describing this well... here's the crux:

Bldg 1

entity 1  vrf bacon    vlan 10  name bacon    192.168.1.0/24

entity 2  vrf cheddar  vlan 11  name cheddar  192.168.2.0/24

entity 3  vrf ham      vlan 12  name ham      192.168.3.0/24

Bldg 2

entity 1  vrf bacon    vlan 20  name bacon    192.168.4.0/24

entity 2  vrf cheddar  vlan 21  name cheddar  192.168.5.0/24

entity 3  vrf ham      vlan 22  name ham      192.168.6.0/24
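As an added illustration (not part of the original post or of any Cisco/NPS code), here is a small Python model of the decision the plan relies on: one NPS policy per entity returns the VLAN name in Tunnel-Private-Group-ID, and each switch resolves that name against its own VLAN table, so "bacon" lands in VLAN 10 in Bldg 1 and VLAN 20 in Bldg 2. The audit function checks the two things that would silently break this scheme: a switch that lacks one of the names, and a name that is bound to a different vrf somewhere in the campus. The switch hostnames, the attribute encoding, and the handling of an unresolvable name as a failed authorization are assumptions of this model.

```python
"""Model of 802.1X dynamic VLAN assignment by VLAN *name* across buildings.
Constructed inventory based on the plan in the post; switch names are made up."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Vlan:
    vlan_id: int
    name: str
    vrf: str
    subnet: str


# Per-switch VLAN tables (one switch per building, names assumed).
CAMPUS: Dict[str, List[Vlan]] = {
    "bldg1-sw": [Vlan(10, "bacon", "bacon", "192.168.1.0/24"),
                 Vlan(11, "cheddar", "cheddar", "192.168.2.0/24"),
                 Vlan(12, "ham", "ham", "192.168.3.0/24")],
    "bldg2-sw": [Vlan(20, "bacon", "bacon", "192.168.4.0/24"),
                 Vlan(21, "cheddar", "cheddar", "192.168.5.0/24"),
                 Vlan(22, "ham", "ham", "192.168.6.0/24")],
}


def nps_policy(entity: str) -> Dict[str, str]:
    """One NPS policy per entity: the Access-Accept names the VLAN, not an ID."""
    return {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "802",
            "Tunnel-Private-Group-ID": entity}


def resolve_vlan(switch: str, access_accept: Dict[str, str]) -> Optional[Vlan]:
    """The switch matches Tunnel-Private-Group-ID against its own table by name or ID."""
    wanted = access_accept["Tunnel-Private-Group-ID"]
    for v in CAMPUS[switch]:
        if v.name == wanted or str(v.vlan_id) == wanted:
            return v
    return None  # assumed: no local match means the port is not authorized, no fallback


def audit(campus: Dict[str, List[Vlan]]) -> List[str]:
    """Findings that would break name-based assignment or put users in the wrong vrf."""
    findings: List[str] = []
    all_names = {v.name for vlans in campus.values() for v in vlans}
    vrf_by_name: Dict[str, str] = {}
    for switch, vlans in campus.items():
        for missing in sorted(all_names - {v.name for v in vlans}):
            findings.append(f"{switch}: VLAN name '{missing}' not defined; "
                            f"that entity's users cannot be authorized here")
        for v in vlans:
            seen = vrf_by_name.setdefault(v.name, v.vrf)
            if seen != v.vrf:
                findings.append(f"{switch}: VLAN '{v.name}' is in vrf {v.vrf} "
                                f"but elsewhere in vrf {seen}")
    return findings
```

Running `audit` against the switch inventory before cutting users over catches a missing or misspelled VLAN name on one switch, which would otherwise surface only as failed authentications for people who move into that building.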
