On occasion a non-employee will need to connect their laptop to our ethernet network, which begs the question, “How do we allow customers to access our network while protecting our workstations?”
We are a Software Services company, and at any given moment 40% of the 200-odd people in our San Francisco office are not employees. Of those 80 people, 98% of them can access the guest WiFi network without a problem. There are, however, the remaining 2% who, for whatever reason (their WiFi chipset doesn’t interoperate well with our WiFi Access Points, their wireless is broken, they’ve accidentally deleted their drivers, etc…) cannot connect to the WiFi. They need to access the Internet, and they can only use ethernet.
We want to give our guests ethernet connectivity when needed, but not in such a way that it jeopardizes the security of our workstations.
This article is directed to IT organizations
These are the steps to go through.
First, we assume you have already set up your VLANs and have entered them into your ethernet switch(es). These are our VLANs (note: the IP addresses and subnet masks are simplified for purposes of our discussion):
VLAN  Name           IP
1     default        10.0.1.0/24
2     SERVER         10.0.2.0/24
3     PAIRING_DMZ    10.0.3.0/24
4     VOIP           10.0.4.0/24
5     PIVOTAL_WIFI   10.0.5.0/24
6     PIVOTAL_GUEST  10.0.6.0/24
7     SECURITY       10.0.7.0/24
8     COMMON         10.0.8.0/24
Note VLAN 6 (PIVOTAL_GUEST); this is the VLAN we’ll use to quarantine our guests.
Secondly, you'll need to configure your switches. In our case, we have Cisco 2960G 48-port switches, which require enabling both VTP and VMPS.
We’ll need to configure one switch as the VTP server, and the remaining switches as the VTP clients. We used the following commands to configure the server:
sw-00#config term
Enter configuration commands, one per line.  End with CNTL/Z.
sw-00(config)#vtp mode server
sw-00(config)#vtp version 2
sw-00(config)#vtp domain sf.pivotallabs.com
sw-00(config)#vmps server 10.0.1.16 primary
sw-00(config)#end
You’ll need to configure the remaining switches as follows:
sw-01#config term
Enter configuration commands, one per line.  End with CNTL/Z.
sw-01(config)#vtp mode client
sw-01(config)#vmps retry 5
sw-01(config)#vmps server 10.0.1.16 primary
sw-01(config)#end
Then you’ll need to set up your VMPS server on your *NIX box:
The commands to install:
curl -L http://sourceforge.net/projects/vmps/files/latest/download | tar xzvf -
cd vmpsd-1.4.04
bash configure
make
sudo make install
We replaced the VMPS server configuration file (/usr/local/etc/vlan.db) with the following, truncated to 8 of the full 381 address records and edited for readability:
vmps domain sf.pivotallabs.com
vmps mode open
vmps fallback PIVOTAL_GUEST
vmps no-domain-req deny
vmps-mac-addrs
!
! address <addr> vlan-name <vlan_name> ! comment
address 0022.4d6b.dead vlan-name SECURITY ! nvr
address 3c07.545c.beef vlan-name CUST_2 ! bartol
address 001f.f352.dead vlan-name default ! adair
address c82a.1414.beef vlan-name PAIRING_DMZ ! aerial
address f0de.f134.dead vlan-name FINANCE ! bill-thinkpad
address 001b.781d.beef vlan-name COMMON ! goldfinger
address 0004.f234.dead vlan-name VOIP ! voip-ash
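To make the semantics of this file concrete, here is an added example (not the author's or vmpsd's code): a small Python model of how a VMPS resolves a port's MAC address to a VLAN using the same directives. It goes a little beyond the open-mode setup above by also accepting other MAC notations and modelling the `secure` mode (unknown MAC shuts the port rather than falling back), which is the standard Cisco VMPS behaviour and an assumption here, as is the constructed vlan.db excerpt.

```python
import re
# Constructed excerpt in the vlan.db format shown on the page (MACs are made up).
SAMPLE_DB = """\
vmps domain sf.pivotallabs.com
vmps mode open
vmps fallback PIVOTAL_GUEST
vmps no-domain-req deny
vmps-mac-addrs
!
! address <addr> vlan-name <vlan_name> ! comment
address 0022.4d6b.dead vlan-name SECURITY ! nvr
address 001b.781d.beef vlan-name COMMON ! goldfinger
"""

def norm_mac(mac):
    """Canonicalise any common MAC notation to Cisco dotted form."""
    hexd = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexd) != 12:
        raise ValueError("bad MAC: %r" % mac)
    return ".".join(hexd[i:i + 4] for i in range(0, 12, 4))

def parse_vlan_db(text):
    cfg = {"domain": None, "mode": "open", "fallback": None,
           "no_domain_req": "allow", "addrs": {}}
    for raw in text.splitlines():
        tok = raw.split("!", 1)[0].split()          # drop '!' comments
        if len(tok) >= 3 and tok[0] == "vmps":
            key = tok[1].replace("-", "_")
            if key in ("domain", "mode", "fallback", "no_domain_req"):
                cfg[key] = tok[2]
        elif len(tok) >= 4 and tok[0] == "address" and tok[2] == "vlan-name":
            cfg["addrs"][norm_mac(tok[1])] = tok[3]
    return cfg

def assign_vlan(cfg, mac, req_domain=None):
    """VMPS decision for a port whose host has MAC `mac`. The MAC is chosen by
    the client, so the list is inventory, not authentication: the isolation
    has to come from what the fallback VLAN itself is allowed to reach."""
    if req_domain is None and cfg["no_domain_req"] == "deny":
        return ("DENY", "no-domain-req")
    if req_domain is not None and req_domain != cfg["domain"]:
        return ("DENY", "wrong-domain")
    vlan = cfg["addrs"].get(norm_mac(mac))
    if vlan is not None:
        return ("ALLOW", vlan)                       # known host: its VLAN
    if cfg["mode"] == "secure":
        return ("SHUTDOWN", "unknown-mac")           # secure mode: no fallback
    if cfg["fallback"]:
        return ("ALLOW", cfg["fallback"])            # open mode: quarantine VLAN
    return ("DENY", "unknown-mac")
```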
The important things to note about this file are the following:
We additionally did the following:
I would like to thank Michael Sierchio for doing the lion’s share of the work, and Colin Deeb for fixing problems during the roll-out.