Campus Switching and Routing

Reply
Occasional Contributor II

VLAN pools on 2930F's

Hello all,

 

I'm currently working on a deployment of 2930F access switches with ClearPass wired policy enforcement. I've followed the PDF version 2018-1 and may have bumped into a limitation of the current 16.05 firmware.

 

To ensure scalability, all client subnets are sized upto 254 clients. Because some client types are above these limits we're adding more VLAN's and subnets to hold them. Hence I'm trying to dynamically enforce VLAN distribution in either a round robin or mac hash based fashion, similar to how ArubaOS works with VLAN pools. Since VLAN pools are not supported by the switches running 16.05 I feel I have two choices:

 

1. Increase subnet mask by a bit to account for extra clients in the same VLAN

2. Introduce a new user-role with a different VLAN-ID in the switch and let ClearPass load balance based on radius input

3. Wait for VLAN pooling to be introduced in the firmware? ;-)

 

Anybody had any experience on the matter and if so, how did you solve it for your use case?

 

I'm also curious which input I could use to balance VLAN's, while keeping the ClearPass config clean and easy to read. I'd prefer to balance based on client info, so it keeps getting appointed to the same subnet when reconnecting. Client mac-address seems like a sensible attribute to base this on.

Contributor I

Re: VLAN pools on 2930F's

I recently resolved a similair problem by applying NAMED-VLAN-A for switch members 1 and 2 and NAMED-VLAN-B for switch members 3 and 4. You can configure this with a connection "starts with" filter in clearpass.

 

Same solution you can apply for individual switches or device groups. Just make some logical groups and apply a different vlan to that groups from clearpass. This way you never exceed /24 subnets.

----------------------------------------------------------------------------------------
Aruba ACCX #748, ACDX #758, ACMP, ACEAP | HPE Master ASE
Occasional Contributor II

Re: VLAN pools on 2930F's

Hello Fabian,

 

Thank you for your input, this sounds like a reasonable solution!

 

After some port counting I've concluded that a VSF stack of 4 members with each 48 access ports can hold a max of 192 clients, unless a bridge/switch is used. This is probably a reason for VLAN pools to not be introduced yet on the switching side of things.

 

I will use a seperate VLAN-ID instead per stack, attached to the same user-role that is being sent from ClearPass.

Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: