Controllerless Networks


S2500-48P MAC-based VLAN

  • 1.  S2500-48P MAC-based VLAN

    Posted Nov 08, 2020 09:12 PM
    Hi all -

    I purchased an S2500-48P and am having a bit of trouble with my planned configuration:

    - pfSense router
    - S2500 as my main switch
    - An unmanaged switch with a few devices attached, one of which I'd like to assign VLAN 20

    I attached a very basic diagram of what I had in mind.  For example, Device A in the diagram would just be assigned a default/no VLAN, but Device B would be assigned to VLAN 20.

    I've tried going through the GUI and CLI to configure a user account with the MAC address as the username and password, as well as creating an AAA profile that uses MAC authentication and assigns them to VLAN 20.  I have 0/0/1 configured as a trunk with VLANs 1 and 20.  And that's basically where I get stuck.  I don't see the MAC showing up in the MAC addresses table at all in the GUI.

    If there's more information I could provide, I'd be glad to.  Thank you!

    ------------------------------
    Chris Driscoll
    ------------------------------


  • 2.  RE: S2500-48P MAC-based VLAN

    EMPLOYEE
    Posted Nov 09, 2020 04:04 AM
    As the switch on 0/0/1 is an unmanaged switch, you should not add vlan 20 as tagged there.

    Let me first advise against putting an unmanaged switch to the S2500 as you will lose a lot of visibility, performance and control to what is behind the unmanaged switch. It is better to connect each device directly to a managed switch, but I assume you are aware of that.

    What the approach would be is that you don't configure any tagged vlans on the port, but you make the port untrusted and configure MAC authentication, in your case against the internal user database. In the internal database you configure the devices' MAC addresses and assign a role to them. Those roles can have a vlan tied to them as well, which will then be assigned for that MAC. You can in this way have multiple VLANs on the same port, but there is a risk that because both vlans will be active on an unmanaged switch that devices can get access to the other vlan if they want to.

    When a new MAC address connects, first the initial role will be applied. That role is recommended to provide no access at all, and add all devices you want to allow access to the user database. But if you want to assign any device to VLAN 1, just not the devices you manually add for VLAN 20, you can allow the initial role to VLAN 1 and configure l2-fallback authentication to leave devices that fail authentication in the initial role. Devices that do authenticate based on the MAC will get in the role's vlan, so vlan 20 for your specific device.

    If you made the port 0/0/1 untrusted, you can also see with 'show user' which devices are on the port and which mac addresses they have.

    ------------------------------
    Herman Robers
    ------------------------------
    If you have urgent issues, always contact your Aruba partner, distributor or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC.
    ------------------------------
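The decision flow the reply describes (initial role first, MAC looked up in the internal user database, the role's VLAN on success, and l2-fallback deciding what happens on failure) as an added Python model; this is illustration code, not Aruba's implementation or anything from the thread. The user database, role names and MAC addresses are constructed sample values, and the MAC normalisation step is an assumption added here because a MAC-auth account only matches when the learned address is formatted the same way (case and delimiter) as the account was entered, which is one reason a device can seem to never show up.

```python
"""Model of MAC-based VLAN assignment on an untrusted switch port.

Added illustration (not Aruba code): simulates the behaviour described in
the reply above, with constructed sample data.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Role:
    name: str
    vlan: Optional[int]  # None means the role gives no network access


def normalize_mac(mac: str) -> str:
    """Canonicalise a MAC to 12 lower-case hex digits with no delimiters.

    Assumed helper: accounts keyed by "AA:BB:..." would otherwise never
    match a switch that learns "aabb..." (or the reverse).
    """
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return hexdigits.lower()


class MacAuthPort:
    """One untrusted port doing MAC authentication against a local user DB."""

    def __init__(self, user_db: Dict[str, str], roles: Dict[str, Role],
                 initial_role: Role, l2_fallback: bool) -> None:
        # Normalise the database keys once so lookups are format-independent.
        self.user_db = {normalize_mac(m): role for m, role in user_db.items()}
        self.roles = roles
        self.initial_role = initial_role
        self.l2_fallback = l2_fallback
        self.users: Dict[str, Role] = {}  # what a 'show user' style view lists

    def connect(self, mac: str) -> Role:
        """Apply the initial role, then the DB role if the MAC is known."""
        key = normalize_mac(mac)
        role = self.initial_role  # every new MAC starts in the initial role
        role_name = self.user_db.get(key)
        if role_name is not None:
            role = self.roles[role_name]  # authenticated: the role's VLAN
        elif not self.l2_fallback:
            role = Role("denied", None)  # failed auth without fallback: no access
        # With l2 fallback, an unknown MAC simply stays in the initial role.
        self.users[key] = role
        return role

    def show_user(self) -> Dict[str, tuple]:
        """Per-MAC (role, vlan) view of the devices seen on the port."""
        return {mac: (r.name, r.vlan) for mac, r in self.users.items()}


# Constructed sample data: only "Device B" is entered in the user database.
USER_DB = {"AA:BB:CC:DD:EE:02": "vlan20-role"}
ROLES = {"vlan20-role": Role("vlan20-role", 20)}


def demo() -> Dict[str, Dict[str, tuple]]:
    """Run both policies from the reply and return their per-MAC results."""
    # Policy 1: deny-all initial role, no fallback -> unknown devices get nothing.
    strict = MacAuthPort(USER_DB, ROLES, Role("deny-all", None), l2_fallback=False)
    # Policy 2: initial role on VLAN 1 plus l2 fallback -> unknown devices stay there.
    permissive = MacAuthPort(USER_DB, ROLES, Role("default", 1), l2_fallback=True)
    for port in (strict, permissive):
        port.connect("aa-bb-cc-dd-ee-01")  # Device A, not in the database
        port.connect("aabbccddee02")       # Device B, different formatting, same MAC
    return {"strict": strict.show_user(), "permissive": permissive.show_user()}


if __name__ == "__main__":
    for policy, users in demo().items():
        print(policy, users)
```

Both policies put Device B in VLAN 20; only the second leaves Device A usable on VLAN 1. As the reply notes, with an unmanaged switch in between both VLANs are present on the same wire, so treat the MAC-based assignment as a convenience for placing known devices, not as isolation between them.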