Comware

 View Only

  • 1.  Incorporating MAC-based VLANs, RADIUS, GVRP, and ACLs - Best approach?

    Posted Feb 05, 2010 02:56 PM
    Hi All,

    I am in the process of redesigning the network at my company and would appreciate some suggestions on how to achieve my goals using HP ProCurve switches.

    My design calls for:
    - At least 30 VLANs/subnets (and growing), 14 edge switches, and 1 core switch.
    - Each VLAN needs to access the Internet, other specific VLANs (not all of them), and be accessible through VPN.
    - All VLANs will be assigned dynamically using a RADIUS server based on the host's MAC address (MAC-based authentication).

    Now, due to the amount of edge switches and the growing number of VLANs, I'm thinking about implementing GVRP for VLAN propagation, so I can ease the administration process. Also, I'm assuming that the best way to allow VLANs to see the Internet and specific VLANs is to implement ACLs either at the core switch or with RADIUS. The problem is that I've heard that GVRP and ACLs on the core switch don't work together; I think a way to overcome this is to handle the ACLs through the RADIUS server but... will that require all the edge switches to be Layer 3 with support for ACLs? That's going to get expensive!

    My idea was to go with HP ProCurve 2510G for my 14 edge switches and either a 2910al or 6600 for my core switch.

    What do you, guys, suggest as far as equipment and configuration?


  • 2.  RE: Incorporating MAC-based VLANs, RADIUS, GVRP, and ACLs - Best approach?

    Posted Feb 06, 2010 04:56 PM
    No you don't need 'Layer 3' switches to handle dynamic ACLs, the 2610 series of switches will use them just fine. Though it's worth noting that ACLs only apply on packets ingressing into the switch.

    GVRP and static port ACLs work just fine on all ProCurve switches. If they don't this is a defect and should be logged.. who's spreading this misinformation?

    I'd recommend against using 2510 series for this; especially when you're trying to use complex features such as these. They're essentially budget versions of the 2610s with a lot of software functionality stripped out. You will more than likely find a critical feature you need is missing on the 2510 series.

    On my previous employers network we distributed 76 VLANs to 200 2610 series and 400 2626 series switches via GVRP, using concurrent 802.1X+Mac-Auth to perform the assignment. The intermediary (distribution) switches were a mixture of 5300 and 5400zl switches with port ACLs on their downstream links (used to protect VRRP instances on the core), these then connected to 3*8200 series at the core which served as the GVRP advertisement root (i.e. where all the VLANs were statically defined).

    Your design will work, just don't skimp on the edge switches ;)


  • 3.  RE: Incorporating MAC-based VLANs, RADIUS, GVRP, and ACLs - Best approach?

    Posted Feb 09, 2010 06:19 PM
    Arran, Thank you for your response.

    The 2610s, as you suggest, do have a great set of features but unfortunately they are not Gigabit switches, which is a requirement I forgot to mention. So what would be my next Gigabit edge switch supporting dynamic ACLs, the 2910al?


Related Content