Frequent Contributor I

Critical vlan

For wired VLAN,

we have CPPM deployed geographically all over the world: 1 publisher and 5 subscribers. Remote locations will be using the nearest subscriber when we roll out NAC. In case of WAN link issues or delays, is it OK to deploy critical VLAN on Cisco switches and HPE switches? Is critical VLAN supported on HPE switches? Do you have any sample config?

MVP Guru Elite

Re: Critical vlan

Yes, there is critical on HPE (Aruba) switches



PowerArubaSW: Powershell Module to use Aruba Switch API for Vlan, VlanPorts, LACP, LLDP... More info

PowerArubaCP: Powershell Module to use ClearPass API (create NAD, Guest...) More info

PowerArubaCX: Powershell Module to use ArubaCX API (get interface/vlan/ports info)

PowerArubaIAP: Powershell Module to use Aruba Instant AP

PowerArubaMC: Powershell Module to use Mobility Controller / Master


ACMP 6.4 / ACMX #107 / ACCP 6.5 / ACSP

Re: Critical vlan

For Aruba you can use:

aaa port-access <port> critical-auth data-vlan <ID>

 

For HPE Comware you can use this per port:

mac-authentication critical vlan <ID>

dot1x critical vlan <ID>



- - - - Aruba ACCX #748, ACDX #758, ACMP, ACEAP | HPE Master ASE - - - -
- - - - - - - Feel free to give kudos or accept as a solution! - - - - - - - - -
Frequent Contributor I

Re: Critical vlan

Can we use the data VLAN as the critical VLAN?

We don't want to deploy or create another separate critical VLAN.

MVP Guru Elite

Re: Critical vlan


@cppmadmin wrote:

Can we use the data VLAN as the critical VLAN?

We don't want to deploy or create another separate critical VLAN.


Yes, it is the name of the function ;)



Frequent Contributor I

Re: Critical vlan

OK, thanks for your feedback.

I have one more point.

Suppose the data VLAN configured on the access port is VLAN 10.

What if we don't define the critical VLAN command (dot1x critical vlan 10) and at the same time the RADIUS servers become unreachable?

Does it put the port into the data VLAN (as it is configured statically on the port), or will it put the port into the default VLAN configured on the switch (which in most cases is VLAN 1)?

The point is: what is the default behaviour of an access port configured with a data VLAN, without critical VLAN configuration, in case RADIUS becomes unreachable?

 


Re: Critical vlan

The use of critical VLAN is to prevent a RADIUS reject when the RADIUS server becomes unavailable.

 

When the client is rejected, it is denied access, so won't fallback to any other configured vlan.

 

The default (untagged) vlan of the port is only applied when the radius server sends a radius-accept without any vlan attribute. 



- - - - Aruba ACCX #748, ACDX #758, ACMP, ACEAP | HPE Master ASE - - - -
- - - - - - - Feel free to give kudos or accept as a solution! - - - - - - - - -
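
An added example, not part of the original thread: a small Python audit that reads a Comware-style configuration export and flags ports where 802.1X or MAC authentication is enabled but the critical VLAN command from the answers above is missing, or does not match the port's data VLAN. The sample configuration, interface names and VLAN IDs are constructed, and `audit_critical_vlan` is a hypothetical helper name.

```python
import re

# Constructed sample in the style of a Comware configuration export;
# interface names and VLAN IDs are made up for illustration.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 port access vlan 10
 dot1x
 dot1x critical vlan 10
 mac-authentication
 mac-authentication critical vlan 10
#
interface GigabitEthernet1/0/2
 port access vlan 10
 dot1x
 mac-authentication
 mac-authentication critical vlan 10
#
interface GigabitEthernet1/0/3
 port access vlan 20
 dot1x
 dot1x critical vlan 10
#
interface GigabitEthernet1/0/4
 port access vlan 10
#
"""

def audit_critical_vlan(config):
    """Return {interface: [findings]} for ports with RADIUS authentication enabled."""
    findings = {}
    for stanza in re.split(r"^#\s*$", config, flags=re.M):
        lines = [l.strip() for l in stanza.strip().splitlines()]
        if not lines or not lines[0].startswith("interface "):
            continue
        access = next((l.split()[-1] for l in lines if l.startswith("port access vlan ")), None)
        issues = []
        for method in ("dot1x", "mac-authentication"):
            if method not in lines:  # authentication method not enabled on this port
                continue
            crit = next((l.split()[-1] for l in lines if l.startswith(method + " critical vlan ")), None)
            if crit is None:  # per the thread: without it, an outage ends in denied access
                issues.append(method + ": no critical vlan")
            elif crit != access:  # assumption: the data VLAN is meant to be the fallback
                issues.append(method + ": critical vlan " + crit + " != access vlan " + str(access))
        if issues:
            findings[lines[0].split(None, 1)[1]] = issues
    return findings
```

Calling `audit_critical_vlan(SAMPLE_CONFIG)` reports only ports 1/0/2 and 1/0/3; ports with no authentication enabled are skipped.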