Dynamic VLAN / Sticky mac-address

mertensseppe
Member
Posts: 2
Joined: 23 May 2019 07:16

Dynamic VLAN / Sticky mac-address

Post by mertensseppe »

Hi all!

I am a student who is doing research around Alcatel switches. I only have experience with Cisco switches, so I would love some help.

I am currently doing some research around dynamic VLANs and sticky MAC addresses, and I was wondering if you guys could help me.

Within our company network we have wired computers that are in a VLAN together. Now it is intended that only company computers can access this VLAN; all other computers (from visitors or people with less good intentions) should be automatically sent to the guest VLAN.

I was thinking of Dynamic VLAN myself, but I would not know if this is possible. If this were possible, could you provide some information here and put me on my way?

As a second option, which is less appropriate but can serve as a temporary solution, I thought of sticky MAC addresses. Is this possible to do, and how can I do this easily, so that I do not have to configure each port separately? Can this be done automatically or in one go?

Thanks for your help!
Seppe
silvio
Alcatel Unleashed Certified Guru
Posts: 1886
Joined: 01 Jul 2008 10:51
Location: Germany

Re: Dynamic VLAN / Sticky mac-address

Post by silvio »

I will start with the second question: With the port-security (LPS) feature you can do it. For example, you can "convert-to-static" the currently successfully learned MAC address (the good one) to a fixed entry at this port. You can do this for all the ports at the same time (port-range).

To allow only your domain computers to access the network you have two ways.
MAC-address authentication with a central RADIUS server where all your MAC addresses will be stored (e.g. within the AD).
Or (the best way) use computer certificates. Create a certificate for all the good computers and store it on the computers. Then you have to activate Access Guardian with 802.1X authentication (the config within the switches is similar to MAC auth) against the RADIUS server (e.g. Windows Network Policy Server, NPS).

For more info on how to configure etc., look into the guides for the switches.
best regards
Silvio
mertensseppe
Member
Posts: 2
Joined: 23 May 2019 07:16

Re: Dynamic VLAN / Sticky mac-address

Post by mertensseppe »

silvio wrote: 26 May 2019 05:18 I will start with the second question: With the port-security (LPS) feature you can do it. For example, you can "convert-to-static" the currently successfully learned MAC address (the good one) to a fixed entry at this port. You can do this for all the ports at the same time (port-range).

To allow only your domain computers to access the network you have two ways.
MAC-address authentication with a central RADIUS server where all your MAC addresses will be stored (e.g. within the AD).
Or (the best way) use computer certificates. Create a certificate for all the good computers and store it on the computers. Then you have to activate Access Guardian with 802.1X authentication (the config within the switches is similar to MAC auth) against the RADIUS server (e.g. Windows Network Policy Server, NPS).

For more info on how to configure etc., look into the guides for the switches.
best regards
Silvio
Thank you very much, you helped me a lot!
jglatorre
Member
Posts: 6
Joined: 12 Oct 2022 15:12

Re: Dynamic VLAN / Sticky mac-address

Post by jglatorre »

silvio wrote: 26 May 2019 05:18 I will start with the second question: With the port-security (LPS) feature you can do it. For example, you can "convert-to-static" the currently successfully learned MAC address (the good one) to a fixed entry at this port. You can do this for all the ports at the same time (port-range).

To allow only your domain computers to access the network you have two ways.
MAC-address authentication with a central RADIUS server where all your MAC addresses will be stored (e.g. within the AD).
Or (the best way) use computer certificates. Create a certificate for all the good computers and store it on the computers. Then you have to activate Access Guardian with 802.1X authentication (the config within the switches is similar to MAC auth) against the RADIUS server (e.g. Windows Network Policy Server, NPS).

For more info on how to configure etc., look into the guides for the switches.
best regards
Silvio
Hello Silvio, thank you for your reply. I think I have the same issue. I tried "convert-to-static" and it is working so far, but I would like the dynamically learned MAC address to be sticky to the port. Please let me know if there is any command to do it.

Best Regards.
silvio
Alcatel Unleashed Certified Guru
Posts: 1886
Joined: 01 Jul 2008 10:51
Location: Germany

Re: Dynamic VLAN / Sticky mac-address

Post by silvio »

would like that the MAC-ADDRESS learning dynamically can be sticky to the port. Please let me know if there is any command to do it.
This is the convert-to-static command. You can play with some special options (boot-up and no-aging) depending on your wishes.
BR Silvio
jglatorre
Member
Posts: 6
Joined: 12 Oct 2022 15:12

Re: Dynamic VLAN / Sticky mac-address

Post by jglatorre »

silvio wrote: 26 Mar 2023 11:31
would like that the MAC-ADDRESS learning dynamically can be sticky to the port. Please let me know if there is any command to do it.
This is the convert-to-static command. You can play with some special options (boot-up and no-aging) depending on your wishes.
BR Silvio
Hello, thank you for your, I want to know how I can find this option on the CLI:

Via WEB I follow these steps:

1. Login to the website Switch
2. Go to Security -> Port Security -> Configuration -> and Learn as a static
silvio
Alcatel Unleashed Certified Guru
Posts: 1886
Joined: 01 Jul 2008 10:51
Location: Germany

Re: Dynamic VLAN / Sticky mac-address

Post by silvio »

f.e. port-security learning-window 600 convert-to-static enable no-aging enable (boot-up enable)
play with ? at any point of the command to find it out. And have a look into the cli guide.
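
Added example, not part of the original post and not Alcatel-Lucent code: a simplified Python model of what the learning-window, convert-to-static and no-aging options in the command above are meant to do. The class, the 300-second aging time, the port names and the MAC addresses are constructed assumptions; the exact switch behaviour is in the CLI guide.

```python
from dataclasses import dataclass, field

@dataclass
class Port:
    dynamic: dict = field(default_factory=dict)  # MAC -> time last seen (s)
    static: set = field(default_factory=set)     # MACs pinned to this port

class LpsModel:
    """Assumed semantics: learn during the window, pin at expiry, block after."""
    def __init__(self, window=600, convert_to_static=True, no_aging=True,
                 aging_time=300):
        self.window, self.convert_to_static = window, convert_to_static
        self.no_aging, self.aging_time = no_aging, aging_time
        self.ports, self.window_closed = {}, False

    def _age_out(self, port, now):
        if not self.no_aging:  # silent stations are forgotten
            port.dynamic = {m: t for m, t in port.dynamic.items()
                            if now - t < self.aging_time}

    def _close_window(self):
        for port in self.ports.values():
            self._age_out(port, self.window)
            if self.convert_to_static:
                # Whatever is still learned gets pinned, trusted or not.
                port.static |= set(port.dynamic)
                port.dynamic.clear()
        self.window_closed = True

    def frame(self, port_id, mac, now):
        """Classify a frame by source MAC: learned, allowed or violation."""
        mac = mac.lower()
        if now >= self.window and not self.window_closed:
            self._close_window()
        port = self.ports.setdefault(port_id, Port())
        if mac in port.static:
            return "allowed"
        self._age_out(port, now)
        if mac in port.dynamic:
            port.dynamic[mac] = now
            return "allowed"
        if self.window_closed:
            return "violation"
        port.dynamic[mac] = now
        return "learned"

# Constructed events: (port, source MAC, seconds since the window opened)
EVENTS = [("1/1", "00:11:22:33:44:55", 10), ("1/2", "de:ad:be:ef:00:01", 590),
          ("1/1", "00:11:22:33:44:55", 700), ("1/1", "66:77:88:99:aa:bb", 700),
          ("1/2", "de:ad:be:ef:00:01", 900)]

def demo(**options):
    sw = LpsModel(**options)
    return [sw.frame(p, m, t) for p, m, t in EVENTS]
```

In this model `demo()` shows that every station seen before the window closes is pinned, so the window should only be open while known-good machines are connected; `demo(no_aging=False)` shows a quiet company PC being forgotten before the window closes and then rejected.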

Return to “OmniSwitch 6450”