How do you have your network access control set up? Do you only have certain ports that they can plug into which are on that VLAN, or do you have a specific software or hardware solution?
I enabled 802.1X authentication on ALL the computers and on the switches.
Background: My sites are connected together via WAN links. Each site is its own Subnet & its own VLAN. My core-switch routes all these VLANs together and routes the traffic between them.
The Guest VLAN is isolated in that it is NOT routed to/from any of the other VLANs.
I have a couple of Windows 2008 R2 Network Policy Servers (NPS) running RADIUS against Active Directory. The computers themselves log on to Active Directory AND authenticate via 802.1X if they are our computers (joined to our domain)... That connects them to their VLAN. When a user logs on, he or she is also authenticated via 802.1X.
If a rogue device (i.e. an outside computer) gets plugged into our network, it will NOT be able to authenticate its computer account in Active Directory via RADIUS by way of 802.1x. Any one of our 237 network switches that it is plugged into will stick that device in a separated (isolated guest) VLAN automatically.
The Guest VLAN allows:
1. Access to certain printers for use by outside contractors
2. Access to the Internet (unfiltered for content)
3. Access to PXE Boot & Scripted Installs of Operating Systems (i.e. If one of our machines is broken it won't be able to authenticate to its own VLAN).
4. Access to be able to Join our Domain. (This facility has to be allowed to get computers to authenticate).
5. Monitored by IPS (Intrusion Protection System). If failure occurs, the network port the computer is connected to goes into blocking mode until the link is re-established or 24 hours.
The Regular VLANS:
1. Printing to their site printers (they can't see other site printers)
2. Servers, Other Computers regardless of VLAN/Site
3. Lightly filtered Internet
4. No rights to the management IP addresses of Switches
5. No ability to get into iSCSI or the back-end of the SANs
6. No ability to get into VMware Management of ESX
7. Cannot see Guest VLAN
8. Cannot see IT/Management VLAN
9. Monitored by IPS (Intrusion Protection System). If failure occurs, drops computer to the Guest VLAN.
Management VLAN (for IT):
1. Any printers, servers, computers regardless of VLAN
2. Lightly Filtered Internet with a button to override any blocked content.
3. Can manage VMware, Switches, Network Devices
4. Can see ALL VLANs
5. Can even connect to the iSCSI VLAN of the SANs
6. Can manage VMware
7. Intrusion Protection System does logging only.
iSCSI VLAN (for SAN):
1. Connects the VMware Physical Hosts to the LUNs on the SANs
2. ALL data to storage/from storage in vCenter goes from/to the SAN via iSCSI
3. Prevents anyone with an iSCSI client from being able to attempt to connect to iSCSI. Without this VLAN, with proper credentials, you could mount a drive via the built-in iSCSI client.
OUTSIDE VLAN:
1. This VLAN is connected directly to totally unfiltered Internet. There is no firewall at all. In fact, you could ping it from home (if I assigned it an IP address).
Our Firewall, a Cisco ASA, has an INSIDE and an OUTSIDE port. Most people connect the inside to their switch and the outside to the Internet and call it good.
What I did is connect the ASA INSIDE to the switch, and I connected the ASA OUTSIDE to this special VLAN that is totally isolated even from the IT VLAN. Another port on this OUTSIDE VLAN actually does go to the outside world.

If I ever want to assign to the outside VLAN (I never have), they would be connected directly to the Internet without the firewall. They would not be able to access anything at all except the Internet. In fact, they would be given an Internet IP to Gigabit Internet. Yeah, that's 1000 Mbps to the Internet.
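
An added example, not part of the original post: the per-VLAN reachability lists above written as a policy table and checked against flow records, which is one way to test that the isolation actually holds. The zone and destination labels, the site names and the sample flows are constructed assumptions; real input would be flow or firewall logs already mapped to these labels.

```python
from typing import NamedTuple, Optional

class Flow(NamedTuple):
    src_zone: str  # VLAN class of the source port
    src_site: str
    dst: str       # destination class (assumed labels, see ALLOWED)
    dst_site: str

# Destinations each VLAN class may reach, taken from the lists in the post.
# The label names themselves are assumptions made for this example.
ALLOWED = {
    "guest": {"contractor_printer", "internet", "pxe", "domain_join"},
    "regular": {"site_printer", "server", "regular", "internet"},
    "management": {"site_printer", "contractor_printer", "server", "regular",
                   "guest", "management", "iscsi", "switch_mgmt",
                   "vmware_mgmt", "internet"},
    "iscsi": {"iscsi"},
    "outside": {"internet"},
}

def check(flow: Flow) -> Optional[str]:
    """Return None when the flow fits the policy, otherwise the reason."""
    allowed = ALLOWED.get(flow.src_zone)
    if allowed is None:
        return f"unknown source zone {flow.src_zone}"
    if flow.dst not in allowed:
        return f"{flow.src_zone} may not reach {flow.dst}"
    # Regular VLANs print only to printers at their own site.
    if (flow.src_zone, flow.dst) == ("regular", "site_printer") \
            and flow.src_site != flow.dst_site:
        return "regular VLAN may not print at another site"
    return None

def audit(flows):
    """Return (flow, reason) for every flow that breaks the policy."""
    return [(f, r) for f in flows if (r := check(f)) is not None]

# Constructed sample flows (not real log data).
SAMPLE = [
    Flow("guest", "site1", "internet", "-"),
    Flow("guest", "site1", "server", "site1"),
    Flow("regular", "site1", "site_printer", "site2"),
    Flow("regular", "site2", "server", "site1"),
    Flow("regular", "site1", "switch_mgmt", "site1"),
    Flow("management", "site1", "iscsi", "site1"),
    Flow("management", "site1", "outside", "-"),
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE):
        print(reason, flow)
```

The Management VLAN reaching the OUTSIDE VLAN is flagged because the post describes that VLAN as isolated even from the IT VLAN.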