Abstract
On occasion a non-employee will need to connect their laptop to our ethernet network, which begs the question, “How do we allow customers to access our network while protecting our workstations?”
The short answer is that we use a combination of VMPS-capable switches, VMPS software, VLANs, DNS, and DHCP. And, of course, reasonably stringent firewall rules.
We are a Software Services company, and at any given moment 40% of the 200-odd people in our San Francisco office are not employees. Of those 80 people, 98% of them can access the guest WiFi network without a problem. There are, however, the remaining 2% who, for whatever reason (their WiFi chipset doesn’t interoperate well with our WiFi Access Points, their wireless is broken, they’ve accidentally deleted their drivers, etc…) cannot connect to the WiFi. They need to access the Internet, and they can only use ethernet.
We want to give our guests ethernet connectivity when needed, but not in such a way that it jeopardizes the security of our workstations.
Audience
This article is directed to IT organizations
- That have smart switches that are VMPS-capable
- That have *NIX-based DNS & DHCP servers
- That have guests that need need ethernet access
- That have a requirement to quarantine their guests’ machines
- That are willing to record the MAC address of every device on their network (i.e. not their guests’ devices, just their own)
Steps
These are the steps to go through.
First, we assume you have already set up your VLANS, and have entered them into your ethernet switch(es). These are our VLANs (note: the IP addresses and subnet masks are simplified for purposes of our discussion):
VLAN Name IP
1 default 10.0.1.0/24
2 SERVER 10.0.2.0/24
3 PAIRING_DMZ 10.0.3.0/24
4 VOIP 10.0.4.0/24
5 PIVOTAL_WIFI 10.0.5.0/24
6 PIVOTAL_GUEST 10.0.6.0/24
7 SECURITY 10.0.7.0/24
8 COMMON 10.0.8.0/24
Note VLAN 6 (PIVOTAL_GUEST); this is the VLAN we’ll use to quarantine our guests.
Secondly, you’ll need to configure your switches. In our case, we have Cisco 2960G 48-port switches, which requires enabling both VTP and VMPS.
We’ll need to configure one switch as the VTP server, and the remaining switches as the VTP clients. We used the following commands to configure the server:
sw-00#config term
Enter configuration commands, one per line. End with CNTL/Z.
sw-00(config)#vtp mode server
sw-00(config)#vtp version 2
sw-00(config)#vtp domain sf.pivotallabs.com
sw-00(config)#vmps server 10.0.1.16 primary
sw-00(config)#end
You’ll need to configure the remaining switches as follows:
sw-01#config term
Enter configuration commands, one per line. End with CNTL/Z.
sw-01(config)#vtp mode client
sw-01(config)#vmps retry 5
sw-01(config)#vmps server 10.0.1.16 primary
sw-01(config)#end
Then you’ll need to set up your VMPS server on your *NIX box:
- The VMPS server must be reachable from every switch on the network. In our case, we decided to run the VMPS daemon on our DNS/DHCP server (10.0.1.16).
- We used Dori Seliskar’s OpenVMPS. It installed fairly easily on our FreeBSD 8.3 machine.
The commands to install:
curl -L http://sourceforge.net/projects/vmps/files/latest/download | tar xzvf -
cd vmpsd-1.4.04
bash configure
make
sudo make install
VMPS Server Configuration
We replaced the VMPS server configuration file (/usr/local/etc/vlan.db) with the following (truncated (we only show 8 address records of the full 381) and edited for readability):
vmps domain sf.pivotallabs.com
vmps mode open
vmps fallback PIVOTAL_GUEST
vmps no-domain-req deny
vmps-mac-addrs
! address <addr> vlan-name <vlan_name> ! comment
address 0022.4d6b.dead vlan-name SECURITY ! nvr
address 3c07.545c.beef vlan-name CUST_2 ! bartol
address 001f.f352.dead vlan-name default ! adair
address c82a.1414.beef vlan-name PAIRING_DMZ ! aerial
address f0de.f134.dead vlan-name FINANCE ! bill-thinkpad
address 001b.781d.beef vlan-name COMMON ! goldfinger
address 0004.f234.dead vlan-name VOIP ! voip-ash
The important things to note about this file are the following:
- You should customize the VMPS domain (i.e. sf.pivotallabs.com) to match your site. It must also match the VTP domain configured on your switches. You are not required to use DNS domain-format.
- The fallback PIVOTAL_GUEST directive is crucial: it shunts all unrecognized MAC addresses onto the PIVOTAL_GUEST VLAN.
- The VLANs (e.g. PIVOTAL_GUEST, VOIP, COMMON) must be defined on the switches; use the IOS command show vlan to determine which VLANs have been defined.
- The MAC addresses are in Cisco notation (e.g. c82a.1414.beef) not IEEE 802 notation (e.g. c8:2a:14:14:be:ef).
- An exclamation mark (”!“) and everything following it are ignored (i.e. used for comments).
- We do not record the MAC addresses of our WiFi clients; by connecting to the WiFi they are automatically restricted to the appropriate VLAN (PIVOTAL_WIFI in the case of employees, PIVOTAL_GUEST in the case of guests).
Customizations
We additionally did the following:
- wrote a start-up script so that the vmpsd daemon would start on reboot
- wrote a script which created the vlan.db based on the MAC addresses culled from our DHCP tables
- modified our Makefile (we use make to build our DNS & DHCP files) to include the building of our VMPS file (vlan.db)
Gotchas
- Treat your vlan.db file with care. On the second day of our roll-out, we accidentally truncated our vlan.db file. The effect was the a subset of people lost connectivity (their workstations had been shunted off to the guest VLAN, but retained the IP address from their previous VLAN (their DHCP lease had not expired). Net result: it was as if someone had yanked out their ethernet cable).
- Small desktop switches are unusable if two of the devices on the switch are on different VLANs. For example, we plugged an IP Phone (VLAN 4, VOIP) and a Mac Mini (VLAN 1, PIVOTAL) into the same desktop switch, and made a phone call while doing a download. Our experience: the download would freeze while the phone conversation was fine. A few seconds later, the phone conversation would cut off while the download suddenly started up again. A few seconds after that, the phone call would resume and the download would freeze.
- Similarly, a user of virtualization software (e.g. VMware, VirtualBox, Xen, Linux KVM) who bridges (instead of NATs) their VM’s network interface will suffer as the ethernet switch ping-pongs their interface between the guest network and their normal network.
- This [solution] is not Fort Knox. For example, a canny hacker could clone a MAC address of one of our workstations and use that to access our network.
- It takes a fair amount of IT discipline to record the MAC address of every ethernet device.
Bibliography
Acknowledgements
I would like to thank Michael Sierchio for doing the lion’s share of the work, and Colin Deeb for fixing problems during the roll-out.
About the Author