Recently at TechEd Australia, New Zealand and Hong Kong I've been presenting on Network Access Protection using 802.1x dynamic Virtual LAN's (VLANs) and Cisco switches. I've done this before actually in my previous blogcasts doing NAP with IPSEC but I got feedback that IPSEC was all too hard - and in fact is quite difficult in Windows Server 2003 and Windows XP. Thankfully Vista and Windows Server 2008 IPSEC configuration is stacks easier but doesn't help existing large deployments of previous Windows platforms. VLAN'ing offers a great alternative to segmenting networks and is much easier to deploy aswell.
Of course with any infrastructure deployments there's things that must be considered such as security. In a VLAN'd environment what are the known attack scenarios? Heres one - and this effectively knocks out switching too. If I can potentially MAC flood your switch - which means that I send so many MAC addresses at a switch port that I flood the table beyond its capacity, then I effectively force the switch to being a hub. This means every packet gets sent to every port on the switch and effectively knocks out the VLANs. Cisco have written an article on this and how to prevent it by implementing port level security. Enabling this feature essentially places a limit on the number of MAC addresses a switch port will accept. Of course there are some scenarios where you want a switch port to take a lot of addresses such as a wireless access point connecting into it but even then it shouldn't be unlimited or beyond the reasonable amount of clients you expect to connect.
In this blogcast I've combined each segment that Ive made into a single 28min blogcast that covers the demo environment and shows you how to configure Network Access Protection from the server to the client and even the switch itself with a little bit of troubleshooting at the end. In fact I've shared the Cisco switch config below for your use!
So here it is!