Access Control Concepts

Network Access Control Technologies

A network typically includes VLANs such as these:

Management VLAN—This type of VLAN includes the IP addresses on infrastructure devices through which you manage and configure those devices. It may also include the endpoints that network administrators use to access the infrastructure devices. On ProCurve devices, you can enable a Secure Management VLAN, which does not allow traffic to be routed into or out of it.

Default VLAN—This VLAN includes all devices connected to ports not specifically assigned to another VLAN. If you implement network access control on all ports, you do not need to worry as much about securing the default VLAN. A method such as 802.1X prevents rogue users from connecting to unprotected ports.

Note

Sometimes the management VLAN is also the default VLAN; you should give the management VLAN a new ID to protect access to your network devices.

Unauthorized VLAN—In a network that implements port access control, the unauthorized VLAN fulfills some of the roles of a default VLAN. It is the VLAN into which users that fail authentication are placed, and it is therefore sometimes called the guest VLAN. The unauthorized VLAN might allow access to the Internet or to a limited list of private resources.

User VLANs—These VLANs include end-user devices. Best practices dictate that you group end users together according to the resources and rights that they require. For example, a network administrator at a hospital might place all nurses and doctors in VLAN 16, subnet 10.1.16.0/22. The administrator can then create ACLs to allow traffic from that subnet to a database of patient information.

Server VLANs—These VLANs include servers and databases. Again, it is easier to set up access controls when the resources necessary to a particular group are placed in the same VLAN. For example, the hospital network administrator could group all databases that store patient information in VLAN 6 and allow communication between VLAN 6 and VLAN 16. Of course, some servers, such as DHCP and DNS servers, might handle requests from several VLANs.

Of these types of VLANs, often only the user and perhaps management VLANs are set up dynamically. In a large or complicated network, you should strongly consider a solution such as IDM, which helps you quickly configure dynamic VLAN settings on all of your RADIUS servers. (See “ProCurve IDM” on page 1-58.)
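The following is an added example, not part of the original text or of any ProCurve or IDM software. It models two things described above: the ACL that lets the user VLAN (VLAN 16, 10.1.16.0/22) reach the patient database in the server VLAN (VLAN 6) while DNS and DHCP remain reachable from every VLAN, and the dynamic VLAN assignment a RADIUS server performs for an 802.1X port (the Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-Id attributes defined in RFC 3580), including the failure case where the user is dropped into the unauthorized VLAN. Only VLAN 16, its subnet and VLAN 6 come from the text; the server VLAN subnet, server addresses, database port, management and unauthorized VLAN IDs and the group-to-VLAN mapping are assumptions made for the example.

```python
"""Model of the hospital VLAN plan: per-VLAN subnets, a first-match ACL
guarding the server VLAN, and RADIUS dynamic VLAN assignment (RFC 3580).
Added example; not ProCurve or IDM code."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# VLAN 16 / 10.1.16.0/22 and VLAN 6 are from the text; the rest is assumed.
MANAGEMENT_VID = 2      # assumed: management VLAN moved off the default VLAN 1
UNAUTH_VID = 99         # assumed: unauthorized / guest VLAN
USER_VID, SERVER_VID = 16, 6
SUBNETS = {
    USER_VID: ipaddress.ip_network("10.1.16.0/22"),
    SERVER_VID: ipaddress.ip_network("10.1.6.0/24"),     # assumed
    UNAUTH_VID: ipaddress.ip_network("10.1.99.0/24"),    # assumed
}
ANY = ipaddress.ip_network("0.0.0.0/0")
PATIENT_DB = ipaddress.ip_network("10.1.6.10/32")        # assumed address
DNS_SERVER = ipaddress.ip_network("10.1.6.53/32")        # assumed address
DHCP_SERVER = ipaddress.ip_network("10.1.6.67/32")       # assumed address


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    proto: str                       # "tcp", "udp" or "ip" (any protocol)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None      # None matches any destination port


# ACL on traffic entering the server VLAN. Switch semantics: rules are
# evaluated top down, the first match wins, and anything unmatched is denied.
SERVER_VLAN_IN: List[Rule] = [
    Rule("permit", "udp", ANY, DNS_SERVER, 53),          # DNS from every VLAN
    Rule("permit", "udp", ANY, DHCP_SERVER, 67),         # DHCP from every VLAN
    Rule("permit", "tcp", SUBNETS[USER_VID], PATIENT_DB, 5432),  # clinical users only
    Rule("deny", "ip", ANY, SUBNETS[SERVER_VID]),        # everything else to servers
]


def evaluate(acl: List[Rule], proto: str, src_ip: str, dst_ip: str,
             dport: Optional[int] = None) -> bool:
    """Return True if the packet is permitted by the first matching rule."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in acl:
        if rule.proto != "ip" and rule.proto != proto:
            continue
        if src not in rule.src or dst not in rule.dst:
            continue
        if rule.dport is not None and rule.dport != dport:
            continue
        return rule.action == "permit"
    return False                     # implicit deny at the end of the ACL


# Dynamic VLAN assignment. Assumed directory groups -> VLAN IDs; on a real
# deployment IDM or the RADIUS server holds this mapping.
GROUP_TO_VLAN: Dict[str, int] = {"clinical": USER_VID, "netadmin": MANAGEMENT_VID}


def vlan_attributes(vid: int) -> Dict[str, object]:
    """RADIUS Access-Accept attributes that place the port in VLAN `vid` (RFC 3580)."""
    return {
        "Tunnel-Type": 13,                 # VLAN
        "Tunnel-Medium-Type": 6,           # IEEE-802
        "Tunnel-Private-Group-Id": str(vid),
    }


def port_vlan_for(auth_ok: bool, groups: List[str],
                  unauth_vid: int = UNAUTH_VID) -> Tuple[Optional[int], Optional[Dict[str, object]]]:
    """VLAN the port lands in after 802.1X, and the attributes that put it there.

    Failed authentication: the switch moves the port to the unauthorized VLAN;
    no attributes are involved. Success with no mapped group: Access-Accept
    carries no VLAN attributes, so the switch keeps its static VLAN (None here).
    """
    if not auth_ok:
        return unauth_vid, None
    for group in groups:
        if group in GROUP_TO_VLAN:
            vid = GROUP_TO_VLAN[group]
            return vid, vlan_attributes(vid)
    return None, None


if __name__ == "__main__":
    print(evaluate(SERVER_VLAN_IN, "tcp", "10.1.17.25", "10.1.6.10", 5432))   # nurse -> DB
    print(evaluate(SERVER_VLAN_IN, "tcp", "10.1.99.7", "10.1.6.10", 5432))    # guest -> DB
    print(port_vlan_for(True, ["clinical"]))
    print(port_vlan_for(False, ["clinical"]))
```

The ACL ordering matters: the shared DNS and DHCP permits sit above the blanket deny so that hosts in the unauthorized VLAN can still obtain an address and resolve names, while the database permit is scoped to the user subnet only. The same structure is what you would express in the switch's VLAN ACL, and the attribute triple is what IDM pushes to each RADIUS server when it configures dynamic VLANs.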

1-34