Planning for the user connection to the restricted access network.

Note: Access to the default VRF (open network) can be through the restricted access network to an end-point like a VPN or VM. Those situations are not covered here.

Facts

  • The restricted access network will be a different VRF on the campus core network and it will be delivered to the user on a different VLAN than the normal building network.
  • The Avaya telephones strip all 802.1q tags from the frames they forward to the attached computer. We can only deliver a single VLAN to the user port.
  • The Avaya telephones are Unix systems with full access to all the traffic that passes through them. The phones appear to be reasonably well designed and secure, but a compromised phone could monitor the data passing through it.
  • The restricted access network could be delivered to a user via the telephone if the above risk is deemed to be acceptable. In this case, the user would have to access the default VRF via some other service provided by an endpoint in the restricted access network.
    • PB: The security issues here do not give me any serious headaches.
    • Important technical point: We do not know if the phone (which has to do 802.1x on the voice VLAN) will pass 802.1x traffic for the other VLAN through to the computer port (which we would like to do on the restricted access network). This would be a requirement for providing access to the restricted access network via the phone. It would also require the phone itself to be able to do 802.1x authentication on the data VLAN. This will probably not work. Someone who knows a lot about 802.1x will have to answer these questions.
    • PB: So, the conclusion is that we probably cannot provide the restricted access network VLAN via a phone.
    • PB: TL;DR we don't know if we could supply the restricted access network via the phone.
  • On a port without a phone, we could deliver both the restricted access network and the default network.
    • This will definitely work for a trunk port.
    • This may work for an access port if we lie to the switch and configure the restricted access network VLAN as the port's voice VLAN.
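The two port variants above, written out as an added configuration example (this is not from the planning notes and does not describe the campus switches). It assumes Cisco IOS syntax, made-up VLAN IDs (10 for the normal building network in the default VRF, 20 for the restricted access network VRF) and placeholder interface names.

```cisco
! Added example, not part of the original notes. Assumes Cisco IOS syntax.
! Constructed VLAN IDs: 10 = normal building network (default VRF),
!                       20 = restricted access network (separate VRF).
! Interface names are placeholders.

! Variant 1: trunk port. The default network is delivered untagged as the
! native VLAN and the restricted network is delivered tagged (VLAN 20), so
! the host needs one 802.1q sub-interface for VLAN 20.
interface GigabitEthernet1/0/1
 description User port - trunk: default untagged, restricted tagged
 switchport mode trunk
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,20
 spanning-tree portfast trunk

! Variant 2: access port with the restricted network declared as the
! "voice" VLAN. VLAN 10 is delivered untagged (data VLAN); VLAN 20 is
! delivered tagged, exactly as a voice VLAN would be. With no phone on the
! port, the host itself must send and receive restricted-network frames
! tagged with VLAN 20, again via a sub-interface on the host.
interface GigabitEthernet1/0/2
 description User port - access: restricted network presented as voice VLAN
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 spanning-tree portfast
```

In both variants the restricted network reaches the host only as tagged frames, so the host's NIC driver must be able to handle an 802.1q sub-interface; `show interfaces GigabitEthernet1/0/2 switchport` confirms which VLAN the switch is treating as data and which as voice. Before relying on variant 2 with 802.1x enabled on the port, check how the switch handles a single host MAC address appearing in both the data and the voice VLAN, since that is the same open 802.1x question raised for the phone case.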

Policy Matters

  • To be defined by Mr. Big.

Connection Scenarios

Works

  • Default VLAN via phone and restricted access network via a different port (two NICs in host).
  • Restricted access network via a dedicated port and default network access via some service on the restricted network.