Dynamic VLAN configuration in networking is a method where the VLAN to which a device belongs is determined dynamically based on certain parameters, typically the user ID, device ID or MAC address of the device(s). This is different from static VLAN configuration, where network administrators manually assign switch ports to VLANs.
In dynamic VLAN configuration, the VLAN membership policy is provided by a centralized server, a RADIUS/policy server (VMPS). This RADIUS/policy server authenticates a request based on the user ID, device ID or MAC address of the device connected to the port and dynamically supplies the following basic attributes for that port:
- Tunnel-Type (value 13 = VLAN),
- Tunnel-Medium-Type (value 6 = IEEE 802),
- Tunnel-Private-Group-ID (value: the VLAN ID as a string).
When a device moves from a port on one switch in the network to a port on another switch in the network, the new switch dynamically assigns the new port to the proper VLAN for that device.
The VMPS server listens for VLAN Query Protocol (VQP) requests from clients and searches its database for an entry mapping the user ID, device ID or MAC address to a VLAN. Upon receiving a valid request from a VMPS client, the VMPS server takes one of the following actions:
- If the assigned VLAN is restricted to a group of ports, the VMPS verifies the requesting port against this group and responds as follows:
  - If the VLAN is allowed on the port, the VMPS sends the VLAN name to the client in response.
  - If the VLAN is not allowed on the port and the VMPS is not in secure mode, the VMPS sends an "access-denied" response.
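As an added example (not Ray's code and not part of NPS or any VMPS implementation), the following Python parses the attribute triple described above out of the attribute bytes of a RADIUS Access-Accept and applies the port check from the list above: the three attributes must share one RFC 2868 tag, agree on VLAN/IEEE 802, and carry a numeric VLAN ID that is permitted on the port. The sample Access-Accept bytes are constructed, and `allowed_vlans` is an assumed stand-in for the port-group restriction.

```python
# RADIUS attribute numbers and values from RFC 2868 used for dynamic VLAN assignment
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN, IEEE_802 = 13, 6  # Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE 802

def parse_attributes(data: bytes):
    """Split a RADIUS attribute blob into (type, value) pairs, rejecting bad lengths."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("truncated or malformed attribute at offset %d" % i)
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs

def split_tag(value: bytes):
    """Tunnel attributes start with an optional tag byte (0x00-0x1F); a higher first byte is data."""
    return (value[0], value[1:]) if value and value[0] <= 0x1F else (0, value)

def decide_vlan(data: bytes, allowed_vlans=None):
    """Return ('assign', vlan), ('deny', vlan) or ('none', None) for an Access-Accept's attributes."""
    by_tag = {}
    for atype, value in parse_attributes(data):
        if atype not in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            continue
        tag, body = split_tag(value)
        # Tunnel-Private-Group-ID is a string; the other two are 3-byte integers after the tag
        if atype == TUNNEL_PRIVATE_GROUP_ID:
            by_tag.setdefault(tag, {})[atype] = body.decode("ascii", "replace")
        else:
            by_tag.setdefault(tag, {})[atype] = int.from_bytes(body, "big")
    for entry in by_tag.values():  # all three attributes must carry the same tag and agree
        gid = entry.get(TUNNEL_PRIVATE_GROUP_ID, "")
        if entry.get(TUNNEL_TYPE) != VLAN or entry.get(TUNNEL_MEDIUM_TYPE) != IEEE_802:
            continue
        if not gid.isdigit() or not 1 <= int(gid) <= 4094:
            continue  # malformed or out-of-range VLAN ID: ignore rather than trust it
        if allowed_vlans is not None and int(gid) not in allowed_vlans:
            return "deny", int(gid)  # VLAN restricted to other ports: the "access-denied" case
        return "assign", int(gid)
    return "none", None

def tunnel_attr(atype: int, tag: int, body: bytes) -> bytes:
    """Encode one tagged tunnel attribute as type, length, tag, body."""
    return bytes([atype, 3 + len(body), tag]) + body

# Constructed sample: the attribute triple a RADIUS/NPS server returns for VLAN 20 with tag 1
SAMPLE_ACCEPT = (tunnel_attr(TUNNEL_TYPE, 1, VLAN.to_bytes(3, "big"))
                 + tunnel_attr(TUNNEL_MEDIUM_TYPE, 1, IEEE_802.to_bytes(3, "big"))
                 + tunnel_attr(TUNNEL_PRIVATE_GROUP_ID, 1, b"20"))
```

Calling `decide_vlan(SAMPLE_ACCEPT, allowed_vlans={10, 20})` yields `('assign', 20)`, while `allowed_vlans={10}` yields `('deny', 20)`, the case the list above describes as "access-denied".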
Dynamic VLAN assignment separates and isolates devices into different network segments based on the device or user authorization and their characteristics. The flow of traffic between those VLANs is governed by a Layer 3 switch, router or firewall, which can then enforce specific network access rules.
Dynamic VLAN assignment is an excellent technique for building on the underlying core strategy to control network access. It builds on the use of RADIUS to control access to the network.
To configure dynamic VLAN in a wireless network, you need to meet the following prerequisites:
- Have basic knowledge of Ray device configuration.
- Have working knowledge of the AAA/RADIUS/NPS server.
- Have thorough knowledge of wireless networks and wireless security issues.
- NPS should be functional and the Ray access points must be added as RADIUS clients on NPS. For detailed steps, follow the KB below:
https://support.ray.life/en/support/solutions/articles/81000407441-how-to-setup-nps-on-active-directory
Ray provides detailed steps on how to configure dynamic VLAN membership below:
- Create a Radius server:
  - Go to the particular cluster where you want to add the Radius server. It can be a root cluster or a child cluster, depending on the network architecture.
  - Go to Profiles
  - Select Radius
  - Click on the "Create Radius" button, add the server and save.
Create a new WLAN profile to configure Dynamic VLAN on Ray devices:
- Go to Profiles
- Select WLAN
- Click on the "Create WLAN" button
- Select Definition Type: "Open/Password/Enterprise".
- Go to Security:
  - Security Mode = Enterprise Authentication
  - Radius Profile = the Radius server created earlier
  - Encryption = WPA2 (it should be the same as configured on the Radius server)
- Go to Network Interfaces:
  - Gateway = keep it blank
  - Bridge + Firewall = Default WAN for Bridge and Client Mode
  - Bridge No Firewall = Default WAN for Bridge and Client Mode
- Save the profile.
- Now publish the profile for the particular cluster by selecting:
  - Single Selection
  - the cluster name
  - Click on Publish
- Go to Jobs and wait until all new jobs have finished successfully.
Please note that configuring Dynamic VLANs requires specific knowledge and understanding of your network infrastructure and the devices connected to it.