
Table of Contents

Planning for User Registration
What User Registration Can Do for Your Network
Network Requirements for User Registration
How User Registration Fits Into Your Network
Deploying User Registration in Your Network
Preparing Your Network for User Registration
Using URT with CWSI Campus UserTracking

Planning for User Registration


The User Registration Tool (URT) application can simplify your network management, but in order to use the application, you must already have your network set up to use VLANs and NT networking. These sections discuss the network requirements for using URT, and explain the benefits and planning considerations for deploying user registration in your network.

What User Registration Can Do for Your Network

If you are currently using VLANs, and have a predominance of Windows 95, Windows 98, and Windows NT 4.0 clients running on a Microsoft Networking or Novell NetWare network running over TCP/IP, URT can simplify your VLAN management.

With URT, you can create VLAN policies based on NT user or group name, or NetWare user or organizational unit name, instead of the MAC address of the machine. Thus, a user can move from one machine to another and remain assigned to the appropriate VLAN and subnet. (This assumes that each machine is connected to a switch that supports URT.)

If the user has a mobile computer, such as a laptop, the user can connect to any supported switch port and also be connected to the correct VLAN and subnet. You must define the associated port as dynamic: if the port has a static VLAN assignment, URT does not override that assignment. (To change port state on the switch to dynamic, use the CWSI Campus UserTracking application available in CiscoWorks2000.)

You can only use URT with Windows 95, Windows 98, and Windows NT 4 clients on a Microsoft Networking or Novell NetWare network running over TCP/IP using the dynamic host control protocol (DHCP) to dynamically assign IP addresses. Windows 3.x, UNIX, Macintosh, and OS/2 clients, or non-TCP/IP networks, are not supported.


Note: If a Windows 3.x user logs into the NT network, URT does not handle the logon. URT does not interfere with the user's normal NT logon, and you should see no networking problems for Windows 3.x users that are due to the presence of URT. You can use MAC address-based VLANs with Windows 3.x, UNIX, Macintosh, and OS/2 clients; URT does not interfere in the operation of those clients.


These topics are covered:

What Normally Happens When a User Logs Into the Network?

After URT is installed and running on your NT or Novell Directory Services (NDS) domain, it intercepts user logons to the domain. Using the URT database (which is the ANI server used by CWSI Campus), the user is assigned to an appropriate VLAN and subnet, and the user automatically obtains a new IP address in the correct subnet from the DHCP server.

URT servers act as VLAN membership policy servers (VMPS), in server mode, for the switches in your network, replacing switch-based VMPS servers. (Switches must continue to run the VMPS client in order to communicate with the URT servers.)

While URT is switching the user to the mapped VLAN, users are placed in a logon VLAN that you define in URT. The logon VLAN functions as a default VLAN, so that any unmapped users can still obtain network connectivity. The logon VLAN ensures that URT does not prevent users from connecting to your network.

The URT logon process is transparent to the user. However, to manage user logon and logoff processes transparently, URT starts some services on the client machines. Users may notice that these services are running if they look at the Windows NT task manager, for example. But these services should not significantly affect the performance of the user's machine.

Also, users are only assigned to their associated VLAN if they are connecting to the network through a dynamic switch port. Table 1-1 shows the relationship between the URT VLAN mapping, the switch port state, and the resulting VLAN.

Table 1-1   How Users Are Placed in VLANs Using URT

User Mapped to VLAN in URT? | Switch Port State | Resulting VLAN
Yes | Dynamic | VLAN association defined in URT
Yes | Static | VLAN defined on switch port
No | Dynamic | Logon VLAN defined in URT for the switch's VTP domain
No | Static | VLAN defined on the switch port

What Happens to User Logons If URT Servers Are Disabled?

While URT is switching the user to the mapped VLAN, users are placed in a logon VLAN that is defined in URT. The logon VLAN functions as a default VLAN, so that any unmapped users can still obtain network connectivity. The logon VLAN ensures that URT does not prevent users from connecting to your network.

You can further protect your network by using more than one URT server to provide fault tolerance. By using more than one URT server, you ensure network connectivity even if a URT server becomes unavailable due to a system crash, reboot, or other failure on the server machine. To attain this fault tolerance, you must install more than one URT server, and alternate which URT server is used as the primary and secondary VMPS servers for the switches in your network. These considerations are discussed in greater detail in "Deploying User Registration in Your Network" and "Configuring the Switches to Use the URT Server as the VMPS Server" (in Chapter 5).


Note: The failure of one URT server is not recognized by the switches for approximately five minutes. During this time, user logons through switches that use the failed server as the primary VMPS server fail until VMPS detects that the URT server is no longer available.


If all URT servers fail, users connected to switches that use the failed URT servers are placed in the default VLAN defined on the switch (for static ports), or the VLAN to which they are currently connected (for dynamic ports). If a user is connected to a dynamic port, and reboots (or initially turns on) their machine while all URT servers are down, that user will not be connected to any VLAN. This is the only case in which URT can prevent a user connection to the network.

Network Requirements for User Registration

This section describes the requirements your network must meet in order to install and use URT. These topics are covered:

Which Switches Does URT Support?

In order for URT to place a user in the correct VLAN based on user name, the user's computer must be directly attached to a port on one of the switches listed in Table 1-2.

You must configure the VLAN membership for ports on these switches as dynamic. (URT tracks users on static ports, but does not dynamically place these users in a VLAN.) Use the CWSI Campus UserTracking application, or the switch's commands, to change port state.

Table 1-2   Switches Supported by URT

Switch | Minimum Software Version
Catalyst 1900 series | 8.01.02(5)
Catalyst 2820 switch | 8.01.02(5)
Catalyst 2900 series XL switches | 11.2(8) SA5
Catalyst 2926 series | 3.3
Catalyst 2948G | 5.1(1)
Catalyst 4000 series | 5.1(1)
Catalyst 5000 series (including 5002 and 5500) | 4.3 (1a)

What Are the Hardware and Software Prerequisites for Installing URT?

Table 1-3 lists the products that you must have installed on your network in order to install and use URT.

Table 1-3   Prerequisites for Installing and Using URT

DHCP server

Requirements: Any standards-compliant dynamic host control protocol (DHCP) server should work. URT has been tested with:

  • Microsoft DHCP Server
  • Cisco DHCP/DNS Server (CDDM)
  • American Internet Network Registrar 1.2 and 2.0
  • Cisco Network Registrar

Notes: The DHCP server is required so that users can obtain a dynamically generated IP address that belongs to the correct VLAN. Clients must use DHCP in order to use the URT client service.

CWSI Campus (part of CiscoWorks2000)

Requirements: Version 2.3, part of CiscoWorks2000, for Windows NT

Notes: URT uses the ANI server supplied by CWSI Campus. You can only use URT with the Windows NT version of CWSI Campus.

Domain controller

Requirements: Any of these:

  • Windows NT Server 4.0
  • Novell NetWare 5.0 running the IP stack with the Z.E.N. Works Starter Pack

Notes: You can use both NT and NetWare domain controllers.

What Hardware and Software Are Required for URT?

Table 1-4 lists the hardware and software required for installing and using URT.

Table 1-4   Hardware and Software Requirements for URT

URT management interface

Requirement:

  • Windows NT 4.0 with Service Pack 4
  • 10 MB disk space
  • Netscape Navigator version 4 or higher, or Microsoft Internet Explorer version 4 or higher, is required for viewing the online help
  • At least one of:
    • Client for Microsoft Networking, if you are using URT for NT logons
    • Novell NetWare Client 4.6 (or later), if you are using URT for NetWare logons.

Notes: CWSI Campus must be installed on the machine. URT does not have hardware requirements in addition to those for CWSI Campus.

URT server

Requirement:

  • Windows NT 4.0, workstation or server, with Service Pack 4
  • Pentium 200 MHz or faster
  • 128 MB RAM or more
  • 15 MB disk space
  • At least one of:
    • Client for Microsoft Networking, if you are using URT for NT logons
    • Novell NetWare Client 4.6 (or later), if you are using URT for NetWare logons.

Notes: Do not install on the same machine as your primary domain controller, your DHCP server, or your CWSI Campus machine (for network performance considerations). Cisco recommends that you install this on a dedicated machine. The URT server acts as a VMPS server.

URT client service

Requirement:

  • Windows 95
  • Windows 98
  • Windows NT 4.0 workstation or server with Service Pack 3 or higher

Notes: Clients must be running:

  • TCP/IP using DHCP to obtain IP addresses. You must use TCP/IP—you cannot use IPX or NetBIOS only.
  • At least one of:
    • Windows Networking (NetBIOS or Client for Microsoft Networks)
    • Novell NetWare Client 4.6 (or later) for Windows NT clients
    • Novell NetWare Client 3.0.1 (or later) for Windows 95 or Windows 98 clients.

How User Registration Fits Into Your Network

This section explains the relationship between URT and these items in your network:

These sections contain detailed information:

Understanding User Registration's Relationship to the Network

Figure 1-1 shows an example of the various network elements required for user registration using URT. It shows the relationship between the required network resources and URT. This graphic is a generalization: you do not have to place all of these machines on the same network segment.


Figure 1-1   User Registration's Role in the Network

URT resides in these places in the network:

Understanding Normal Logon Processing

In order to dynamically assign users to VLANs based on user name, the URT server replaces the standard switch-based VMPS server.

Figure 1-2 shows what normally happens when you are using dynamic VLANs with switch-based VMPS servers.


Figure 1-2   Switch-based VMPS Processing

In switch-based VMPS processing, the logon process follows this path when a user boots a workstation on a dynamic switch port (initially, the port is not in a VLAN):

1. The workstation broadcasts a DHCP request to the network.

2. Once the switch sees the first network packet coming through the port connected to the workstation, it queries the switch-based VMPS server to determine the appropriate VLAN for the workstation, based on the MAC address on the workstation's network interface card.

3. The switch changes the VLAN on the port to the correct VLAN.

4. The switch forwards the DHCP request to the DHCP server.

5. The DHCP server leases an IP address to the workstation from the correct VLAN.

Figure 1-3 shows what happens when you insert URT into the VMPS picture.


Figure 1-3   URT-based VMPS Logon Processing

With URT added to the network, the logon process follows this path:

1. The user is placed in the logon VLAN:

    (a). The workstation broadcasts a DHCP request to the network.

    (b). Once the switch sees the first network packet coming through the port connected to the workstation, it queries the URT server, which acts as the VMPS server, to determine the logon VLAN for the workstation. The logon VLAN is defined for the VTP domain in which the switch resides.

    (c). The switch changes the VLAN on the port to the logon VLAN.

    (d). The switch forwards the DHCP request to the DHCP server.

    (e). The DHCP server leases an IP address to the workstation from the logon VLAN.

2. The user is placed in the mapped VLAN:

    (a). The user logs onto the domain controller and the URT logon script is run.

    (b). The URT client on the workstation sends a logon message to the URT server automatically.

    (c). The URT server determines the correct VLAN for the user based on user, group, or organizational unit name assignments. If the switch port is not in the correct VLAN, the server sends a message to the switch to change the VLAN on the port. The server tells the URT client on the workstation whether the port needed to be changed.

    (d). The switch changes the VLAN on the port to the correct VLAN, if necessary.

If the message from the URT server to the URT client indicates that the VLAN on the switch was not changed, URT logon processing is finished.

3. The user's IP address is changed based on the mapped VLAN:

    (a). The URT client issues a DHCP release and renew request to the DHCP server.

    (b). The DHCP server releases the old IP address and issues a new one to the workstation.

    (c). The URT client on the workstation sends a logon message to the URT server.

    (d). The URT server determines the correct VLAN for the user based on user, group, or organizational unit name assignments. If the switch port is not in the correct VLAN, the server sends a message to the switch to change the VLAN on the port. The server tells the URT client on the workstation whether the port needed to be changed.

    (e). Unless you have changed the VLAN assignment for the user while the user was logging in, the correct VLAN is already set on the switch, and URT processing ends. If you have changed the VLAN assignment, then the switch changes the VLAN on the port to the correct VLAN, and step 3 is repeated.

Understanding Normal Logoff Processing

Figure 1-4 shows what happens when a user logs off the network with URT installed:


Figure 1-4   URT-based VMPS Logoff Processing

With URT added to the network, the logoff process follows this path:

1. The workstation's switch port is placed in the logon VLAN:

    (a). The user logs off the domain controller.

    (b). The URT client on the workstation detects the logoff and sends a logoff message to the URT server.

    (c). The URT server sends a message to the switch if the port is not already in the logon VLAN, and tells the URT client on the workstation whether the port needed to be changed.

    (d). The switch changes the VLAN on the port to the logon VLAN, if necessary.

2. If the response from the URT server indicates that the VLAN on the port is changed, the URT client releases the workstation's IP address and requests a new one. The URT client repeats this release/renew procedure until the message from the URT server indicates that the VLAN on the port was not changed.

If the client is Windows NT and is using Microsoft Networking, and you have configured URT so that logged off clients do not maintain an IP address, the workstation does not ask the DHCP server for a new IP address after releasing its address.

What Happens When a User with Both NT and NDS Names Logs In?

If you support both Windows NT and Novell NetWare networking, you might have users with both NT and NDS user names. These users might also belong to a set of NT groups or NDS organizational units.

If a user has multiple logon names, it is possible for you to map a single user to multiple domains. However, it is not possible for a machine to be part of more than one VLAN at a time. If a user logs onto both Microsoft Networking and NetWare networks, URT uses whichever logon comes first to determine the VLAN.

This is how URT assigns VLANs based on your mappings for each type of logon:

    (a). If the NDS user name is mapped to a VLAN, switch to the selected VLAN.

    (b). Otherwise, if the user is a member of an NDS organizational unit that is mapped to a VLAN, switch to the unit's VLAN.

URT checks VLAN mappings for organizational units for the user from the unit that directly contains the user to successive units up the NDS tree. For example, if your organizational units for user Ken are Ken.California.USA.NorthAmerica, URT uses the mappings in this order: Ken, California, USA, NorthAmerica. In this example, the organizational unit California contains the user Ken; the unit USA contains California; the unit NorthAmerica contains USA.

    (c). Otherwise, use the default VLAN for the VTP domain.

    (a). If the NT user name is mapped to a VLAN, switch to the selected VLAN.

    (b). Otherwise, if the user's primary NT group is mapped to a VLAN, switch to the group's VLAN.

    (c). Otherwise, if the user is a member of an NT group that is mapped to a VLAN, switch to the group's VLAN. (Choose the first group in the groups list, scanning from top to bottom, that has a VLAN mapping.)

    (d). Otherwise, use the default VLAN for the VTP domain.
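
The precedence rules above, combined with the port-state rule from Table 1-1, can be modelled in a few functions. This is an added example, not code from URT or Cisco; the `DomainPolicy` class, the function names, and the sample mappings are constructed for illustration, and the "default VLAN for the VTP domain" is taken to be the logon VLAN defined for that domain.

```python
from dataclasses import dataclass, field


@dataclass
class DomainPolicy:
    """Constructed stand-in for the URT mappings of one VTP domain."""
    logon_vlan: str
    nds_users: dict = field(default_factory=dict)   # NDS user name -> VLAN
    nds_units: dict = field(default_factory=dict)   # organizational unit -> VLAN
    nt_users: dict = field(default_factory=dict)    # NT user name -> VLAN
    nt_groups: dict = field(default_factory=dict)   # NT group name -> VLAN


def resolve_nds(policy, nds_name):
    """Resolve a dotted NDS name, e.g. 'Ken.California.USA.NorthAmerica'."""
    user, *units = nds_name.split(".")
    if user in policy.nds_users:
        return policy.nds_users[user], "NDS user " + user
    # Units are listed from the one that directly contains the user upward,
    # so the first mapped unit is the closest one in the tree.
    for unit in units:
        if unit in policy.nds_units:
            return policy.nds_units[unit], "NDS unit " + unit
    return policy.logon_vlan, "unmapped"


def resolve_nt(policy, user, primary_group, groups):
    """Resolve an NT logon: user, then primary group, then first mapped group."""
    if user in policy.nt_users:
        return policy.nt_users[user], "NT user " + user
    if primary_group in policy.nt_groups:
        return policy.nt_groups[primary_group], "NT primary group " + primary_group
    for group in groups:  # scanned top to bottom; the first mapped group wins
        if group in policy.nt_groups:
            return policy.nt_groups[group], "NT group " + group
    return policy.logon_vlan, "unmapped"


def resolve_first_logon(policy, logons):
    """Only the first logon counts when a user logs on to both NT and NDS.

    `logons` is an ordered list of ('nds', name) or
    ('nt', user, primary_group, groups) tuples.
    """
    kind, *args = logons[0]
    if kind == "nds":
        return resolve_nds(policy, *args)
    return resolve_nt(policy, *args)


def port_vlan(port_state, vlan_on_port, urt_vlan):
    """Table 1-1: URT's answer is applied only on dynamic ports."""
    return urt_vlan if port_state == "dynamic" else vlan_on_port


# Constructed sample policy for one VTP domain.
SAMPLE = DomainPolicy(
    logon_vlan="LOGON",
    nds_units={"USA": "VLAN_USA", "NorthAmerica": "VLAN_NA"},
    nt_users={"ken": "VLAN_KEN"},
    nt_groups={"Engineering": "ENG", "Staff": "STAFF"},
)

if __name__ == "__main__":
    vlan, why = resolve_nds(SAMPLE, "Ken.California.USA.NorthAmerica")
    print("NDS logon:", vlan, "via", why)
    vlan, why = resolve_nt(SAMPLE, "ann", "Domain Users", ["Staff", "Engineering"])
    print("NT logon:", vlan, "via", why)
    print("Static port keeps:", port_vlan("static", "VLAN10", vlan))
```

Running the resolver over an export of your real mappings shows which users fall through to the logon VLAN and which group decides a user's VLAN when several groups are mapped.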

What Happens If an Unmapped User Logs In?

If you do not map a user to a particular VLAN, the user is assigned a VLAN according to these rules:

What Happens When a User Logs In Over a Serial Connection?

URT can only switch users into VLANs if the user machines are directly connected to a supported switch. Because users connecting over serial lines are not connected to switches of the appropriate type, URT does not handle or otherwise affect these users. Their network connections will remain unchanged after you deploy URT in your network.

What Happens When a User Logs In from a Remote Office?

In URT, you can map a user to one VLAN per VTP domain. If you have separate VTP domains in each remote office, you can create an appropriate association for your mobile users for each office they are likely to visit.

If you do not create a specific association for each VTP domain for a mobile user, that user is placed in the URT logon VLAN when connecting to your network in a VTP domain that does not have a specific association. Alternately, if the user belongs to an NT group or NDS organizational unit that has a VLAN association in the domain, the user is placed in the VLAN defined for the group or unit.

You need to decide in which VTP domains a user should have a specific VLAN association. The logon VLAN you create for each VTP domain might be sufficient for your mobile users, in which case you will not need to create associations for each mobile user for every VTP domain.

How are Users Connected to Static Switch Ports Handled?

If a user's machine is directly connected to a static switch port, that is, a port that is assigned to a specific VLAN, the user remains in the VLAN defined on the switch, even if you map the user to another VLAN in URT.

URT does not override static VLAN assignments on switch ports. However, URT does update the UserTracking tables in CWSI Campus with details about the user.

Deploying User Registration in Your Network

Before deploying URT in your network, you need to consider the following for placement of the URT servers:

Rules of Thumb for URT Configuration Design

You need to consider only two significant factors in designing your URT configuration:

Network traffic is not a major consideration. URT traffic will be heavy during normal user logon windows, but otherwise there will be very little URT traffic.

Cisco recommends that you follow these rules of thumb:

1. Do not allow logon traffic to cross WAN links. To limit the traffic to the local network, ensure that all switches on the local network point to local URT servers for use as VMPS servers.

2. Balance the VMPS load among the URT servers. To balance the load, ensure that only a portion of the switches in your network use a given URT server as the primary VMPS server. For example, if you have three URT servers, divide your switches into three groups, and assign each group a different URT server to use as the primary VMPS server. Use the other URT servers as secondary VMPS servers.

3. Install at least two URT servers per local network, preferably three URT servers. Having more than one server ensures that the failure of one URT server does not affect network logons. The more URT servers you have, the greater the fault tolerance.

4. If you have an exceptionally large number of users, consider adding more than three URT servers. Because you can only configure a switch to use three VMPS servers, not all switches will point to the same set of URT servers.

5. Do not configure the switches to use a mixture of URT servers and switch-resident VMPS servers. The switch-resident VMPS servers cannot have the same VLAN mappings as the URT servers, so you will not get consistent results on user logons if you mix these types of VMPS servers.

6. Do not use the management VLAN as the URT logon VLAN. The management VLAN includes the IP addresses of the switches, and is usually VLAN 1.
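
The six rules of thumb can be checked mechanically against an inventory of switches and VMPS servers before rollout. The following is an added example, not Cisco tooling; the inventory layout, the `site` and `kind` fields, and all device names are constructed, and rule 2 is approximated as "primary assignments within a site differ by at most one between URT servers".

```python
from collections import Counter

MAX_VMPS_PER_SWITCH = 3  # limit stated in rule 4


def lint(servers, switches, logon_vlans, mgmt_vlans=("1",)):
    """Return sorted (rule_number, subject) findings for the six rules."""
    findings = set()
    primaries = Counter()
    for name, sw in switches.items():
        vmps = sw["vmps"]  # ordered list, primary VMPS server first
        kinds = {servers[s]["kind"] for s in vmps}
        if any(servers[s]["site"] != sw["site"] for s in vmps):
            findings.add((1, name))   # logon traffic would cross a WAN link
        if sum(servers[s]["kind"] == "urt" for s in vmps) < 2:
            findings.add((3, name))   # a single URT failure stops logons
        if len(vmps) > MAX_VMPS_PER_SWITCH:
            findings.add((4, name))   # more servers than a switch accepts
        if len(kinds) > 1:
            findings.add((5, name))   # URT mixed with switch-resident VMPS
        if vmps:
            primaries[vmps[0]] += 1
    # Rule 2: within a site, spread the primary role over all URT servers.
    for site in {s["site"] for s in servers.values()}:
        loads = [primaries[n] for n, s in servers.items()
                 if s["site"] == site and s["kind"] == "urt"]
        if loads and max(loads) - min(loads) > 1:
            findings.add((2, site))
    # Rule 6: the logon VLAN must not be the management VLAN.
    for vtp, vlan in logon_vlans.items():
        if str(vlan) in mgmt_vlans:
            findings.add((6, vtp))
    return sorted(findings)


# Constructed inventory: a headquarters site and one branch office.
SERVERS = {
    "urt-hq-1": {"site": "hq", "kind": "urt"},
    "urt-hq-2": {"site": "hq", "kind": "urt"},
    "urt-hq-3": {"site": "hq", "kind": "urt"},
    "urt-br-1": {"site": "branch", "kind": "urt"},
    "sw-vmps-br": {"site": "branch", "kind": "switch"},
}
SWITCHES = {
    "hq-sw1": {"site": "hq", "vmps": ["urt-hq-1", "urt-hq-2", "urt-hq-3"]},
    "hq-sw2": {"site": "hq", "vmps": ["urt-hq-1", "urt-hq-3", "urt-hq-2"]},
    "hq-sw3": {"site": "hq", "vmps": ["urt-hq-1", "urt-hq-2", "urt-hq-3"]},
    "br-sw1": {"site": "branch", "vmps": ["urt-br-1", "sw-vmps-br"]},
    "br-sw2": {"site": "branch", "vmps": ["urt-hq-1", "urt-br-1"]},
}
LOGON_VLANS = {"VTP-HQ": "100", "VTP-BR": "1"}

if __name__ == "__main__":
    for rule, subject in lint(SERVERS, SWITCHES, LOGON_VLANS):
        print("rule", rule, "violated by", subject)
```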

Example 1: Basic URT Configuration Over a WAN

Figure 1-5 shows the recommended configuration for URT when used across a wide area network (WAN). Begin by installing three URT servers in each local network that has what you consider a moderately large or larger user base. Divide your switches into three groups, and make each URT server the primary VMPS server for one group of switches. Use the other URT servers as the secondary VMPS servers for each group of switches.

In smaller offices, install two URT servers (for fault tolerance), and divide the switches into two groups (if there is more than one switch).

For large offices, consider adding URT servers if you see a significant difference between logon time with URT installed compared to logon time without URT installed. With load balancing among the URT servers, URT should not have a significant impact on user logon time.


Figure 1-5   Deploying URT In Your Network: Example

Example 2: Limiting Unauthorized Use of a Network

Through the use of VTP domains, VLANs, and URT, you can segment your network so that your users can only connect to the network in buildings (or other segments) in which they are authorized.

Consider a typical campus network as shown in Figure 1-6.


Figure 1-6   Limiting Unauthorized Usage of a Network

In this example, the switch management domains, or VTP domains, are VTP1, VTP2, and VTP3. These domains correspond to the network in one building: VTP1 in Building 1, VTP2 in Building 2, VTP3 in Building 3. These domains terminate at the layer 3 switch that ties the networks together, because a VTP domain cannot span a router or layer 3 link.

In this example, you have two groups of users: Marketing and Engineering. These groups are defined either in an NT domain controller or an NDS directory (in which case the groups are organizational units), and all users belong to one group or the other. You want to limit Marketing to Building 1, and limit Engineering to Buildings 2 and 3.


Step 1   In each VTP domain, create these VLANs using CiscoWorks2000 VlanDirector or the switch's commands:

Step 2   Disable the DEADEND VLAN on all the trunking ports on the wiring closet switches. This prevents users on the DEADEND VLAN from connecting to network resources outside the specific wiring closet switch to which they are attached.

Step 3   In URT, make these VLAN assignments (you must first add the NT or NDS domain to URT):

Group or Organizational Unit | VTP1 | VTP2 | VTP3
Marketing | MKTG | DEADEND | DEADEND
Engineering | DEADEND | ENG | ENG

Make the DEFAULT VLAN the URT logon VLAN for each VTP domain.

Now, if a Marketing user connects to the network in VTP2 (in Building 2) with Laptop A, this is what happens:

1. The user logs into the NT domain or NDS directory. The user is initially given an IP address from the default pool and assigned to the DEFAULT VLAN.

2. URT switches the user into the DEADEND VLAN.

3. Because the DEADEND VLAN is not available over the trunking ports, the DHCP server cannot assign an IP address to the user. Without an IP address, the user cannot use the network. You have effectively prevented the user from gaining access to the network.

If the Marketing user connects to the network in Building 1 using Laptop A, the user successfully connects to the network and is assigned to the MKTG VLAN.

Preparing Your Network for User Registration

URT requires that your network already be set up to use TCP/IP with DHCP, Microsoft Networking (including established NT domains) or NetWare, Catalyst switches, and VLANs. Before you install URT, ensure that your network is configured appropriately.

If you have not set up Microsoft Networking or Novell NetWare, see the product documentation for instructions. The following sections discuss other requirements your network should meet before installing URT:

Installing CWSI Campus (CiscoWorks2000)

You must install the CWSI Campus application from the CiscoWorks2000 suite on Windows NT before you install URT. The URT management interface must be installed on the same machine as CWSI Campus. URT uses the ANI server provided with CWSI Campus as the database for user-name-to-VLAN associations.

Because URT requires write access to the switches on the network in order to set the VMPS configuration on the switches, you must set up the correct SNMP write community strings for the switches in CWSI Campus (in the ANI server). See the CWSI Campus documentation for information on setting up SNMP for CWSI Campus.

See "What Are the Hardware and Software Prerequisites for Installing URT?" for information on which version of CWSI Campus is required.

Creating the VLANs

URT only works with VLANs. You should already have a network configured for VLANs before installing URT. This publication does not describe the details of setting up VLANs or of planning an effective VLAN or VTP domain design.

If you do not have VLANs defined on your network, you must first configure your switches for VLANs. Some Catalyst switches can share VLAN definitions through InterSwitch Links (ISL) or trunking.

Use the CWSI Campus VlanDirector application to create the VLANs. You must also have established VTP domains before creating the VLANs. You can create VTP domains either by using commands on the switch or by using the CiscoView application.

For details about creating VLANs and VTP domains, see these publications:

Defining Switch Ports as Dynamic

When setting up switch ports for VLAN membership, you can set the ports as dynamic or static, depending on your other requirements.

If the switch port is static, URT does not dynamically assign the user to a VLAN; instead, the user is assigned to the VLAN defined for the port. URT does track user information for static ports and updates the CWSI Campus UserTracking table.

Dynamic ports are used for dynamically assigning VLANs based on user name (for names mapped in URT), or by MAC address (for addresses mapped using the CWSI Campus UserTracking application). You must define ports as dynamic if you want URT to apply your user name to VLAN mapping, placing the user in the desired VLAN.

If you are not already using MAC-based dynamic VLANs, change port states on the switches during URT configuration. See "Change Switch Port State to Dynamic" in Chapter 2 for more information.

Use UserTracking, CiscoView, or switch commands to change the state of switch ports from static to dynamic.


Note: If you are using MAC-based dynamic VLANs, and a user does not get a VLAN association from URT (either based on user name or MAC-address), the user is placed in the logon VLAN as defined in URT. If there is no logon VLAN, and the port is in secure mode, the port is shut down and access to the network is denied.


Connecting User Machines Directly to Switches

URT can only dynamically assign a VLAN to users whose machines are directly connected to a dynamic port on a supported switch. There must be no other network hardware between the user and the switch. For example, if the user has a hub on their desk, with several machines connected to the hub, URT does not handle requests coming from those hub-connected machines even if the hub is connected to a supported switch port.

To ensure that URT handles each user, make sure that each work area has sufficient connections so that hubs are not required. This might be as simple as replacing hubs with switches, or could involve running more lines to the user's desk.

Configuring DHCP

If you do not already use DHCP to dynamically assign IP addresses to user workstations, install and configure DHCP before installing URT. URT only affects machines that use DHCP to acquire an IP address. See the documentation supplied with your DHCP server for information on setting up the server.

Setting Up Subnets

Configure your DHCP server to support all subnets defined on your network. Make sure that you have adequate IP addresses in the subnet used by the VLAN you plan to define as the URT logon VLAN for each VTP domain for all DHCP-supported machines in your network. If you do not have an adequate number of IP addresses in the logon VLAN's subnet, users may experience delays or failures during NT or NDS domain logon and logoff, because they will not be able to obtain the required IP address.

You must also allow this traffic access to all subnets (these settings are defined on the routers in your network):

Configuring Client Machines to Use DHCP

If you are using Microsoft's TCP/IP software, to change user machines to use DHCP to obtain an IP address:


Step 1   Right-click Network Neighborhood and select Properties, or open the Network Control Panel.

Step 2   Open the TCP/IP protocol properties page.

Step 3   Select Obtain an IP address from a DHCP Server, and click OK.

Step 4   Click OK on the Network Control Panel, and reboot if required.

If you are using another vendor's TCP/IP software, follow the instructions provided with your software to configure the machine to use DHCP.

Using URT with CWSI Campus UserTracking

The CWSI Campus UserTracking application not only tracks the status of clients on the network, it also allows you to create dynamic VLAN mappings by associating a MAC address with a VLAN. (The MAC address belongs to the network interface card on the client machines, and is used by networking protocols to deliver data packets to the correct clients.)

This MAC-based VLAN mapping does not account for users connecting to the network on multiple machines. Because you are associating machines to VLANs instead of users, a user could subvert any VLAN-based security you have defined. With URT, VLAN assignments are based on the user name, so that users end up in the appropriate VLAN even when they log into the network from different machines.

Because both URT and UserTracking allow you to make dynamic VLAN assignments, there are several restrictions and other considerations that you must keep in mind as you integrate URT into your network:

If you do not fully deploy URT in your network, that is, you continue to use switch-based VMPS servers for some network segments, you can continue to use UserTracking to save mappings to TFTP servers and subsequently, to the switch-based VMPS servers. If you do not fully deploy URT on your network, Cisco recommends that you keep a clean partition between switches that use URT servers as VMPS servers, and switches that use switch-based VMPS servers.

NT_DOMAIN_NAME\username

NDS_TREE\username.context


Posted: Wed May 14 10:42:14 PDT 2003
All contents are Copyright © 1992--2003 Cisco Systems, Inc. All rights reserved.