
Planning for URT


The User Registration Tool (URT) application can simplify your network management, but to use the application, you must already have your network set up to use VLANs along with Windows 2000, Windows NT, or Novell NetWare. This chapter explains the planning considerations for deploying user registration in your network.

Configuration

You need to consider two significant factors in designing your URT configuration:

Network traffic is not a major consideration. URT traffic will be heavy during normal user logon times, but otherwise there will be very little URT traffic.

Recommendations:

1. Deploy your DHCP servers and domain servers as if URT were not involved. URT is complementary to existing user logon infrastructure.

2. Do not allow logon traffic to cross WAN links. To limit the traffic to the local network, make sure that all switches on the local network point to local URT VPSs.

3. Balance the load among the URT VPSs. To balance the load, make sure that only a portion of the switches in your network use a given URT VPS as the primary server. For example, if you have three servers, divide your switches into three groups, and assign each group a different server to use as the primary server. Use the other servers as secondary servers.

4. Install at least two (preferably three) URT VPSs per local network. Having more than one server ensures that the failure of one does not affect network logons. The more servers you have, the greater the fault tolerance.

5. If you have an exceptionally large number of users, consider adding more than three servers. Because you can configure a switch to use only three servers, not all switches will point to the same set of servers.

6. Do not configure the switches to use a mixture of URT VPSs and switch-resident VMPS servers. The switch-resident VMPS servers should be used only in networks without URT VPSs and when host-based VLANs are sufficient.

7. Do not use the management VLAN as the URT logon VLAN. The management VLAN includes the IP addresses of the switches, carries SNMP and other network management traffic, and is usually VLAN 1.
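The sketch below is an added example, not part of the original Cisco documentation. It rotates the primary URT VPS across the switches of one local network and then checks a plan against recommendations 2 through 5 and 7. The switch names, server names, site labels and data layout are constructed for illustration.

```python
# Added example: all names, sites and the data layout are constructed.
MAX_SERVERS_PER_SWITCH = 3   # a switch can be configured to use only three servers
MIN_VPS_PER_SITE = 2         # at least two (preferably three) VPSs per local network


def plan_site(switches, vps_list):
    """Return {switch: [primary, secondary, ...]} for one local network."""
    if len(vps_list) < MIN_VPS_PER_SITE:
        raise ValueError("need at least two URT VPSs for fault tolerance")
    n = len(vps_list)
    width = min(n, MAX_SERVERS_PER_SWITCH)
    plan = {}
    for i, sw in enumerate(sorted(switches)):
        # Start the rotation at a different server for each switch so the
        # primaries are spread evenly; the servers that follow are secondaries.
        plan[sw] = [vps_list[(i + k) % n] for k in range(width)]
    return plan


def audit_site(plan, site, vps_site, logon_vlan, mgmt_vlan=1):
    """Return findings for one site's plan; an empty list means no issues."""
    findings = []
    if logon_vlan == mgmt_vlan:
        findings.append("logon VLAN is the management VLAN")
    local = [v for v, s in vps_site.items() if s == site]
    if len(local) < MIN_VPS_PER_SITE:
        findings.append(f"{site}: fewer than two local VPSs")
    primaries = dict.fromkeys(local, 0)
    for sw, servers in sorted(plan.items()):
        if len(servers) > MAX_SERVERS_PER_SWITCH:
            findings.append(f"{sw}: more than three servers")
        for s in servers:
            if vps_site.get(s) != site:
                findings.append(f"{sw}: {s} is not on the local network")
        if servers and servers[0] in primaries:
            primaries[servers[0]] += 1
    if primaries and max(primaries.values()) - min(primaries.values()) > 1:
        findings.append(f"{site}: primary load is unbalanced {primaries}")
    return findings


if __name__ == "__main__":
    plan = plan_site([f"sw{i}" for i in range(1, 7)], ["vpsA", "vpsB", "vpsC"])
    sites = {"vpsA": "hq", "vpsB": "hq", "vpsC": "hq"}
    print(plan)
    print(audit_site(plan, "hq", sites, logon_vlan=100))
```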

Configuring Basic URT Over a WAN

The VLAN configuration you would put in place to partition network traffic is the same configuration you should use when you install URT. URT adds user registration to the basic traffic partitioning provided by VLANs.

Figure 2-1 shows the recommended configuration for URT when used across a WAN. Begin by installing three URT VPSs in each local network that has what you consider at least a moderately large user base. Divide your switches into three groups, and make each URT VPS the primary server for one group of switches. Use the other servers as the secondary servers for each group of switches.

In smaller offices, install two URT VPSs (for fault tolerance), and if there is more than one switch, divide the switches into two groups.

For large offices, consider adding URT VPSs if you see a significant difference between logon time with URT installed compared to logon time without URT installed. With load balancing among the servers, URT should not have a significant impact on user logon time.

If a user needs to log on from multiple locations separated by a WAN, you will need to configure that user to access the domain server in the remote location. Typically, you should map a user domain to a VTP domain.


Figure 2-1   Deploying URT in Your Network


Limiting Unauthorized Use of a Network

Through the use of VTP domains, VLANs, and URT, you can segment your network so that your users can connect to the network only in buildings (or other segments) in which they are authorized.

Consider a typical campus network as shown in Figure 2-2.


Figure 2-2   Limiting Unauthorized Use of a Network


In this example, the switch management domains, or VTP domains, are VTP1, VTP2, and VTP3. Each domain corresponds to a network in one building: VTP1 to Building 1, VTP2 to Building 2, and VTP3 to Building 3. These domains terminate at the Layer 3 switch that ties the networks together, because a VTP domain cannot span a router or Layer 3 link.

In this example, you have two groups of users: Marketing and Engineering. These groups are defined in an NT domain controller, a Windows 2000 domain server, or a Novell Directory Services (NDS) directory (in which case the groups are organizational units). Each user belongs to one of these groups.

To limit Marketing to Building 1, and limit Engineering to Buildings 2 and 3, you must do the following:

1. In each VTP domain, use CiscoWorks2000 VlanDirector or the switch command-line interface (CLI) to create these VLANs:

2. Disable the LOGON VLAN on all trunking ports on the wiring closet switches. This prevents users on the LOGON VLAN from connecting to network resources outside the specific wiring closet switch to which they are attached.

3. In URT, make the following VLAN assignments (you must first add the NT or NDS domain to URT).

| Group or Organizational Unit | VTP1 | VTP2 | VTP3 |
|---|---|---|---|
| Marketing | MKTG | Not allowed | Not allowed |
| Engineering | Not allowed | ENG | ENG |

Make the LOGON VLAN the URT logon VLAN for each VTP domain.

With these VLAN assignments, when a Marketing user tries to connect to the network in VTP2 (in Building 2) with Laptop A, the user logs on to the NT domain or NDS domain server. The user is initially assigned to the LOGON VLAN and given an IP address from the default pool in that VLAN. Because the Marketing user will not be able to authenticate to the domain server in Building 2, that user will never be granted access to the VTP2 network and will remain in the LOGON VLAN.

If the Marketing user tries to connect to the network in Building 1, using Laptop A, the user successfully connects to the network and is assigned to the MKTG VLAN.
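The Marketing/Engineering assignments above can also be expressed as data and used to audit a deployment. This is an added example, not part of the original documentation. The session records, trunk port names and data layout are constructed, and it assumes the allowed-VLAN list of each trunk and the VLAN each user ended up in have been exported by some other means.

```python
# Added example: the policy mirrors the table above; all sample data is constructed.
LOGON = "LOGON"
ASSIGNMENTS = {  # (group, VTP domain) -> VLAN; None means "Not allowed"
    ("Marketing", "VTP1"): "MKTG",
    ("Marketing", "VTP2"): None,
    ("Marketing", "VTP3"): None,
    ("Engineering", "VTP1"): None,
    ("Engineering", "VTP2"): "ENG",
    ("Engineering", "VTP3"): "ENG",
}


def vlan_after_logon(group, vtp_domain, assignments=ASSIGNMENTS):
    """VLAN a user ends up in: the group's VLAN, or LOGON if not allowed or unknown."""
    return assignments.get((group, vtp_domain)) or LOGON


def trunks_carrying_logon(trunk_ports):
    """Trunk ports whose allowed-VLAN set still includes the LOGON VLAN (step 2)."""
    return sorted(port for port, vlans in trunk_ports.items() if LOGON in vlans)


def audit_sessions(sessions, assignments=ASSIGNMENTS):
    """Return (user, domain, observed, expected) for sessions that break the policy."""
    findings = []
    for user, group, domain, vlan in sessions:
        expected = vlan_after_logon(group, domain, assignments)
        if vlan != expected:
            findings.append((user, domain, vlan, expected))
    return findings


if __name__ == "__main__":
    trunks = {  # constructed allowed-VLAN sets on wiring closet trunk ports
        "closet1:1/1": {"MKTG", "ENG"},
        "closet2:1/1": {"LOGON", "ENG"},
    }
    sessions = [  # constructed (user, group, VTP domain, VLAN observed)
        ("alice", "Marketing", "VTP1", "MKTG"),
        ("alice", "Marketing", "VTP2", "LOGON"),
        ("bob", "Marketing", "VTP2", "ENG"),
    ]
    print(trunks_carrying_logon(trunks))
    print(audit_sessions(sessions))
```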


Posted: Wed May 21 07:06:44 PDT 2003
All contents are Copyright © 1992--2003 Cisco Systems, Inc. All rights reserved.