Authnet Update - Cisco Device Evaluation

In May 1998, I wrote a whitepaper describing a network authentication infrastructure that uses MAC address based VLANs to control who has access to a physical network. This infrastructure, referred to as AuthNet, would allow administrators to limit which machines use the network based on their MAC addresses. In our environment, this would allow us to limit who uses our wireless infrastructure, as well as provide a finer granularity of network access control in our dorms.

At this time, we've found that the AuthNet network is not possible with the existing Cisco product line. While Cisco provides most of the necessary functionality, they do not provide everything. The existing Cisco product line offers larger switches with IP routing capabilities (the 5000 line), which can also act as a VLAN Membership Policy Server (VMPS). The VMPS provides a mapping from MAC address to VLAN for other Cisco devices. The VMPS appears to be well suited to our needs, allowing us to update its information via TFTP and/or SNMP.

However, Cisco's end-user switches (the 1900 and 2800 lines), as well as their larger VMPS-capable switches, do not implement true MAC address based VLANs. They actually implement port-based VLANs, which use MAC addresses only to determine which VLAN a port should be part of. When the first packet comes through a port, the switch looks at the packet's source MAC address, asks the VMPS for a VLAN mapping, and moves the port to that VLAN. This check is done only for the first packet; all following packets (until the link goes down) will be placed on the same VLAN regardless of their MAC address.

This approach is not compatible with our AuthNet proposal. In a large bridged network, such as a wireless infrastructure, multiple MACs arrive over any single access point, and so over a single switch port. In our dorms, users may have more than one machine connected to a port. For these reasons, the Cisco VLAN implementations will not allow us to implement an AuthNet infrastructure.

Ryan Troll ryan+@andrew.cmu.edu August 1998
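As an added illustration (not part of the original memo), the following Python model contrasts the first-packet, port-based VLAN assignment described above with the per-MAC assignment AuthNet requires. The VMPS table, VLAN names and MAC addresses are constructed for the example; the models simplify the switches to the behaviour the memo describes.

```python
from dataclasses import dataclass, field

# Constructed VMPS table: MAC address -> VLAN name (illustrative values only).
VMPS_TABLE = {"00:00:0c:aa:aa:aa": "authorized", "00:00:0c:bb:bb:bb": "authorized"}
UNKNOWN_VLAN = "quarantine"   # assumed VLAN that unknown MACs are mapped to


def vmps_lookup(mac: str) -> str:
    """Model of a VMPS query: map a MAC address to its VLAN, or to a default."""
    return VMPS_TABLE.get(mac, UNKNOWN_VLAN)


@dataclass
class PortBasedDynamicVlanSwitch:
    """Behaviour the memo describes: a port takes the VLAN the VMPS returns for
    the FIRST frame seen on it and keeps that VLAN for every later frame,
    whatever its MAC, until the link goes down."""
    port_vlan: dict = field(default_factory=dict)

    def forward(self, port: int, src_mac: str) -> str:
        if port not in self.port_vlan:            # only the first frame is checked
            self.port_vlan[port] = vmps_lookup(src_mac)
        return self.port_vlan[port]               # sticky for all later frames

    def link_down(self, port: int) -> None:
        self.port_vlan.pop(port, None)            # a link drop is the only reset


class MacBasedVlanSwitch:
    """What AuthNet needs: every frame is placed by its own source MAC."""
    def forward(self, port: int, src_mac: str) -> str:
        return vmps_lookup(src_mac)


def run_scenario(switch, frames):
    """Push (port, src_mac) frames through a switch model; return (mac, vlan) pairs."""
    return [(mac, switch.forward(port, mac)) for port, mac in frames]


# Constructed scenario: one access point on port 1 bridging two stations,
# the first known to the VMPS and the second not.
FRAMES = [(1, "00:00:0c:aa:aa:aa"), (1, "00:00:0c:cc:cc:cc"), (1, "00:00:0c:aa:aa:aa")]

if __name__ == "__main__":
    print("port-based:", run_scenario(PortBasedDynamicVlanSwitch(), FRAMES))
    print("mac-based: ", run_scenario(MacBasedVlanSwitch(), FRAMES))
```

With the port-based model every frame on port 1 lands in "authorized" because the known station spoke first; with the per-MAC model the unknown station is placed in "quarantine" on its own. Reversing the order shows the opposite failure: the known station is stuck in the VLAN chosen for the unknown one until the link drops.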