Overview
  • 06 Jun 2022

Intelligent VLAN solves the problems with Wake on LAN and silent MAB devices in networks with RADIUS-based VLAN assignment. The problem is simple: the VLAN configured on the switch interface differs from the VLAN that is dynamically assigned to an endpoint during 802.1X/MAB authentication. The statically configured VLAN on a switch port takes effect when a device is turned off or deauthenticated.

This causes two problems:

Problem no. 1: Network management tools such as Microsoft Network Manager cannot wake up computers whose VLAN is dynamically assigned from ISE. They learn the computer's IP address in the user VLAN assigned from ISE, but when the computer turns off, the switchport reverts to its statically configured VLAN, so the management tools send magic packets into the wrong VLAN.
Solution: Intelligent VLANs configures the user VLAN statically on the switchport wherever the computer is detected. This keeps the assigned VLAN on the switchport, so WoL will work.

Problem no. 2: Every network has silent devices that simply do not send any packets, which makes them difficult to authenticate with MAB in networks with dynamic VLAN assignment. If such a device is logged out due to idle timeout, the VLAN configured on the switchport takes effect.
Solution: The iVLAN Module configures the correct VLAN on the switchport and keeps it when a device logs off from 802.1X. This helps the device authenticate, because it always responds to some ARP message.

How Intelligent VLANs work

It simply ties a switchport VLAN configuration to a MAC address. This means that when a device registered in the dVLAN Module connects and authenticates in the network, the iVLAN Module automatically connects to the switch and changes the access VLAN for the device (Active VLAN enabled).

If the device is turned off or deauthenticated due to idle timeout, XTENDISE starts the Disconnect Timeout. XTENDISE keeps the Active VLAN enabled on the interface until the Disconnect Timeout expires. This ensures that the device can be woken up with WoL or receive ARP messages, so silent devices can authenticate again.

When the Disconnect Timeout expires, XTENDISE assumes that the device is no longer connected to the network, connects to the switch, and reverts the original configuration (VLAN disabled) so that the interface meets the company standards.

The Disconnect Timeout is essential: it defines how long the Active VLAN configuration is kept on the interface after the device is turned off or deauthenticated. This value is configurable, and the default is 168 hours.
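
The lifecycle described above can be modelled in a few lines. This is an added example, not XTENDISE code: the class and function names, the port name, the MAC address and the VLAN numbers are constructed, and it assumes that re-authentication cancels a running Disconnect Timeout. The `drift` method gives an auditor's view of which ports currently deviate from the standard configuration and for how long.

```python
from dataclasses import dataclass
from typing import Optional

DISCONNECT_TIMEOUT_H = 168  # default Disconnect Timeout stated on this page

@dataclass
class Port:
    static_vlan: int                       # VLAN from the standard port config
    access_vlan: int                       # VLAN currently set on the port
    mac: Optional[str] = None              # MAC the Active VLAN is tied to
    offline_since: Optional[float] = None  # hour the session ended, if any

class IVlanModel:
    def __init__(self, ports, timeout_h=DISCONNECT_TIMEOUT_H):
        self.ports, self.timeout_h = ports, timeout_h

    def authenticated(self, name, mac, radius_vlan):
        # 802.1X/MAB success: pin the RADIUS VLAN; assumed to cancel the timer.
        p = self.ports[name]
        p.access_vlan, p.mac, p.offline_since = radius_vlan, mac, None

    def deauthenticated(self, name, now_h):
        # Power-off or idle timeout: keep the Active VLAN and start the timer.
        self.ports[name].offline_since = now_h

    def tick(self, now_h):
        # Revert every port whose Disconnect Timeout has expired.
        for p in self.ports.values():
            if p.offline_since is not None and now_h - p.offline_since >= self.timeout_h:
                p.access_vlan, p.mac, p.offline_since = p.static_vlan, None, None

    def drift(self, now_h):
        # Ports deviating from the standard config, with hours left before
        # revert (None while the device is still authenticated).
        out = {}
        for name, p in self.ports.items():
            if p.access_vlan != p.static_vlan:
                left = None if p.offline_since is None else self.timeout_h - (now_h - p.offline_since)
                out[name] = (p.mac, p.access_vlan, left)
        return out

def demo():
    # Constructed sample: static VLAN 999 on the port, RADIUS assigns VLAN 20.
    m = IVlanModel({"Gi1/0/5": Port(static_vlan=999, access_vlan=999)})
    m.authenticated("Gi1/0/5", "00:11:22:33:44:55", 20)
    m.deauthenticated("Gi1/0/5", now_h=10)
    m.tick(now_h=100)
    during = m.drift(now_h=100)  # still VLAN 20, so a magic packet reaches the host
    m.tick(now_h=178)            # 168 hours after going offline: port reverts
    return during, m.ports["Gi1/0/5"].access_vlan
```

Calling `demo()` returns the drift report taken 90 hours after power-off and the port's access VLAN after the timeout has expired.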