This is the final post in this series on re-imaging in 802.1x networks. It ties the other posts together and contains the complete Altiris re-imaging script in one listing. Although I haven't covered it here, a post-image script is also required to set the switch port back to using dot1x after the image has been dropped onto the computer and the computer has joined the domain to obtain its authentication credentials.
The observant reader will have noticed that additional information is required before the previous five steps can be performed in a script: the MAC address of the computer, the re-imaging VLAN and the management IP address of the switch. Altiris provides variables that help obtain this information. The MAC address is provided directly as %NIC1MACADDR%. The management IP address of the switch and the re-imaging VLAN are not directly available, because Altiris has no knowledge of them. However, a network built to a standard allows the remaining two parameters to be calculated from the computer's IP address, which is provided in the %NIC1IPADDR% variable. The example network was built to the design standard below.
- Floor VLANs will be allocated in the range 100 - 299, with 10 VLANs reserved per floor.
- Floor IP addresses will be allocated in the range 192.168.32.0 - 192.168.191.255, with 8 class C networks reserved per floor.
- The first three networks and VLANs per floor will be allocated to authenticated computers, guest/auth-fail computers and the re-imaging VLAN respectively.
- The fourth network and VLAN will be reserved for future IP telephony projects.
- The fifth network will be allocated to switch management IP addresses, with all others reserved for future use.
- Switch management VLANs will be allocated in the range 300 - 350.
- Edge switch management addresses will start at 192.168.x.11.
The IP address of the first network on a floor is calculated by masking the last three bits of the third octet of the computer's IP address (%NIC1IPADDR%). The fifth network on each floor is reserved for switch management, so adding 4 to the third octet gives the switch management network. Assuming the last octet of the switch management IP addresses is also kept consistent, the address can be completed by simply setting the fourth octet to the standard value. Refer to the getSwitchMgmtAddr() function in listing 1.
The VLAN of the first network on a floor is calculated with a similar technique. The VLAN in which the computer's MAC address was found is divided, using integer division, by the number of VLANs per floor, and the result is then multiplied by the number of VLANs per floor. The third network and VLAN are reserved for re-imaging, so adding 2 to the first VLAN on the floor gives the re-imaging VLAN.
As an example, assume that the computer to be re-imaged has an IP address of 192.168.42.157 and its MAC address was found in VLAN 112 (probably due to a failed re-image job). Masking the last three bits of the third octet gives the first network on the floor:

        00101010 (42)
    AND 11111000 (248)
    =   00101000 (40)

The management network is found by adding 4 to the third octet, giving 192.168.44.0/24, and the switch management IP address will be 192.168.44.11. The first VLAN on the floor is calculated as (112 \ 10) * 10 = 110. The re-imaging VLAN is found by adding 2, giving 112. Note that the use of integer division, denoted by \ rather than /, means that remainders are discarded.
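The two calculations above, written out as an added example in Python (this is not the Altiris script from listing 1). The design-standard values from the bullet list are embedded as constants, and both functions reject inputs outside the floor ranges so that a computer on a non-standard network produces an error rather than a wrong switch address.

```python
import ipaddress

# Design-standard values from the post, assumed here as constants.
FLOOR_RANGE = (ipaddress.IPv4Address("192.168.32.0"),
               ipaddress.IPv4Address("192.168.191.255"))
FLOOR_VLAN_RANGE = (100, 299)
VLANS_PER_FLOOR = 10
FLOOR_NET_MASK = 0xF8      # 11111000: 8 class C networks per floor, so mask the low 3 bits
MGMT_NET_OFFSET = 4        # the fifth network on the floor holds switch management
MGMT_HOST_OCTET = 11       # edge switch management addresses start at 192.168.x.11
REIMAGE_VLAN_OFFSET = 2    # the third VLAN on the floor is the re-imaging VLAN


def floor_base_octet(third_octet: int) -> int:
    """Mask the last three bits of the third octet to get the floor's first network (42 -> 40)."""
    return third_octet & FLOOR_NET_MASK


def get_switch_mgmt_addr(computer_ip: str) -> str:
    """Derive the edge switch management address from the computer's %NIC1IPADDR% value."""
    ip = ipaddress.IPv4Address(computer_ip)
    if not FLOOR_RANGE[0] <= ip <= FLOOR_RANGE[1]:
        raise ValueError(f"{computer_ip} is outside the floor range; calculation is not valid")
    o1, o2, o3, _ = ip.packed
    mgmt_third = floor_base_octet(o3) + MGMT_NET_OFFSET
    return f"{o1}.{o2}.{mgmt_third}.{MGMT_HOST_OCTET}"


def get_reimage_vlan(current_vlan: int) -> int:
    """Derive the re-imaging VLAN from the VLAN in which the MAC address was found."""
    if not FLOOR_VLAN_RANGE[0] <= current_vlan <= FLOOR_VLAN_RANGE[1]:
        raise ValueError(f"VLAN {current_vlan} is not a floor VLAN; calculation is not valid")
    # Integer division discards the remainder, giving the first VLAN on the floor.
    first_vlan = (current_vlan // VLANS_PER_FLOOR) * VLANS_PER_FLOOR
    return first_vlan + REIMAGE_VLAN_OFFSET


if __name__ == "__main__":
    # The worked example from the post: 192.168.42.157 in VLAN 112.
    print(get_switch_mgmt_addr("192.168.42.157"))   # 192.168.44.11
    print(get_reimage_vlan(112))                    # 112
```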
Not every network is the way we would design it with hindsight; networks often grow in odd ways. You may have inherited a flat network that won't lend itself to this kind of calculation. In that case you can simply build an array of switch management IP addresses and loop through steps one and two for each switch until the bridge port on which the MAC address appears is found on a non-trunking port, then continue with steps three to five.
The script in listing 1 should be easy to customise for your environment. Pay particular attention to the constants defined at the beginning, the regular expression patterns used to match the output of the SNMP commands, and the SNMP commands themselves. If you aren't familiar with regular expressions, take a look at "Mastering Regular Expressions" by Jeffrey Friedl.
With SNMP and a modicum of scripting know-how you can now have dot1x security without fearing an uprising of angry helpdesk staff.
References

How To Add, Modify, and Remove VLANs on a Catalyst Using SNMP. (October 26, 2005). Retrieved 11 November, 2006, from http://www.cisco.com/en/US/tech/tk648/tk362/technologies_tech_note09186a00801c6035.shtml
Using SNMP to Find a Port Number from a MAC Address on a Catalyst Switch. (October 26, 2005). Retrieved 11 November, 2006, from http://www.cisco.com/en/US/tech/tk648/tk362/technologies_tech_note09186a00801c9199.shtml
How To Get Dynamic CAM Entries (CAM Table) for Catalyst Switches Using SNMP. (October 26, 2005). Retrieved 11 November, 2006, from http://www.cisco.com/en/US/tech/tk648/tk362/technologies_tech_note09186a0080094a9b.shtml
How to Get VLAN Information From a Catalyst Using SNMP. (October 26, 2005). Retrieved 11 November, 2006, from http://www.cisco.com/en/US/tech/tk648/tk362/technologies_configuration_example09186a008015773e.shtml
SNMP Community String Indexing. (October 26, 2005). Retrieved 11 November, 2006, from http://www.cisco.com/en/US/tech/tk648/tk362/technologies_tech_note09186a00801576ff.shtml
IEEE Standard for Local and metropolitan area networks: Port-Based Network Access Control. (2004). Retrieved 11 November, 2006, from http://standards.ieee.org/getieee802/download/802.1X-2004.pdf
Friedl, J. (2002). Mastering Regular Expressions (Second ed.). O'Reilly Media Inc.