Isolating network between AD OUs - Subnetting? or VLAN?

hinewwiner
Here to help

Hello,

We are setting up a HQ network with MX100 and MS225 switches. We also have multiple remote sites with MX64 and MS225 switches that will be connected to HQ via site-to-site VPN connection.


There will be an Active Directory server running on the HQ network and all our employees' computers will be joined to the domain.  We would like to establish a secure network by isolating traffic between each department (OU in AD). I saw that I could tag a specific port to a specific VLAN (in MS switches) but would like to avoid this and have a way to dynamically assign either a VLAN or a subnet based on the device's OU.

I would also like to have a way so that devices in the same OU (like the Sales department in HQ and the Sales department in a remote location) can share resources (file share, etc.) but I am not sure if this is feasible or not.

What would be the best way to accomplish this?  Should VLAN tagging with RADIUS be used?  Or should I run a DHCP server in HQ to assign a subnet based on the computer's OU?

Thank you


7 REPLIES
PhilipDAth
Kind of a big deal

I would not recommend doing this.


If you still wish to proceed then I would use 802.1x on the switches.

https://documentation.meraki.com/MS/Access_Control/MS_Switch_Access_Policies_(802.1X)

You can use RADIUS (NPS on Windows) to either assign a group policy dynamically, or assign a VLAN.  If you assign a VLAN then you just need to create a group policy and attach it to each VLAN on the MX units and use that to specify what each VLAN can access.  You would use a VLAN for each OU.

This article covers how to configure NPS to give out a VLAN assignment.

https://technet.microsoft.com/en-us/library/cc772124(v=ws.10).aspx
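The reply above rests on three RADIUS attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID) that NPS puts in the Access-Accept and the switch reads to pick the port's VLAN. The following is an added example, not code from the thread, Meraki or Microsoft: it assumes a constructed OU-to-VLAN map, encodes the triple as RFC 2868 tagged attributes, and decodes it the way a switch must before moving a port.

```python
import struct

OU_VLAN_MAP = {"Sales": 10, "Finance": 20, "Engineering": 30}  # constructed, an assumption

# RADIUS attribute numbers and values from RFC 2868 / RFC 3580
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6


def _tagged_int(attr_type, tag, value):
    # Type, Length (6), Tag, 3-byte big-endian integer
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")


def _tagged_string(attr_type, tag, text):
    data = text.encode("ascii")
    return struct.pack("!BBB", attr_type, 3 + len(data), tag) + data


def vlan_attributes(ou, tag=0):
    """What the RADIUS server (NPS) adds to the Access-Accept for a user in the given OU."""
    vlan = OU_VLAN_MAP.get(ou)
    if vlan is None:
        return None  # no mapping: the policy should fall through to a reject or a guest VLAN
    return (_tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + _tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE802)
            + _tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan)))


def parse_vlan(attrs):
    """What the switch does with the reply: return the VLAN id only if the full triple is present."""
    found, i = {}, 0
    while i < len(attrs):
        if i + 2 > len(attrs) or attrs[i + 1] < 3 or i + attrs[i + 1] > len(attrs):
            raise ValueError("malformed RADIUS attribute")
        attr_type, length = attrs[i], attrs[i + 1]
        body = attrs[i + 2:i + length]
        # The first body byte is a tag only when it is 0x00-0x1F; otherwise the whole body is the value
        tag, value = (body[0], body[1:]) if body and body[0] <= 0x1F else (0, body)
        found[(attr_type, tag)] = value
        i += length
    for tag in range(0x20):  # the three attributes belong together only when their tags match
        ttype = found.get((TUNNEL_TYPE, tag))
        medium = found.get((TUNNEL_MEDIUM_TYPE, tag))
        group = found.get((TUNNEL_PRIVATE_GROUP_ID, tag))
        if ttype is None or medium is None or group is None:
            continue
        if int.from_bytes(ttype, "big") != TUNNEL_TYPE_VLAN or int.from_bytes(medium, "big") != TUNNEL_MEDIUM_IEEE802:
            continue
        text = group.decode("ascii", "replace")
        if text.isdigit() and 1 <= int(text) <= 4094:
            return int(text)
    return None  # incomplete or inconsistent triple: the port stays in its configured VLAN
```

A `None` from `parse_vlan` is the case PhilipDAth warns about: a policy that sends a broken triple leaves the port in whatever VLAN the switch falls back to, so test on a few ports first.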

Hi PhilipDAth,


Thanks for the quick response. You are always helpful!


One quick question.  Could you explain why you don't recommend this?   How would you recommend properly isolating the traffic?  We have some departments which require isolated access.

Thank you!

Well, it would probably take me 60 to 120 minutes to set up if I limit myself to two coffee breaks.  If you are not familiar with all the steps it could take a day or two.

And if you mess up the access policy you can cut yourself off (as in, no matter where you plug into the network it will refuse you access).

If your RADIUS servers become unavailable you can be cut off (hint - dual NPS/RADIUS servers is a really good idea).

Perhaps I am being overly negative.  What you could do is set up half a dozen ports on a switch with the access policy and get it working perfectly there before a wider rollout.


Note you can do 802.1x on MXs as well.  In your case I would do it on the switches.

Hi Philip,

How does this work out when I have the L3 interfaces on my L3 switch instead of the SVIs?

I do not have the option to assign the identity-based policy in the Active Directory page in the above mentioned case, nor do I see the group policy option when it's a static route on the MX.

A layer 3 interface is an SVI, so ...

Sorry I misspoke there.


How does this work out when I have the L3 interfaces on my L3 Switch instead of the MX as a Local VLAN?


I do not see an option for the desired VLAN in the Per-VLAN option on the Active Directory Authentication page if my local VLAN isn't on my MX.

Does that make sense?

The MS switches can do IPv4 ACLs also - just keep in mind it's not stateful. CIDR would work for isolating your OUs - just set up DHCP scopes per OU to match whatever your VLANs for each OU are and you should be good to go. I've done that where I am now for a few networks and it's working well. You have to know what traffic needs to get to where so you can configure the static routing, but as long as the network isn't sprawling it's not too bad.
