In static VLAN configuration, VLANs are manually created and assigned to switch interfaces. A VLAN assignment on an interface cannot be deleted or altered without manual intervention, which is why this method is the most secure and very simple to configure.
The IP configuration on hosts or user PCs must match the VLAN membership on the switches.
As in figure 3, interfaces g0/1 and g0/2 are manually configured in VLAN 2, and interfaces g0/3 and g0/4 are in VLAN 1. By default, all interfaces of a switch are in VLAN 1.
The drawback of this type of configuration is that users can't move from one location to another.
In our example, if Host 1 moves from his desk to Host 4's desk and connects his device to that port (g0/4), which is statically configured (or left by default) in VLAN 1, then Host 1 will not be able to communicate with any other users.
To resolve this issue, you need to configure dynamic VLANs.
Dynamic VLAN assignment
In this type, the user profile is pre-configured on a special kind of server in the network. That server serves VLAN membership to users when they try to connect to the network, regardless of their physical location.
A Cisco ACS, RADIUS or VMPS server is required for this type of VLAN. When a user connects a device to the network:
- The switch sends a request to the RADIUS/ACS server to authenticate the connected user. There are multiple methods of authentication, e.g. based on the MAC address or on the username and password combination of the user.
- The user profile pre-configured on the RADIUS server is checked (MAC address / IP address / username & password combination / VLAN assignment).
- After authenticating the user credentials, the server sends a reply with the respective VLAN membership to the switch.
- Based on the information received from the server, the switch assigns VLAN membership to that user.
Authentication/identification of the user is performed by the central ACS/RADIUS server, so the physical location of the users doesn't matter and users can move from one location to another.
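The four steps above, sketched in Python as an added example (not code from the original page). It assumes MAC-based authentication and that the server conveys the VLAN with the RFC 3580 tunnel attributes (Tunnel-Type = VLAN, Tunnel-Medium-Type = 802, Tunnel-Private-Group-ID = VLAN ID); the MAC addresses, profiles and function names are constructed for illustration, and only the attribute portion of the reply is modelled.

```python
TUNNEL_TYPE, TUNNEL_MEDIUM, TUNNEL_PGID = 64, 65, 81   # RADIUS attribute numbers
TYPE_VLAN, MEDIUM_802 = 13, 6                          # RFC 3580 values for a VLAN
# Constructed server-side profiles (assumption): MAC address -> VLAN ID
PROFILES = {"00:11:22:33:44:01": 2,   # Host 1
            "00:11:22:33:44:04": 1}   # Host 4

def tagged(attr, value):
    """Encode one tunnel attribute: type, length, tag byte 0, then the value."""
    return bytes([attr, 3 + len(value), 0]) + value

def server_reply(mac):
    """Server side (steps 2-3): check the profile and build the reply."""
    vlan = PROFILES.get(mac.lower())
    if vlan is None:
        return "Access-Reject", b""
    return "Access-Accept", (tagged(TUNNEL_TYPE, TYPE_VLAN.to_bytes(3, "big"))
                             + tagged(TUNNEL_MEDIUM, MEDIUM_802.to_bytes(3, "big"))
                             + tagged(TUNNEL_PGID, str(vlan).encode()))

def parse_vlan(attrs):
    """Switch side: return a VLAN ID only if all three attributes are valid."""
    seen, i = {}, 0
    while i < len(attrs):
        length = attrs[i + 1] if i + 1 < len(attrs) else 0
        if length < 2 or i + length > len(attrs):
            return None                      # malformed TLV: do not trust the reply
        seen[attrs[i]] = attrs[i + 2:i + length]
        i += length
    if int.from_bytes(seen.get(TUNNEL_TYPE, b"")[1:], "big") != TYPE_VLAN:
        return None
    if int.from_bytes(seen.get(TUNNEL_MEDIUM, b"")[1:], "big") != MEDIUM_802:
        return None
    pgid = seen.get(TUNNEL_PGID, b"")
    if pgid[:1] and pgid[0] <= 0x1F:         # optional tag byte precedes the string
        pgid = pgid[1:]
    if not pgid.isdigit() or not 1 <= int(pgid) <= 4094:
        return None
    return int(pgid)

def connect(port_vlans, port, mac):
    """Steps 1 and 4: a device plugs into `port`; apply the VLAN the server returned."""
    code, attrs = server_reply(mac)
    # This example fails closed: None means the port stays unauthorized.
    port_vlans[port] = parse_vlan(attrs) if code == "Access-Accept" else None
    return port_vlans[port]
```

Calling `connect` for Host 1 on g0/1 and again on g0/4 returns VLAN 2 both times, which is the mobility that static assignment lacks.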