> I have been reading about floating device support in PF and the
> documentation seems to suggest that its main use is to enable you to
> connect a switch or AP (to which multiple other devices may be
> connected) to an access port on any existing PF managed switch, and
> can be moved at will to an access port on other PF managed switches
> without the need for isolation/registration on each move, either for
> the device or any of the devices connected to that device. (I'm a
> newbie so I'm open to correction here).

The goal is to allow infrastructure devices (APs, switches) to be movable anywhere without the limitation of handling per-port configuration exceptions. The implementation is to reconfigure the port where the floating device is plugged in so that it no longer has the limitation of one device per port (imposed by port-security) and to allow reconfiguration of the allowed VLANs on that port.

> I was wondering if it matters whether a floating device is an endpoint
> device (eg: PC, printer, phone) rather than another connectivity
> device (eg: switch, hub, wireless AP).

I see no case for configuring printers, PCs or phones as floating devices, and I see security and scalability problems in doing so.

> The reason I ask is that it would be useful if I could configure
> certain (but not all) devices to never undergo isolation/registration
> no matter where they are connected on our network (an all Cisco
> network) even if they are moved from time to time around the network.
> We are a college, and basically, the devices connecting to our network
> are one of two kinds.....college owned and end user owned.

Port movement will never have the consequence of sending a user back to isolation/registration. Once registered, a device will stay so unless you manually de-register it.

> Ideally what I would like to be able to do is:
>
> * Have all college owned devices (PCs, printers etc) configured as
> floating devices so they can be registered once, and then moved
> whenever we desire. Ideally the access port in most cases would be
> configured only with a primary access VLAN and no tagged VLANs.

This is how PacketFence works. No need to use floating devices for that. To completely avoid registration even the first time, pre-register the MACs by putting switches in registration mode (search the archives for how to do so) or import the list of MACs using the node import feature.

> * Have all non college owned devices (end user laptops) connecting to
> either the wired or wireless network undergo the usual
> isolation/registration process at the network edge.
>
> This has to allow for the possibility that an end user might
> disconnect one of our (floating) devices, and plug in their own.
>
> Is this doable/feasible with PacketFence?

Allow me to repeat myself: This is how PacketFence works. No need to use floating devices for that. ;)

> And lastly, for floating devices, is it still possible to use the
> custom VLAN assignment hooks via the perl code to assign a VLAN based
> on our local criteria?

No, but you don't want floating devices ;)

Cheers!

-- 
Olivier Bilodeau
[email protected] :: +1.514.447.4918 *115 :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)

_______________________________________________
Packetfence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
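The reply above describes floating device support as a port reconfiguration: port-security's one-MAC limit is lifted and the allowed VLANs are changed on whatever port the device shows up on. The following is an added example, not code from the original message or from PacketFence, that makes that difference concrete. It parses a constructed sample written in the format of PacketFence's conf/floating_network_device.conf (section name = MAC; keys ip, pvid, taggedVlan, trunkPort, as I recall them from the administration guide; treat the key names as assumptions) and renders the Cisco IOS port configuration a managed access port has before and after a floating device is detected on it. The Cisco commands are illustrative of the result, not what PacketFence sends over SNMP or telnet, and the link-up/link-down handling is an assumption about when the normal port configuration is restored. The mac_limit helper shows the security point made in the reply: once a port is reconfigured for a floating device, anything plugged in behind it shares the port with no per-MAC limit.

```python
"""Added example (not PacketFence code): what 'floating network device'
support changes on a switch port, rendered as before/after Cisco IOS config."""
import configparser
import re
from dataclasses import dataclass, field

# Constructed sample in the assumed floating_network_device.conf format.
# MACs, IPs and VLAN numbers are made up for this example.
SAMPLE_CONF = """\
[00:1b:c1:c3:4d:5e]
ip=10.0.1.10
pvid=10
taggedVlan=20,30
trunkPort=yes

[00:1b:c1:c3:4d:5f]
ip=10.0.1.11
pvid=10
trunkPort=no
"""

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


@dataclass
class FloatingDevice:
    mac: str
    ip: str
    pvid: int
    trunk: bool
    tagged: list = field(default_factory=list)


def _vlan(value):
    n = int(value)
    if not 1 <= n <= 4094:
        raise ValueError(f"VLAN {n} out of range")
    return n


def parse_floating_conf(text):
    """Return {mac: FloatingDevice} for every section of the conf text."""
    cp = configparser.ConfigParser()
    cp.optionxform = str  # keep 'taggedVlan' / 'trunkPort' case as written
    cp.read_string(text)
    devices = {}
    for section in cp.sections():
        mac = section.lower()
        if not MAC_RE.match(mac):
            raise ValueError(f"section name is not a MAC address: {section}")
        sec = cp[section]
        trunk = sec.get("trunkPort", "no").strip().lower() in ("yes", "y", "1", "true")
        tagged = [_vlan(v) for v in sec.get("taggedVlan", "").split(",") if v.strip()]
        pvid = _vlan(sec["pvid"])
        if tagged and not trunk:
            raise ValueError(f"{mac}: taggedVlan requires trunkPort=yes")
        if pvid in tagged:
            raise ValueError(f"{mac}: pvid {pvid} must not also be tagged")
        devices[mac] = FloatingDevice(mac, sec["ip"], pvid, trunk, tagged)
    return devices


def normal_port_config(ifname, access_vlan):
    """A managed access port: one VLAN, port-security limited to one MAC."""
    return [
        f"interface {ifname}",
        " switchport mode access",
        f" switchport access vlan {access_vlan}",
        " switchport port-security",
        " switchport port-security maximum 1",
        " switchport port-security violation restrict",
    ]


def floating_port_config(ifname, dev):
    """The same port once a floating device is seen: port-security removed and,
    for a trunk, the native VLAN plus the configured tagged VLANs allowed."""
    lines = [f"interface {ifname}", " no switchport port-security"]
    if dev.trunk:
        allowed = ",".join(str(v) for v in [dev.pvid] + dev.tagged)
        lines += [
            " switchport mode trunk",
            f" switchport trunk native vlan {dev.pvid}",
            f" switchport trunk allowed vlan {allowed}",
        ]
    else:
        lines += [" switchport mode access", f" switchport access vlan {dev.pvid}"]
    return lines


def mac_limit(config_lines):
    """Number of MACs port-security admits on this config; None means no limit.
    Behind a floating port any device, including one an end user plugs in
    after unplugging the AP or switch, shares the port with no per-MAC control."""
    for line in config_lines:
        m = re.match(r"\s*switchport port-security maximum (\d+)", line)
        if m:
            return int(m.group(1))
    return None


def config_on_link_up(ifname, mac, devices, default_vlan):
    """Config to apply when a link comes up with the given MAC.  Assumption:
    the normal config is restored on link-down, so an unknown MAC always
    lands on the port-secured access configuration."""
    dev = devices.get(mac.lower())
    return floating_port_config(ifname, dev) if dev else normal_port_config(ifname, default_vlan)


if __name__ == "__main__":
    devs = parse_floating_conf(SAMPLE_CONF)
    for mac in devs:
        print("\n".join(config_on_link_up("GigabitEthernet1/0/5", mac, devs, 10)), "\n")
```

On older Catalyst platforms the trunk also needs `switchport trunk encapsulation dot1q` before `switchport mode trunk`; the generator leaves that out because it is platform-specific.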
