I currently have PacketFence deployed (2.2.0, using 802.1x) on one VLAN as a beta implementation, with currently just over 100 devices on it. When finally deployed, the numbers will reach several thousand nodes over dozens of VLANs. One of the primary reasons for implementing this solution is to be able to quickly, remotely, and perhaps automatically, provide isolation in the case of a malware epidemic. However, in the current state of implementation, the isolation VLAN, while providing isolation from the active production networks, does not isolate the devices from one another. The isolation network would quickly become a haven for reinfection (not to mention that worm traffic would likely saturate uplinks). Also, the registration network could experience the same issues, or the large common VLAN could be abused for file sharing or other activities.
I was wondering what users are doing to remedy this issue. My first thought was to use private VLANs, as they scale well across a large number of switches, but then I read this:

* You can configure IEEE 802.1x port-based authentication on a private-VLAN port, but do not configure IEEE 802.1x with port security, voice VLAN, or per-user ACL on private-VLAN ports.

Apparently you can use private VLANs with 802.1x with VLAN assignment, but not with voice, and only if all possible VLANs are private VLANs. This does not work for my environment.

So my current thinking is to use VLAN maps (VACLs) to filter traffic on the isolation and registration VLANs. I would allow traffic back and forth to the PacketFence server (for DHCP, DNS, HTTP, etc.), and to any other services that monitor or provide remediation resources for these networks. This would be a bit more painful to maintain than private VLANs, but I do not expect this configuration to change much.

Is there a better way to accomplish the isolation of unregistered or problem hosts? Is there some reason my intended implementation will not work? Has anyone solved this problem in a different way?

Thanks,
Brent
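The VLAN-map approach sketched in the post, written out as a Catalyst IOS configuration. This is an added example, not configuration from the post or from the PacketFence project; the addressing is hypothetical (isolation VLAN 200 on 10.10.200.0/24, PacketFence server at 10.10.200.2) and the `vlan access-map` / `vlan filter` syntax is the Catalyst 3560/3750-style form, so check it against the platform in use. It permits DHCP, plus any IP traffic to and from the PacketFence server, lets ARP through (hosts must still resolve the server's MAC), and drops everything else on the VLAN, which is what stops hosts on the isolation VLAN from reaching one another.

```cisco
! Hypothetical addressing for this example (not from the original post):
!   isolation VLAN 200 = 10.10.200.0/24, PacketFence server = 10.10.200.2
! Substitute the real VLAN, subnet, and server (or gateway) addresses.

! 1. IP traffic that is allowed to cross the isolation VLAN.
ip access-list extended ISOL-ALLOWED-IP
 ! DHCP discover/request from a client with no address yet (0.0.0.0 -> broadcast)
 permit udp any eq bootpc host 255.255.255.255 eq bootps
 ! Host -> PacketFence: DHCP renewals, DNS, HTTP/HTTPS captive portal
 permit ip any host 10.10.200.2
 ! PacketFence -> host: DHCP offers/acks (unicast or broadcast), DNS answers, portal pages
 permit ip host 10.10.200.2 any
 ! Add further "permit ip any host <x>" lines here for monitoring / remediation servers.

! 2. Catch-all for the remaining IP traffic, i.e. host-to-host on the VLAN.
ip access-list extended ISOL-ANY-IP
 permit ip any any

! 3. Non-IP frames. MAC ACLs in a VLAN map only see non-IP packets.
!    ARP (ethertype 0x806) must pass or nobody can reach the server;
!    all other non-IP frames are dropped.
mac access-list extended ISOL-ARP
 permit any any 0x806 0x0
mac access-list extended ISOL-ANY-NONIP
 permit any any

! 4. The VLAN map. Entries are evaluated in sequence order; the first match wins.
!    Explicit drop entries are used so the result does not depend on the
!    per-packet-type default (no matching entry for a given type means forward).
vlan access-map ISOLATION 10
 match ip address ISOL-ALLOWED-IP
 action forward
vlan access-map ISOLATION 20
 match mac address ISOL-ARP
 action forward
vlan access-map ISOLATION 30
 match ip address ISOL-ANY-IP
 action drop
vlan access-map ISOLATION 40
 match mac address ISOL-ANY-NONIP
 action drop

! 5. Apply the map to the isolation VLAN. The registration VLAN can reuse the
!    same map if its allowed-server list is identical, otherwise give it its own.
vlan filter ISOLATION vlan-list 200
```

Two points worth checking before relying on this. First, a VLAN map is enforced by the switch the frame enters, so it must be configured on every switch that carries VLAN 200; a switch without it will happily forward host-to-host traffic out its uplink, which is exactly the saturation case the post worries about. Second, the `permit ip any host 10.10.200.2` lines assume the PacketFence server sits on the isolation subnet; if it is reached through a router, the permits have to target the gateway address instead, and a separate ACL on that router then decides what the isolated hosts may reach beyond it. `show vlan access-map` and `show vlan filter` confirm what is actually applied.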
_______________________________________________ Packetfence-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/packetfence-users
