p.s., Olivier, discussion this morning lead to the possibility of too many node categories/customvlans breaking PF performance and/or code, so we are reassessing how many customvlans to use in combination with default (normal) switch vlans.
On May 8, 2012, at 5:42 PM, Steve Wittstruck wrote: > Hello Oliver! > > Yes, that will work, i.e. hardcoding the VLAN #'s in custom.pm. We have > roughly 40 - 50 VLANs, maybe half are campus-wide. We probably won't even > use the 5 defined customVlan's, no real reason to with so many other VLANs > that are needed; the number of new lines of custom.pm code would be the same > either way (confgured customVlanX or hardcoded vlan #'s.) > > It sounds like your long term plans for flexible custom VLAN assignments will > let me do what I want. In the meantime, I'll go forward with hardcoding vlan > #'s in custom.pm, I've got deadlines for PF production pilots coming up. > > Lastly, not sure this is proper etiquette, i.e. going off subject, it is > related though. I'm curious about 802.1x for doing VLAN manipulation. In > the podcast you did last year, did I detect your preference for 802.1x? In > my case, particularly for VLAN manipulation? At one time I would have > thought port-security had better switch vendor support for allowing PF VLAN > manipulation, vs. vendor support of 802.1x supplicant clients, especially in > a widely diverse and open network philosophy as ours. I'm not sure that's > true anymore. I have plans to do 802.1x testing but for the immediate future > I'm leaning on port-security. > > Thank you very much. > Steve > > ________________________________________ > From: Olivier Bilodeau [[email protected]] > Sent: Tuesday, May 08, 2012 7:25 AM > To: [email protected] > Cc: Steve Wittstruck > Subject: Re: [PacketFence-users] trouble expanding CustomVLANs beyond 5 > > Hi Steve, > > On 05/04/2012 07:36 PM, Steve Wittstruck wrote: >> Hi PF Community: >> >> I'm having trouble expanding the # of CustomVlans beyond 5. > > Yes, because there are only 5 customVlan attributes. It's not a dynamic > field, it's a static field. > >> Below are >> my relevant custom.pm and switches.conf lines, and the packetfence.log >> entries for the failed CustomVLAN6. If I grep around in other pf/conf >> files I see more hits on "CustomVLAN"'s 1 thru 5 in ui.conf* and >> violations.conf. Is expanding the number of CustomVLAN's beyond 5 more >> complicated than I hoped? > > Scattered changes in pf::SwitchFactory and pf::SNMP would be required. > >> The failed CustomVLAN6 lookup ends up putting >> the switch port into the MacDetection VLAN (I have it defined even >> though I'm using Port-Security, not Linkup/LinkDown.) I'm running >> version 3.2. >> >> # # return customVlan to nodes defined with a category >> if (defined($node_info->{'category'}) && >> lc($node_info->{'category'}) eq "admin1") { >> return $switch->getVlanByName('customVlan4'); >> } elsif (defined($node_info->{'category'}) && >> lc($node_info->{'category'}) eq "admin2") { >> return $switch->getVlanByName('customVlan5'); >> } elsif (defined($node_info->{'category'}) && >> lc($node_info->{'category'}) eq "admin3") { >> return $switch->getVlanByName('customVlan6'); >> } >> # > > If the VLAN you want to return is the same campus-wide (ie customVlan4 > is _always_ VLAN ID 100) then instead of using: > > return $switch->getVlanByName('customVlanX'); > > you can directly return the VLAN id: > > return 100; > > Does that free enough customVlanX for you so that you are fine with 5? > > We have plans to migrate the switch configuration to the database and > have a more flexible custom VLAN assignment configuration. Nothing short > term though, we're busy with a Web-based installer and Web Admin revamp > right now. > > -- > Olivier Bilodeau > [email protected] :: +1.514.447.4918 *115 :: www.inverse.ca > Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence > (www.packetfence.org) ------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ _______________________________________________ PacketFence-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/packetfence-users
