This is what I am trying to do.
We have 50 locations, all running layer 3 down to the access layer.
Currently everyone is on vlan x. When they trip our IPS we would like to
move them to vlan y. I was thinking packetfence could do that. If the mac
is in the database then when packetfence receives the linkup/mac snmp trap
it would put the switchport in vlan y. This way it doesn't matter if they
move from switch to switch.
On Sat, Jun 29, 2013 at 4:09 PM, Tim DeNike <[email protected]> wrote:
> Just use vlans on a single interface.
>
> On Jun 29, 2013, at 4:08 PM, Dustin Schuemann <[email protected]>
> wrote:
>
> Do I have to forward the dhcp requests to packet fence or can I use the
> auto register feature?
> On Jun 29, 2013 3:01 PM, "Fabrice Durand" <[email protected]> wrote:
>
>> Hello Dustin,
>> it could be done with the github branch
>> https://github.com/inverse-inc/packetfence/tree/feature/iplog_accounting
>>
>> In fact you will use accounting information to fill out your database
>> (you probably have to add a function to add the device if it doesn't exist
>> in the database), declare your switch in the conf as a production switch
>> with all the parameters to interact with it, and don't forget to forward
>> the dhcp traffic to packetfence.
>>
>> That way you will have a database with all your devices and where
>> they are, and you will be able to put them in the isolation vlan if
>> you trigger a violation manually or automatically (snort, suricata,
>> accounting violation ...)
>>
>> And of course it could be sponsored development.
>>
>> Regards
>> Fabrice
>>
>>
>> On 2013-06-29 14:05, Dustin Schuemann wrote:
>>
>> This can't be done just with the SNMP notifications. What I want to do is
>> have a database of all the devices. If a device needs to be in the
>> isolation vlan I would put it in there and then when the device is plugged
>> in packet fence would set the vlan for that switch interface.
>> On Jun 29, 2013 1:56 PM, "Fabrice Durand" <[email protected]> wrote:
>>
>>> Hello,
>>> you mean without a registration process and with an IDS like snort?
>>>
>>> If that is the case, packetfence has to know where the device is
>>> (switch interface), and you have to forward the dhcp traffic to
>>> packetfence so that it is able to resolve mac by ip.
>>> If you do that, it's possible.
>>>
>>>
>>> Regards
>>> Fabrice
>>> On 2013-06-29 13:26, Dustin Schuemann wrote:
>>>
>>> Can packetfence use one interface? I only want to do vlan isolation with
>>> MAC traps. Is this possible?
>>>
>>>
>>> ------------------------------------------------------------------------------
>>> This SF.net email is sponsored by Windows:
>>>
>>> Build for Windows Store.
>>> http://p.sf.net/sfu/windows-dev2dev
>>>
>>>
>>>
>>> _______________________________________________
>>> PacketFence-users mailing list
>>> [email protected]
>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users