Remember, registration and isolation VLANs can be defined per-switch in
the config. ;-) I'll let someone else describe how to bridge those
VLANs back to PF...
-Arthur
-------------------------------------------------------------------------
Arthur Emerson III          Email: [email protected]
Network Administrator       InterNIC: AE81
Mount Saint Mary College    MaBell: (845) 561-0800 Ext. 3109
330 Powell Ave.             Fax: (845) 562-6762
Newburgh, NY 12550          SneakerNet: Aquinas Hall Room 11
From: Boris Epstein <[email protected]>
Reply-To: "[email protected]" <[email protected]>
Date: Friday, January 9, 2015 at 4:54 PM
To: "[email protected]" <[email protected]>
Subject: Re: [PacketFence-users] proper VLAN assignment
Alright... sounds good... that pretty much means most modern switches should
do, AFAIK.
But, let us say I have my PF server at site A, my switch at site B with VLANs
10, 11 and 12 being registration, isolation and production respectively. The PF
server has no connection to and no direct awareness of any one of these VLANs.
How does it know how to manage them - i.e., how does it decide to tell the
switch what to do via SNMP or RADIUS?
Boris.
On Fri, Jan 9, 2015 at 4:49 PM, Tim DeNike <[email protected]> wrote:
No. Not if your switches can support dynamic vlan assignment via RADIUS or
SNMP.
On Fri, Jan 9, 2015 at 4:37 PM, Boris Epstein <[email protected]> wrote:
Jake,
You are absolutely making sense. I will need to go over what you wrote a little
more as you clearly are much better versed in all of this than I am but overall
this sounds perfectly reasonable and what we need is likely simpler. And we are
perfectly happy to re-authorize users who move from site to site so that should
not be a problem.
Just one question: is the PF server expected to have all the VLANs from all
the sites? Or can that part be relegated to the relevant switches?
Thanks for your input.
Boris.
On Fri, Jan 9, 2015 at 2:45 PM, Sallee, Jake <[email protected]> wrote:
> OK, let us say I have a distributed network with multiple sites, and I can
> not have VLANs spanning across multiple sites...
PF makes the final VLAN assignment based on the role and the switch the
node is connected to.
So, to make sure the correct VLANs get assigned, set them up in the switch
properties in PF.
For example:
Site A has 10 switches with Production (aka Normal) and Guest vlans.
Site B has 5 switches with Marketing, R&D, Guest, and HVAC vlans
In PF you will see all 15 switches, every switch will have a setting for every
role PF knows about (Production, Guest, Marketing, R&D, HVAC).
On the switches for site A you would set the correct VLAN IDs for the Production
and Guest VLANs, and you can leave the rest blank.
For site B you would set the vlan ID for the vlans available at that site
(Marketing, R&D, Guest, and HVAC).
The VLAN ID for a given role need not be the same across switches, meaning that
the Guest VLAN ID for site A does not need to be the same as the Guest VLAN ID
at site B, etc.
Then you would set up rules and roles that would steer users into the correct
role based on how they authenticate, or whatever other criterion you want.
When a user hits site A they will have their access evaluated based on the
rules you created and be assigned the corresponding role and thus the correct
vlan.
Your only trouble would be handling users moving to a site that does not know
about their role. For example, if a user from site B that has been assigned the
Marketing role went to site A, where PF does not have any VLAN set up for that
role.
There are ways to deal with this but you get the idea.
In general PF is site unaware. PF assumes all of your switches are on the same
site. Well, perhaps assumes is not the correct word, more like PF doesn't care
where your switches are.
NAC can be a confusing subject, this is exacerbated by everyone not always
using the same jargon. I hope I'm actually answering your questions and not
sounding like a fool.
Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
WWW.UMHB.EDU
900 College St.
Belton, Texas
76513
Fone: 254-295-4658
Phax: 254-295-4221
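To make the per-switch mapping Jake describes concrete, here is an added example of what the two sites could look like in PacketFence's switches.conf. This is illustrative and not from the thread or from the PacketFence project; the switch IP addresses, VLAN IDs, the Cisco switch type, the RADIUS secret placeholder and the role names (which must match the role names you defined in PF exactly, since the key is "<role>Vlan") are all assumptions. It uses the PF 4.x key names Arthur mentions (defaultVlan rather than the PF 3.x "Normal VLAN"):

```ini
; /usr/local/pf/conf/switches.conf (added example, assumed values)
; Anything in [default] is inherited by every switch section below, so
; only put values there that are genuinely valid on every switch.
[default]
type=Cisco::Catalyst_2960
mode=production
uplink=dynamic
deauthMethod=RADIUS
radiusSecret=CHANGE-ME-per-switch
registrationVlan=2
isolationVlan=3
defaultVlan=1

; Site A: 10 switches with Production (defaultVlan) and Guest only.
; Registration/isolation VLANs are local to this site's switches.
[10.1.0.11]
description=site-a-sw01
registrationVlan=10
isolationVlan=11
defaultVlan=12
guestVlan=20
; no marketingVlan / rndVlan / hvacVlan: those roles have no VLAN at site A

; Site B: same role names, different (site-local) VLAN IDs.
[10.2.0.11]
description=site-b-sw01
registrationVlan=110
isolationVlan=111
defaultVlan=112
guestVlan=120
marketingVlan=130
rndVlan=131
hvacVlan=132
```

Two things to check before trusting a layout like this: first, replace the shared radiusSecret placeholder with a per-switch secret, since whoever holds it can spoof RADIUS traffic for that switch; second, test what your PF version actually does when a node arrives with a role that has no "<role>Vlan" on the switch it connected to (Jake's Marketing-user-at-site-A case) rather than assuming it lands somewhere safe, because the inherited [default] values are what apply when a switch section leaves a key blank.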
________________________________
From: Boris Epstein [[email protected]]
Sent: Friday, January 09, 2015 1:12 PM
To: [email protected]
Subject: Re: [PacketFence-users] proper VLAN assignment
Thanks for some great input!
OK, let us say I have a distributed network with multiple sites, and I can not
have VLANs spanning across multiple sites. So how do I define isolation and
registration networks for each site even though my PF server is only available
at one site (the hub)? Or do I need to even?
Boris.
On Fri, Jan 9, 2015 at 2:03 PM, Arthur Emerson <[email protected]> wrote:
Configuration | Switches | [pick one] | Roles
PF determines the role that each user has, and then passes that role to
the switch(es) to let them make the decision on what VLAN they need to
be on based on their role. What VLAN a device should be placed on may
vary by switch, with an example being a multi-building network with
different VLANs in each. You tell the switch what role a device is, and
it decides what VLAN to put it on.
In PF 3.x, there's a setting in the switch config called "Normal VLAN."
In PF4, it is called "default." If you do not wish to use roles and want
everyone on the same production network, this is where you set that VLAN
on every switch...
-Arthur
-------------------------------------------------------------------------
Arthur Emerson III          Email: [email protected]
Network Administrator       InterNIC: AE81
Mount Saint Mary College    MaBell: (845) 561-0800 Ext. 3109
330 Powell Ave.             Fax: (845) 562-6762
Newburgh, NY 12550          SneakerNet: Aquinas Hall Room 11
From: Boris Epstein <[email protected]>
Reply-To: "[email protected]" <[email protected]>
Date: Friday, January 9, 2015 at 1:35 PM
To: "[email protected]" <[email protected]>
Subject: Re: [PacketFence-users] proper VLAN assignment
Tim,
True enough - but given that there may be more than one - doesn't the PF server
need to be aware of them and know how to tell the switch involved which VLAN to
put the node in?
Boris.
On Fri, Jan 9, 2015 at 1:27 PM, Tim DeNike <[email protected]> wrote:
Because a production VLAN, in most instances, won't ever touch the PacketFence
server. So it doesn't NEED to have one configured.
On Fri, Jan 9, 2015 at 1:16 PM, Boris Epstein <[email protected]> wrote:
Chris,
100%. I should have said "one or more production networks".
Boris.
On Fri, Jan 9, 2015 at 12:27 PM, Chris Chance <[email protected]> wrote:
Because there can be multiple production VLANs, such as an infrastructure VLAN,
a customer VLAN, a staff VLAN, or whatever your specific network requires.
Authorized clients don't necessarily get sent to the same areas just because
they are allowed access.
On Jan 9, 2015 12:51 PM, "Boris Epstein" <[email protected]> wrote:
Hello all,
This is just to compare notes and make sure the way I do things is in line with
the conventions. So here is how I understand things.
"Registration VLAN" is where newly plugged in devices are assigned, until they
are deemed secure and allowed to join the production network.
"Isolation VLAN" is where suspect devices (those believed to be virus-infected,
for instance) are relegated to.
"Management VLAN" is a network used for management purposes (to communicate to
switches, etc.)
Here is what I don't quite understand.
1) Why is a "Production VLAN" not mandated?
2) How does one designate it on the switch level as a VLAN to put
production-ready devices in (i.e., OK, MAC address so-and-so on port 10 is
good, switch it to the "Production VLAN" and let it access the internet)?
Thanks in advance for your help.
Cheers,
Boris.
------------------------------------------------------------------------------
Dive into the World of Parallel Programming! The Go Parallel Website,
sponsored by Intel and developed in partnership with Slashdot Media, is your
hub for all things parallel software development, from weekly thought
leadership blogs to news, videos, case studies, tutorials and more. Take a
look and join the conversation now. http://goparallel.sourceforge.net
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users