Hello all,

Thanks again for all the input. Here is the basic diagram of the setup.

Picture the following setup.

You have the main network - let us call it "Headquarters" (HQ). Then you
have multiple Satellite offices/networks. We will call them SAT1, SAT2, etc.
For the purposes of this discussion they are all equivalent to each other.
The only networking that exists between HQ and the SAT networks is untagged
IP hence it is not possible to have a VLAN that exists in more than one
location (i.e. no VLAN can span across those WAN links).

You have a Cisco switch (or multiple switches) at each of these locations.
The one at HQ we will call sw-hq, the one at SAT1 we will call sw-sat1, etc.

We have a PF server - let us call it pf-serv.

So here is our HQ network:

pf-serv <------> sw-hq <=========> node1, node2, node3

Here is the SAT1 network:

sw-sat1 <==============> node1, node2, etc.


In this notation <----> denotes IP connection, <=====> denotes direct Level
2 connection (Ethernet connection of a node to a switch).

All of the switches have VLANs defined on them. I used a non-overlapping
numbering schema:

in HQ:
registration - VLAN2
isolation - VLAN3
voice - VLAN6
production - VLAN7

in SAT1:
registration - VLAN12
isolation - VLAN13
voice - VLAN16
production - VLAN17

in SAT2:
registration - VLAN22
isolation - VLAN23
voice - VLAN26
production - VLAN27

So, once again: the only way pf-serv can communicate to any of the switches
is pure IP (SNMP, radius, DHCP, whatever).

I hope this makes sense.

At this point, I can get my switches to switch VLANs as directed by the
pf-serv. One thing I cannot do is get the switches to report the
IPs to pf-serv.

And this is the stumbling block at this point.

Once again - thanks for the great input I already got and thanks in advance
for any and all feedback to come.

Cheers,

Boris.


On Fri, May 15, 2015 at 9:14 AM, Fabrice DURAND <[email protected]> wrote:

>  Hello Boris,
>
> In fact, if you find a way to have a MAC/IP pair then we will be able to
> update iplog.
>
> In other setups we did it by:
> arp traffic
> udp reflector
> radius accounting
>
> and it should probably be possible to do it with netflow traffic.
>
> Regards
> Fabrice
>
>
> Le 2015-05-15 09:08, Boris Epstein a écrit :
>
> Hello Fabrice,
>
>  Thanks very much for your response. Yes, I will put together a diagram.
>
>  I have looked into the RADIUS log and accounting packet content from a
> tcpdump capture and couldn't immediately see data on IP addresses. Where
> specifically should I be looking for?
>
> And this goes back to the question I raised earlier, the question being,
> is it necessary to use DHCP to update the PF server on the nodes' IP
> addresses? My thought was it shouldn't be as there are other ways to obtain
> that information; sounds like you are basically backing up this idea.
>
> Once again, thank you very much for your help.
>
>  Cheers,
>
>  Boris.
>
>
> On Fri, May 15, 2015 at 8:29 AM, Fabrice DURAND <[email protected]>
> wrote:
>
>>  Hi,
>>
>> I am joining the discussion on the fly, but did you check whether the radius
>> accounting has information about the IP of the device?
>> Sometimes it's the case and we will probably be able to update the iplog
>> in this way.
>>
>> Regards
>> Fabrice
>>
>> Le 2015-05-15 06:25, Tim DeNike a écrit :
>>
>> Yeah, just a basic diagram so we can see what other options there might
>> be.
>>
>> On Thu, May 14, 2015 at 12:20 PM, Boris Epstein <[email protected]>
>> wrote:
>>
>>> Hello everyone,
>>>
>>>  Thank you very much for your thoughtful responses.
>>>
>>> Tim, is there anything specific you mean by "Chicken scratch network
>>> diagram" - or do you just mean any basic schematic outline? Let me work on
>>> that - that is a good idea to diagram it for sure.
>>>
>>>  Cheers,
>>>
>>>  Boris.
>>>
>>>
>>> On Thu, May 14, 2015 at 11:34 AM, Tim DeNike <[email protected]> wrote:
>>>
>>>> Your other option if you don't want to run a DHCP server outside of the
>>>> switches is to run the remote arp sensor on a box attached to the switch
>>>> (I've never tried it), or set up a mirror port and mirror traffic to PF.
>>>>
>>>>  I really don't know if the dhcp relay will work with the dhcp server
>>>> enabled.  I'd guess not.
>>>>
>>>>  Chicken scratch network diagram would be helpful.
>>>>
>>>>  But seriously.. Look into running a couple central DHCP servers..
>>>> much easier to maintain in the long run (IMHO).
>>>>
>>>> On Thu, May 14, 2015 at 11:21 AM, Derek Wuelfrath <
>>>> [email protected]> wrote:
>>>>
>>>>>  Hello Boris,
>>>>>
>>>>>  Most of the time, iphelpers are doing the job. Can you explain what
>>>>> is ‘not working’ ?
>>>>>
>>>>>  In your current setup, the DHCP server is running on the switch at
>>>>> the edge or is it on a ‘core switch’ ? Let’s say you have 3 access
>>>>> switches, connected back to one core switch, but doing L3 (VLANs stay at
>>>>> the access switches level). DHCP server is on the access switches or on
>>>>> the core switch ?
>>>>>
>>>>>  The thing is, I’m unsure if, when the DHCP server is running on the
>>>>> same switch where the VLAN is ending (L2 connectivity), iphelpers can do
>>>>> the job.
>>>>>
>>>>>  If you can share a network design, that’d be great… I guess… ;)
>>>>>
>>>>>  (Sorry if it was part of a previous discussion, I clicked the link
>>>>> which was leading me to another previous conversation, which was also
>>>>> leading me to another discussion… I’ve been lost in the Matrix while
>>>>> trying to figure out which conversation was the initial one!)
>>>>>
>>>>>  Cheers!
>>>>>  dw.
>>>>>
>>>>>  --
>>>>> Derek Wuelfrath
>>>>> [email protected] :: +1.514.447.4918 (x110) :: +1.866.353.6153
>>>>> (x110)
>>>>> Inverse inc. (www.inverse.ca) :: Leaders behind SOGo (www.sogo.nu)
>>>>> and PacketFence (www.packetfence.org)
>>>>>
>>>>> On May 14, 2015 at 06:12:01, Boris Epstein ([email protected])
>>>>> wrote:
>>>>>
>>>>>   Hello all,
>>>>>
>>>>>  I have raised the issue previously:
>>>>>
>>>>>
>>>>> http://www.mail-archive.com/packetfence-users%40lists.sourceforge.net/msg08765.html
>>>>>
>>>>>  Basically, the issue is that I am trying to run a DHCP server on my
>>>>> Cisco IOS (Catalyst) switches while I run my PF server that only has IP
>>>>> connectivity to them (no VLAN connectivity as VLAN's are local to the
>>>>> switches).
>>>>>
>>>>>  The setup requires that IP update/status info for all nodes be
>>>>> communicated back to the PF server. That is not happening for some reason
>>>>> - at least not via the Cisco's "ip helper-address" mechanism.
>>>>>
>>>>>  So the question fundamentally is - how do I do that? What
>>>>> implementations do any of you have out there that accomplish it? Sounds
>>>>> like some people have DHCP servers separate from PF and switches. OK, that
>>>>> is an idea. What other implementations are out there?
>>>>>
>>>>> If you don't mind sharing that I will be very thankful.
>>>>>
>>>>>  Cheers,
>>>>>
>>>>>  Boris.
>>>>>
>>>>>   
>>>>> ------------------------------------------------------------------------------
>>>>>
>>>>> One dashboard for servers and applications across
>>>>> Physical-Virtual-Cloud
>>>>> Widest out-of-the-box monitoring support with 50+ applications
>>>>> Performance metrics, stats and reports that give you Actionable
>>>>> Insights
>>>>> Deep dive visibility with transaction tracing using APM Insight.
>>>>>
>>>>> http://ad.doubleclick.net/ddm/clk/290420510;117567292;y_______________________________________________
>>>>> PacketFence-users mailing list
>>>>> [email protected]
>>>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>>
>>
>>
>>
>>
>>
>> --
>> Fabrice [email protected] ::  +1.514.447.4918 (x135) ::  
>> www.inverse.ca
>> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
>> (http://packetfence.org)
>>
>>
>>
>>
>>
>
>
>
>
>
> --
> Fabrice [email protected] ::  +1.514.447.4918 (x135) ::  www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
> (http://packetfence.org)
>
>
>
>
>
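The RADIUS accounting route suggested in the thread, as an added example that is not part of the original messages or of PacketFence's code: it authenticates an Accounting-Request against the shared secret and pulls the MAC/IP pair from Calling-Station-Id (31) and Framed-IP-Address (8), returning None when the switch sent no attribute 8. The function names, shared secret and sample packet are constructed for illustration.

```python
import hashlib
import hmac
import ipaddress
import struct

ACCOUNTING_REQUEST, FRAMED_IP_ADDRESS, CALLING_STATION_ID = 4, 8, 31  # RFC 2866 code; RFC 2865 types

def authentic(packet, secret):
    """Request Authenticator = MD5(code+id+len + 16 zero bytes + attrs + secret)."""
    length = struct.unpack("!H", packet[2:4])[0]
    digest = hashlib.md5(packet[:4] + bytes(16) + packet[20:length] + secret).digest()
    return hmac.compare_digest(digest, packet[4:20])

def attributes(packet):
    """Yield (type, value) pairs, rejecting malformed lengths."""
    length = struct.unpack("!H", packet[2:4])[0] if len(packet) >= 20 else 0
    if packet[:1] != bytes([ACCOUNTING_REQUEST]) or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    pos = 20
    while pos < length:
        a_len = packet[pos + 1] if pos + 2 <= length else 0
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        yield packet[pos], packet[pos + 2:pos + a_len]
        pos += a_len

def mac_ip_pair(packet, secret):
    """Return (mac, ip), or None when the NAS sent no usable pair."""
    attrs = list(attributes(packet))            # structural checks first
    if not authentic(packet, secret):
        raise ValueError("Request Authenticator does not match the shared secret")
    mac = ip = None
    for a_type, value in attrs:
        if a_type == CALLING_STATION_ID:        # 00-11-.., 0011.2233.. or 00:11:..
            hexd = [c for c in value.decode("ascii", "ignore").lower() if c in "0123456789abcdef"]
            if len(hexd) == 12:
                mac = ":".join(a + b for a, b in zip(hexd[::2], hexd[1::2]))
        elif a_type == FRAMED_IP_ADDRESS and len(value) == 4:
            ip = str(ipaddress.IPv4Address(value))
    return (mac, ip) if mac and ip else None

def build_sample(secret, with_ip=True):
    """Constructed Accounting-Request (Start); sample values, not a capture."""
    tlv = lambda t, v: bytes([t, len(v) + 2]) + v
    body = tlv(40, struct.pack("!I", 1)) + tlv(31, b"00-11-22-AA-BB-CC")
    body += tlv(8, bytes([10, 0, 17, 42])) if with_ip else b""
    head = struct.pack("!BBH", ACCOUNTING_REQUEST, 1, 20 + len(body))
    auth = hashlib.md5(head + bytes(16) + body + secret).digest()
    return head + auth + body
```

Checking the authenticator before trusting the pair matters here because accounting arrives over plain UDP from remote sites, and an unauthenticated packet could otherwise rewrite a node's MAC-to-IP mapping.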