[ednog] Techniques for overlays and walled gardens

Frank Sweetser fs at WPI.EDU
Wed Apr 6 09:05:49 EDT 2005


On Tue, Apr 05, 2005 at 10:31:58PM -0500, John Kristoff wrote:
> On Tue, 5 Apr 2005 18:55:55 -0400
> Frank Sweetser <fs at WPI.EDU> wrote:
> 
> > Here, for the important stuff (security cameras, environmental controls,
> > etc) we put them in an application specific VLAN with an RFC1918 addressing
> > scheme.
> 
> Is your network really flat so these layer 2 VLANs span the entire
> campus?  Or do you simply create separate and isolated layer 2 VLANs
> at each routing domain and not connect them together?

All of our core routers are Nortel 8600 switch routers.  For the private VLANs,
we define the VLAN and its port memberships, but don't define an IP interface
on the router.  So the public routed VLANs get handled as a router, while for
the private VLANs, it just acts like a dumb switch, meaning that for those
private VLANs it really is flat across the whole campus.

> I don't think we've really thought through all the issues yet, but
> to give you an idea of what this might look like under an ideal
> scenario...  All users have a Northwestern 'netid' that is used
> to authenticate their host onto the dial, wireless or wired net.

Well, that's further than we've gotten.

> Port-level authentication is the holy grail for this to happen,
> but using our Netpass system we could theoretically do this based
> on a set group of VLANs.  If you register as a student, you get
> put into the student VLAN, as a staff member, the staff VLAN and
> faculty go into the faculty VLAN.  Using the magic of MPLS, each
> group's VLAN sees a different picture of the routing table and
> gets funneled through the net per that group's class.  Faculty
> might be unencumbered, students might all first have to go behind
> a firewall and rate limiter that shields those hosts from the
> rest of us, etc.

So the order of operations would roughly be

 - person (say, a student) comes up and plugs a machine into a port

 - machine gets IP on the port's default VLAN

 - student authenticates to netpass

 - netpass flips VLAN of port - does this require machine to get a new IP?

 - VLAN is used to trigger MPLS, which applies user class specific policies

Correct?

-- 
Frank Sweetser fs at wpi.edu
WPI Network Engineer
GPG fingerprint = 6174 1257 129E 0D21 D8D4  E8A3 8E39 29E3 E2E8 8CEC

