[ednog] Techniques for overlays and walled gardens

John Kristoff jtk at northwestern.edu
Wed Apr 6 10:56:39 EDT 2005

On Wed, 6 Apr 2005 09:05:49 -0400
Frank Sweetser <fs at WPI.EDU> wrote:

> All of our core routers are Nortel 8600 switch routers.  For the private VLANs,
> we define the VLAN and its port memberships, but don't define an IP interface
> on the router.  So the public routed VLANs get handled as a router, while for
> the private VLANs, it just acts like a dumb switch, meaning that for those
> private VLANs it really is flat across the whole campus.

Are you not doing 802.1q or equivalent trunking, but rather dedicating
a port between 8600s for each private VLAN?  That would seem like a
relatively simple and easy approach if you have the luxury of copper
and fiber in between 8600s, unfortunately we don't.

> > I don't think we've really thought through all the issues yet, but
> > to give you an idea of what this might look like under an ideal
> > scenario...  All users have a Northwestern 'netid' that is used
> > to authenticate their host onto the dial, wireless or wired net.
> Well, that's further than we've gotten.

We're only part way there on the wired side.

> So the order of operations would roughly be
>  - person (say, a student) comes up and plugs a machine into a port
>  - machine gets IP on the ports default VLAN
>  - student authenticates to netpass
>  - netpass flips VLAN of port - does this require machine to get a new IP?

No, you use the same address on either side of the walled garden.
There are other people on this list from NU (and we've asked Jeff
Murphy from buffalo.edu, one of the primary developers to join the
list also) that could explain it better than I, but basically when
put into quarantine, the Netpass box looks like the default router
to everyone in quarantine.

>  - VLAN is used to trigger MPLS, which applies user class specific policies
> Correct?

Once Netpass switches a port back into its public non-quarantine
VLAN, all frames ingress to that VLAN could be put into an MPLS FEC.

I think I strayed a little from the original inquiry on just how people
are doing separation and walled gardens, so I'll take this offline if
you want to discuss it further.  Suffice to say, I'm not convinced
'ideal' is practical.
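The mechanism John describes (one IP address on both sides of the walled garden, the Netpass box answering as the default router on the quarantine VLAN, and a port VLAN flip as the only "release" step) as a small Python model. This is an added illustration, not Netpass code and not anything from the list; the VLAN ids, MAC and IP addresses, the user table and the portal address are all constructed for the example, and the model assumes the host re-resolves its default router's MAC on each lookup (a real host's ARP cache would hold the old entry until it expires).

```python
"""Toy model of a Netpass-style walled garden (constructed example).

- Every switch port starts in the quarantine VLAN.
- Both VLANs share one subnet and one default-router IP, so the host's
  DHCP lease does not change when the port is flipped.
- On the quarantine VLAN the Netpass box answers for the default-router
  IP and only lets the host reach the portal; after authentication the
  port is moved to the public VLAN, where the real router answers.
"""
import hmac
from dataclasses import dataclass, field

GATEWAY_IP = "10.0.0.1"           # same default-router address in both VLANs (assumption)
QUARANTINE_VLAN = 900             # made-up VLAN ids
PUBLIC_VLAN = 100

# Which MAC answers ARP for GATEWAY_IP on each VLAN (constructed values).
GATEWAY_MAC = {
    QUARANTINE_VLAN: "00:00:5e:00:53:aa",   # the Netpass box
    PUBLIC_VLAN:     "00:00:5e:00:53:01",   # the real core router
}
NETPASS_MAC = GATEWAY_MAC[QUARANTINE_VLAN]

PORTAL_IP = "10.0.0.5"            # constructed: the Netpass portal itself
GARDEN_ALLOW = {PORTAL_IP}        # the only destination reachable from quarantine

# Hypothetical VLAN -> MPLS FEC mapping applied after release.
INGRESS_FEC = {PUBLIC_VLAN: "fec-student"}


@dataclass
class Port:
    vlan: int = QUARANTINE_VLAN   # every port starts quarantined


@dataclass
class Host:
    mac: str
    ip: str = ""
    port: Port = field(default_factory=Port)

    def dhcp(self, lease_ip):
        # One lease serves both VLANs; nothing is re-issued on the flip.
        self.ip = lease_ip

    def resolve_gateway(self):
        # ARP for the default router on whatever VLAN the port is in now.
        return GATEWAY_MAC[self.port.vlan]


def forward(host, dst_ip):
    """Fate of a packet from host to dst_ip via its default router."""
    next_hop = host.resolve_gateway()
    if next_hop == NETPASS_MAC:
        # Netpass is the default router: only the garden is reachable,
        # everything else is steered to the portal.
        return "ok" if dst_ip in GARDEN_ALLOW else "redirect-to-portal"
    return "routed"


def ingress_fec(host):
    """FEC applied to frames ingressing the host's VLAN (None = none)."""
    return INGRESS_FEC.get(host.port.vlan)


def authenticate(host, netid, password, users):
    """Netpass: a valid netid flips the port VLAN; the host IP is untouched."""
    expected = users.get(netid, "")
    if not hmac.compare_digest(expected.encode(), password.encode()):
        return False
    host.port.vlan = PUBLIC_VLAN
    return True


if __name__ == "__main__":
    users = {"jdoe": "correct-horse"}          # constructed netid table
    h = Host(mac="00:00:5e:00:53:10")
    h.dhcp("10.0.0.42")
    print(h.port.vlan, forward(h, "192.0.2.1"))            # 900 redirect-to-portal
    authenticate(h, "jdoe", "correct-horse", users)
    print(h.port.vlan, h.ip, forward(h, "192.0.2.1"), ingress_fec(h))
```

The point the model makes visible is that nothing about the host's IP configuration changes across the flip; what changes is which device answers for the default-router address on the VLAN the port now belongs to.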