[ednog] Techniques for overlays and walled gardens

Frank Sweetser fs at WPI.EDU
Wed Apr 6 12:10:51 EDT 2005

On Wed, Apr 06, 2005 at 09:56:39AM -0500, John Kristoff wrote:
> Are you not doing 802.1q or equivalent trunking, but rather dedicating
> a port between 8600s for each private VLAN?  That would seem like a
> relatively simple and easy approach if you have the luxury of copper
> and fiber in between 8600s, unfortunately we don't.

No, we are using 1q trunking heavily.  It's just that some VLANs are only
defined a building or two plus the core, and are routed, while others are flat
across our whole network, and have no (logical) routers defined anywhere on

> > So the order of operations would roughly be
> > 
> >  - person (say, a student) comes up and plugs a machine into a port
> >  - machine gets IP on the port's default VLAN
> >  - student authenticates to netpass
> >  - netpass flips VLAN of port - does this require machine to get a new IP?
> No, you use the same address on either side of the walled garden.
> There are other people on this list from NU (and we've asked Jeff
> Murphy from buffalo.edu, one of the primary developers to join the
> list also) that could explain it better than I, but basically when
> put into quarantine, the Netpass box looks like the default router
> to everyone in quarantine.

Ah, okay.  I found enough info on the Buffalo website to get an idea of what
it does.  We've actually got similar long range plans with CMU NetNotify,
which works in tandem with CMU Netreg.

> >  - VLAN is used to trigger MPLS, which applies user class specific policies
> > Correct?
> Once Netpass switches a port back into its public non-quarantine
> VLAN, all frames ingress to that VLAN could be put into a MPLS FEC.

Okay, that sounds better.  I haven't worked with MPLS, but that makes sense.

> I think I strayed a little from original inquiry on just how people

That's the problem with network operations - all those separate systems
get tangled together...

> are doing separation and walled gardens so I'll take this offline if
> you want to discuss it further.  Suffice to say, I'm not convinced
> 'ideal' is practical.

If only we could get those darn hackers to use the evil bit!

Frank Sweetser fs at wpi.edu
WPI Network Engineer
GPG fingerprint = 6174 1257 129E 0D21 D8D4  E8A3 8E39 29E3 E2E8 8CEC
