<HTML><HEAD>
<META content="text/html; charset=iso-8859-15" http-equiv=Content-Type>
<META name=GENERATOR content="MSHTML 8.00.7600.16671"></HEAD>
<BODY style="MARGIN: 4px 4px 1px; FONT: 10pt Segoe UI">
<DIV> I agree breaking the network up into separate VLANs then routing between them would help with broadcasting but I do not agree that hashing values and then using those hashing values as we randomizing agents to distribute vlans. There has to be a more elegant way to do this, I believe there is.</DIV>
<DIV> </DIV>
<DIV> First off by randomizing what network a host is going to be on is going to be extremely confusing when you try and troubleshoot other issues, for instance a virus outbreak, now you have to figure out who is on what subnet and who is sending what etc.. I can think of a lot of other issues that would cause headaches, suffice to say it is not a good idea.</DIV>
<DIV> </DIV>
<DIV> The better way to do this is to break people up by some logical means, such as Accounting, testing, personnel etc. Then create groups and assign group ids based on the users in those groups. This gives the benefit of segmenting and securing like minded traffic as well, maybe accounting can only talk to accounting, personnel can only talk to these servers, or those servers etc. Of course you would have to route to other subnets if you want them to talk but now you have control to say only this group of people can talk to that group of people and not just open it up for everyone. </DIV>
<DIV> </DIV>
<DIV> Even if you assign users by Group1, Group2, Group3 and you have a virus outbreak now you can at least look at it and say right away all Group1 subnet is crazy and have a list of all the stations/users in that group.</DIV>
<DIV> </DIV>
<DIV> Anyway, that is my 2 cents on the whole deal.</DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV>
<DIV>Brett Littrell</DIV>
<DIV>Network Manager</DIV>
<DIV>MUSD</DIV>
<DIV>CISSP, CCSP, CCVP, MCNE</DIV></DIV>
<DIV> </DIV>
<DIV>>>> On Thursday, February 17, 2011 at 11:26 AM, in message <fc9038-7cg.ln1@chipmunk.wormnet.eu>, Alexander Clouter <alex@digriz.org.uk> wrote:<BR></DIV>
<TABLE style="MARGIN: 0px 0px 0px 15px; FONT-SIZE: 1em" border=0 bgColor=#f3f3f3>
<TBODY>
<TR>
<TD>
<DIV style="BORDER-LEFT: #050505 1px solid; PADDING-LEFT: 7px">schilling <schilling2006@gmail.com> wrote:<BR>> <BR>> I get dynamic VLAN assignment working in post-auth section with <BR>> help/hints from a lot of list members. Now I want to do one more <BR>> steps. I would like to hash the username or mac-address to distribute <BR>> users to different VLANs. The idea is to use freeradius to spread the <BR>> load on different smaller subnets to reduce the broadcast in bigger <BR>> VLANs.<BR>><BR>You are however not reducing the broadcast domain, you might be <BR>segregating the noise though. If you have large L2 broadcast domains, <BR>splitting people up into different VLAN's is not going to in effect <BR>solve the problem.<BR><BR>For background noise, you can actually reduce chatter by asking Windows <BR>clients to disable NetBEUI via DHCP and configure switches/wifi to not <BR>forward client<->client traffic where appropriate. For wireless networks <BR>you can also kill a lot of multicast traffic (5353/udp is a good example <BR>I would say).<BR><BR>Another possible work around is that VLAN 'facstaff' at site A is not <BR>the same broadcast domain at site B.<BR><BR>Better still, L3 is the way to go. We have and it solves a lot of <BR>problems, although there is upfront migration pains.<BR><BR>> For example I want to do the following<BR>> if ( "%{User-Name}" !~ /@/ ) {<BR>> if ( %{User-Name}%2 == 0 ) {<BR>> update reply {<BR>> Service-Type = "Framed-User"<BR>> Tunnel-Type = "VLAN"<BR>> Tunnel-Medium-Type = "IEEE-802"<BR>> Tunnel-Private-Group-Id = "facstaff0"<BR>> }<BR>> elsif ( %{User-Name}%2 == 1 ) {<BR>> update reply {<BR>> Service-Type = "Framed-User"<BR>> Tunnel-Type = "VLAN"<BR>> Tunnel-Medium-Type = "IEEE-802"<BR>> Tunnel-Private-Group-Id = "facstaff1"<BR>> }<BR>> }<BR>> }<BR>> <BR>> Will I be able to do this in the post-auth with unlang?<BR>><BR>You probably would get better millege calling on 'md5' xlat, I think <BR>the following sort of thing will work:<BR>----<BR>authorise {<BR> update reply {<BR> Service-Type := Framed-User<BR> Tunnel-Type := VLAN<BR> Tunnel-Medium-Type := IEEE-802<BR> }<BR><BR> # kludge to fake substr()<BR> if (%{md5:%{User-Name}} =~ /^(.)/) {<BR> if (%{1} =~ /^[0-7]/) {<BR> update reply {<BR> Tunnel-Private-Group-Id := "facstaff0"<BR> }<BR> } else {<BR> update reply {<BR> Tunnel-Private-Group-Id := "facstaff1"<BR> }<BR> }<BR> }<BR>}<BR>---- <BR><BR>I would recommend L3-ising your network though if possible and as the <BR>rubberband-aid use DHCP/ACL's to keep broadcast/multicast traffic noise <BR>to a minimum.<BR><BR>Cheers<BR><BR>-- <BR>Alexander Clouter<BR>.sigmonster says: RAM wasn't built in a day.<BR><BR>-<BR>List info/subscribe/unsubscribe? See <A href="http://www.freeradius.org/list/users.html">http://www.freeradius.org/list/users.html</A><BR></DIV></TD></TR></TBODY></TABLE></BODY></HTML>