Hash username or mac address to assign user to different vlan

Phil Mayers p.mayers at imperial.ac.uk
Fri Feb 18 16:00:48 CET 2011


On 18/02/11 14:52, schilling wrote:
> I can explain my environment.

This is getting OT for the list, and will be my last post.

> We are migrating from traditional captive portal to new 802.1x
> WPA2-Enterprise, from fat AP to controller based wireless
> architecture. Wireless mobility comes into play too. At the same
> time, how to maintain the traditional source-based IP ACL/Firewall? We
> already implemented MPLS VPN based network virtualization, so we want
> to utilize both MPLS VPN and newer wireless architecture. That's why.

I'm not suggesting that you shouldn't do *any* VLAN assignment. We do 
VLAN assignment on wireless, and in fact each VLAN is inside an MPLS 
VPN, so we're doing something similar to you.

I'm only suggesting that hashing or any other "load balancing" scheme to 
keep ~N clients in each of X VLANs might be either unnecessary or 
possibly even harmful.

>
> Another thing is big VLAN broadcast scalability. So we want to chop
> off users into different VLANs at first by hash; later we will try to
> implement group-based VLAN assignment.

But why? Many (most?) controller-based wireless systems don't suffer 
from broadcast scalability problems. For example, our Cisco WiSMs simply 
don't forward broadcasts. They proxy ARP requests and handle the DHCP 
internally, so there's no need for clients to send broadcasts.

I would talk to your vendor to see if they have a similar solution.
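The scheme under discussion, "hash the username or MAC and use the result to pick one of X VLANs", as an added, self-contained example that is not code from either poster or from FreeRADIUS itself. The VLAN pool and MAC addresses are constructed for illustration; the returned attribute names and values are the standard RFC 3580 dynamic-VLAN attributes a RADIUS server places in an Access-Accept.

```python
import hashlib
import re
from collections import Counter

# Constructed VLAN pool for this example; the thread names no real VLAN IDs.
VLAN_POOL = [101, 102, 103, 104]


def normalize_mac(mac):
    """Canonicalise a MAC to 12 lowercase hex digits.

    Accepts the aa:bb:cc, aa-bb-cc and aabb.ccdd forms that different
    NAS vendors send in Calling-Station-Id, so that one device always
    hashes to the same VLAN regardless of formatting.
    """
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def vlan_for_key(key, pool=VLAN_POOL):
    """Deterministically map an identity (MAC or username) to a VLAN.

    SHA-256 is used only because its output is uniformly spread; there is
    nothing secret here.  The first 8 bytes of the digest are reduced
    modulo the pool size to pick a slot.
    """
    digest = hashlib.sha256(key.encode("utf-8")).digest()
    index = int.from_bytes(digest[:8], "big") % len(pool)
    return pool[index]


def radius_vlan_attributes(vlan_id):
    """Reply attributes for dynamic VLAN assignment (RFC 3580 section 3.31)."""
    return {
        "Tunnel-Type": "VLAN",             # integer value 13
        "Tunnel-Medium-Type": "IEEE-802",  # integer value 6
        "Tunnel-Private-Group-Id": str(vlan_id),
    }


def assign_by_mac(mac):
    """Full path: raw Calling-Station-Id -> normalised MAC -> VLAN -> reply attributes."""
    return radius_vlan_attributes(vlan_for_key(normalize_mac(mac)))


def distribution(macs, pool=VLAN_POOL):
    """Count how many of the given clients each VLAN would receive.

    This is the "~N clients in each of X VLANs" balancing the thread talks
    about; because the hash ignores who the user is, VLAN membership here
    carries no group or policy meaning, only load spreading.
    """
    counts = Counter(vlan_for_key(normalize_mac(m), pool) for m in macs)
    return {v: counts.get(v, 0) for v in pool}


if __name__ == "__main__":
    # Constructed sample population of 64 client MACs.
    sample = [f"00:11:22:33:44:{i:02x}" for i in range(64)]
    print(assign_by_mac("AA:BB:CC:DD:EE:FF"))
    print(distribution(sample))
```

Note that the per-VLAN counts are close to even but only a statistical consequence of the hash, and nothing about a client's VLAN says anything about the user or group it belongs to, which is why a source-address ACL keyed on these VLANs cannot express group policy; that is the step the thread defers to "group-based VLAN assignment".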
