Hash username or mac address to assign user to different vlan

Kenneth Marshall ktm at rice.edu
Fri Feb 18 16:12:03 CET 2011


On Fri, Feb 18, 2011 at 03:00:48PM +0000, Phil Mayers wrote:
> On 18/02/11 14:52, schilling wrote:
>> I can explain my environment.
>
> This is getting OT for the list, and will be my last post.
>
>> We are migrating from traditional captive portal to new 802.1x
>> WPA2-Enterprise, from fat AP to controller based wireless
>> architecture. Wireless mobility comes into play too.  At the same
>> time, how to maintain the traditional source-based IP ACL/Firewall? We
>> already implemented MPLS VPN based network virtualization, so we want
>> to utilize both MPLS VPN and newer wireless architecture.  That's why.
>
> I'm not suggesting that you shouldn't do *any* VLAN assignment. We do VLAN 
> assignment on wireless, and in fact each VLAN is inside an MPLS VPN, so 
> we're doing something similar to you.
>
> I'm only suggesting that hashing or any other "load balancing" scheme to 
> keep ~N clients in each of X VLANs might be either unnecessary or possibly 
> even harmful.
>

Of course balancing does not matter if each of your VLANs can support
your entire complement of users. We are not that lucky and need to
spread the assignments out.

Cheers,
Ken

>>
>> Another thing is big VLAN broadcast scalability. So we want to chop
>> off users in different VLANs at first by hash, later will try to
>> implement group based VLAN assignment.
>
> But why? Many (most?) controller-based wireless systems don't suffer from 
> broadcast scalability problems. For example, our Cisco WiSMs simply don't 
> forward broadcasts. They proxy ARP requests and handle the DHCP internally, 
> so there's no need for clients to send broadcasts.
>



