Traveling VIPs
Traveling VIPs
(OP)
Here's the situation: At our facilities, we have two classes of user: VIPs (very important persons) and NIPs (not important persons). We would like to prioritize all VIP traffic so that it doesn't get delayed by NIP traffic. We have no problems prioritizing traffic once machines are organized into a VIP and NIP subnet.
To make things fun, most VIPs move around the facility with notebook computers, plugging in to whatever port is convenient. Many of the NIPs do the same. Even more fun, both VIPs and NIPs may take their notebooks home and would like them to work in that setting.
Ideally, we'd like to organize users into the VIP and NIP groups, but can accept basing that decision on the machine (ie. MAC address), but because machines move around, we can't base the decision on the port in use. We would also rather not allow this priority to be completely controlled on the user's machine. (For example, just setting the VLAN ID on the NIC. Then users could easily attain VIP status.)
We have Cisco routers and fairly full-featured switches. (They definitely support VLANs and VLAN tagging/trunking). We have Linux DHCP, DNS, and Samba servers. We also have control of the IP subnets we use as they are private address ranges. We would rather not buy special hardware to achieve our goal, but are open to that possibility.
The best scheme I've come up with (and it's still half-baked) is the following: Set all ports on the switches to accept two VLANs, the default VLAN (ID 1) and the VIP VLAN (ID 2). A VIP user's machine will be set to use the VIP VLAN. The DHCP server will be connected to both VLANs, will divvy out addresses on a default subnet to anybody who asks on the default VLAN, but will restrict addresses on a VIP subnet to machines that ask on the VIP VLAN. In addition, the DHCP server will only give VIP addresses to certain MAC addresses. The problem with this scheme is that I don't think it will work when the user brings their notebook home. (Although maybe typical home networking routers/switches just ignore the VLAN ID on traffic.)
Another option would be to have both subnets exist on a single Ethernet segment. For some reason, this scheme gives me the willies.
Does anybody have any suggestions or pointers that might help me out?
Please and thank-you.
To make things fun, most VIPs move around the facility with notebook computers, plugging in to whatever port is convenient. Many of the NIPs do the same. Even more fun, both VIPs and NIPs may take their notebooks home and would like them to work in that setting.
Ideally, we'd like to organize users into the VIP and NIP groups, but can accept basing that decision on the machine (ie. MAC address), but because machines move around, we can't base the decision on the port in use. We would also rather not allow this priority to be completely controlled on the user's machine. (For example, just setting the VLAN ID on the NIC. Then users could easily attain VIP status.)
We have Cisco routers and fairly full-featured switches. (They definitely support VLANs and VLAN tagging/trunking). We have Linux DHCP, DNS, and Samba servers. We also have control of the IP subnets we use as they are private address ranges. We would rather not buy special hardware to achieve our goal, but are open to that possibility.
The best scheme I've come up with (and it's still half-baked) is the following: Set all ports on the switches to accept two VLANs, the default VLAN (ID 1) and the VIP VLAN (ID 2). A VIP user's machine will be set to use the VIP VLAN. The DHCP server will be connected to both VLANs, will divvy out addresses on a default subnet to anybody who asks on the default VLAN, but will restrict addresses on a VIP subnet to machines that ask on the VIP VLAN. In addition, the DHCP server will only give VIP addresses to certain MAC addresses. The problem with this scheme is that I don't think it will work when the user brings their notebook home. (Although maybe typical home networking routers/switches just ignore the VLAN ID on traffic.)
Another option would be to have both subnets exist on a single Ethernet segment. For some reason, this scheme gives me the willies.
Does anybody have any suggestions or pointers that might help me out?
Please and thank-you.
Talk To Other Members
RE: Traveling VIPs
1.MAC acl for class maps to police/rate-limit traffic.
2.Cisco TACACS+ with AAA authentication/authorization.
/
tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!
RE: Traveling VIPs
Funny, I'd always wanted to do the actual shaping by subnet and had never thought of just using the MAC directly. That would definitely work. In fact, it's simpler.
TACACS+ is interesting. I wonder if a RADIUS server could be used to achieve what we're looking for. We're getting used to RADIUS for wireless anyway.
RE: Traveling VIPs
/
tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!
RE: Traveling VIPs
There is the issue that non-password information is transmitted in the clear. But his can be avoided. Something to else to put on my TODO list.
RE: Traveling VIPs
/
tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!