Traveling VIPs

Traveling VIPs

Traveling VIPs

(OP)
Here's the situation: At our facilities, we have two classes of user: VIPs (very important persons) and NIPs (not important persons). We would like to prioritize all VIP traffic so that it doesn't get delayed by NIP traffic. We have no problems prioritizing traffic once machines are organized into a VIP and NIP subnet.

To make things fun, most VIPs move around the facility with notebook computers, plugging in to whatever port is convenient. Many of the NIPs do the same. Even more fun, both VIPs and NIPs may take their notebooks home and would like them to work in that setting.

Ideally, we'd like to organize users into the VIP and NIP groups, but can accept basing that decision on the machine (i.e. MAC address), but because machines move around, we can't base the decision on the port in use. We would also rather not allow this priority to be completely controlled on the user's machine. (For example, just setting the VLAN ID on the NIC. Then users could easily attain VIP status.)

We have Cisco routers and fairly full-featured switches. (They definitely support VLANs and VLAN tagging/trunking). We have Linux DHCP, DNS, and Samba servers. We also have control of the IP subnets we use as they are private address ranges. We would rather not buy special hardware to achieve our goal, but are open to that possibility.

The best scheme I've come up with (and it's still half-baked) is the following: Set all ports on the switches to accept two VLANs, the default VLAN (ID 1) and the VIP VLAN (ID 2). A VIP user's machine will be set to use the VIP VLAN. The DHCP server will be connected to both VLANs, will divvy out addresses on a default subnet to anybody who asks on the default VLAN, but will restrict addresses on a VIP subnet to machines that ask on the VIP VLAN. In addition, the DHCP server will only give VIP addresses to certain MAC addresses. The problem with this scheme is that I don't think it will work when the user brings their notebook home. (Although maybe typical home networking routers/switches just ignore the VLAN ID on traffic.)

Another option would be to have both subnets exist on a single Ethernet segment. For some reason, this scheme gives me the willies.

Does anybody have any suggestions or pointers that might help me out?

Please and thank-you.
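As an added example (not the OP's or any replier's own configuration), this is how the MAC-restricted two-subnet scheme described above could be expressed in ISC dhcpd.conf. The subnets, MAC addresses and interface layout are constructed placeholders, and it assumes the server has an interface in each VLAN (for example tagged subinterfaces on the trunk port it is plugged into).

```conf
# Constructed example dhcpd.conf for the two-VLAN VIP/NIP scheme.
# Assumes dhcpd listens on one interface per VLAN so that requests
# arriving on VLAN 1 and VLAN 2 are matched to the right subnet.

# VIP machines are identified by hardware (MAC) address only.
class "vip" {
    match hardware;
}
# Subclass data is <hardware type>:<MAC>; 1 = Ethernet. Constructed MACs.
subclass "vip" 1:00:11:22:33:44:55;
subclass "vip" 1:00:11:22:33:44:66;

# Default VLAN (ID 1): anybody who asks here gets a NIP address.
subnet 10.1.0.0 netmask 255.255.255.0 {
    option routers 10.1.0.1;
    option domain-name-servers 10.1.0.10;
    pool {
        range 10.1.0.100 10.1.0.200;
    }
}

# VIP VLAN (ID 2): only hardware listed in class "vip" is served here.
# A machine that tags VLAN 2 but is not in the class gets no lease.
subnet 10.2.0.0 netmask 255.255.255.0 {
    option routers 10.2.0.1;
    option domain-name-servers 10.1.0.10;
    pool {
        range 10.2.0.100 10.2.0.200;
        allow members of "vip";
    }
}

# If both subnets were instead put on one Ethernet segment (the OP's
# "gives me the willies" option), the same two pools would simply be
# wrapped in a single shared-network block; the class logic is unchanged.

# Note: this only controls address allocation. A client that sets a static
# address in 10.2.0.0/24 is unaffected, so the VIP/NIP decision still has
# to be enforced by the switch or router (e.g. a MAC-based ACL or
# 802.1X-style port authentication), not by the DHCP server.
```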

RE: Traveling VIPs

Your DHCP option is easily bypassed by someone statically setting their IP address.

1. MAC ACL for class maps to police/rate-limit traffic.
2. Cisco TACACS+ with AAA authentication/authorization.

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree       
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!

RE: Traveling VIPs

(OP)
Good point regarding just setting a static IP. I'd neglected to put that detail into my description. We can set MAC ACLs on our routers and switches to deal with that.

Funny, I'd always wanted to do the actual shaping by subnet and had never thought of just using the MAC directly. That would definitely work. In fact, it's simpler.

TACACS+ is interesting. I wonder if a RADIUS server could be used to achieve what we're looking for. We're getting used to RADIUS for wireless anyway.

RE: Traveling VIPs

Yes, it should, but with weaker authentication encryption (in fact, none; all clear text)...

RE: Traveling VIPs

(OP)
It is not my impression that RADIUS necessarily requires clear text password transmission for authentication. At least, not according to http://en.wikipedia.org/wiki/RADIUS.

There is the issue that non-password information is transmitted in the clear. But this can be avoided. Something else to put on my TODO list.

RE: Traveling VIPs

You're right---all BUT the passwords are encrypted. CHAP is only unidirectional in RADIUS, and there is no ARA or NetBEUI (who cares...lol) support. Also, for AAA, the architecture is not independent as in TACACS+---authentication and authorization are combined. TACACS+ is the best for router management, but for your situation RADIUS should work just fine. People often set up an IPSEC tunnel/GRE tunnel (with IPSEC, or using profiles...VTI) to work with RADIUS so that the data is protected.
