RE: [Netpass-users] NetPass installation?
From: Jeff M. <jcm...@os...> - 2005-06-08 20:48:50
On Wed, 2005-06-08 at 14:13 -0500, Harding, Troy wrote:
> Okay. I now understand much better how things fit together. Thanks Jeff!
> Here's answers to the questions you asked:
>
> > did we put something in the doc about endace?
>
> That was on Part 2c which gives instructions to "Configure Snort to work
> with endace cards". I guess that is really more of an add-on to NetPass.

Yes. That's an add-on. And you don't really need the Endace cards for Snort
unless you are having performance problems on your Snort box (due to high
volume). Certainly at FE speeds, almost any generic PC should be able to run
Snort with no serious performance issues.

> > what equipment (switches & routers) are you using?
>
> We're currently just implementing this on a small satellite campus of
> K-State University. The dorms are connected directly to the campus network
> through Cisco 2924 switches. There is no router between the dorms and the
> campus network. All SNMP traffic is currently isolated on a separate VLAN.
> I guess that means that we'll need three interfaces on the NetPass server:
> Quar, Unquar, and SNMP VLAN. Does that sound reasonable?

The NetPass server still gets 2 physical interfaces. eth0 sits on the
routable network (facing towards your core) and SNMP instructions are sent
out that interface. The switch management interfaces need to be on a
separate subnet/VLAN for NetPass to work. At UB, all of our ResNet switches
are on a single subnet, for management, and that subnet is assigned a
separate VLAN. That subnet and VLAN aren't part of the NetPass config.

eth1 points towards your ResNet and you will bridge/trunk all of the ResNet
VLANs (both quar and unquar) back to the NetPass server. NetPass then brings
up tagged virtual interfaces for each VLAN. So if you do an ifconfig you see
things like:

    eth0      128.205.1.26/24
    eth1      0.0.0.0
    eth1.100  0.0.0.0
    eth1.800  128.205.100.254/24
    eth1.101  0.0.0.0
    eth1.801  128.205.101.254/24

where eth1 isn't used. eth1.100 and eth1.101 are the unquarantined VLANs and
are not configured with an IP address (but are still useful and in some
cases required for NetPass - so make sure they are bridged back). eth1.800
and eth1.801 are the two quarantine VLANs. They are assigned the same gateway
as is assigned to the router that gateways for those subnets. When the
client is in quarantine, the gateway swings from the router to the NetPass
server.

When you say "the dorms are connected directly to the campus network through
Cisco 2924 switches" can you elaborate? Are you routed at all internally? Can
you provide a picture? Look at http://netpass.sf.net/ov/network1.png - it's
a diagram we used a while back to help illustrate how routing/addressing/
bridging works with NetPass.

jeff
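As an added example, not NetPass code and not part of the mail above, the
following POSIX shell script emits the iproute2 commands that reproduce the
interface layout Jeff describes on a Linux host: the eth1 trunk stays
unaddressed, each unquarantined VLAN gets a tagged subinterface with no
address, and each quarantine VLAN gets a tagged subinterface carrying the
gateway address shown in the ifconfig listing. The interface name, VLAN IDs
and addresses are taken from the mail; the use of the 8021q "ip link ...
type vlan" interface rather than the 2005-era vconfig tool, and the
colon-separated spec format, are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not NetPass's own code): print the iproute2 commands that
# build the NetPass eth1 layout from Jeff's mail. Nothing is applied here;
# pipe the output to sh as root on the NetPass server to apply it.
#
# Usage: netpass_vlan_cmds TRUNK_IF "UNQ_VLAN:QUAR_VLAN:GATEWAY/PREFIX" ...
# Each spec pairs an unquarantined VLAN with its quarantine VLAN and the
# gateway address the router uses for that subnet (assumed spec format).

netpass_vlan_cmds() {
    trunk=$1
    shift
    [ -n "$trunk" ] || { echo 'netpass_vlan_cmds: missing trunk interface' >&2; return 1; }

    # The parent trunk carries every tagged VLAN but gets no address itself.
    printf 'ip link set dev %s up\n' "$trunk"

    for spec in "$@"; do
        # Reject anything that is not UNQ:QUAR:ADDR/PREFIX before emitting
        # half a plan.
        case $spec in
            *:*:*/*) ;;
            *) printf 'netpass_vlan_cmds: bad spec %s\n' "$spec" >&2; return 1 ;;
        esac
        unq=${spec%%:*}
        rest=${spec#*:}
        quar=${rest%%:*}
        addr=${rest#*:}

        # Unquarantined VLAN: tagged subinterface, brought up, no IP address.
        # It must still be trunked to the server even though it has no address.
        printf 'ip link add link %s name %s.%s type vlan id %s\n' "$trunk" "$trunk" "$unq" "$unq"
        printf 'ip link set dev %s.%s up\n' "$trunk" "$unq"

        # Quarantine VLAN: tagged subinterface that carries the same gateway
        # address the router uses for this subnet, so a quarantined client's
        # default gateway lands on the NetPass server instead of the router.
        printf 'ip link add link %s name %s.%s type vlan id %s\n' "$trunk" "$trunk" "$quar" "$quar"
        printf 'ip addr add %s dev %s.%s\n' "$addr" "$trunk" "$quar"
        printf 'ip link set dev %s.%s up\n' "$trunk" "$quar"
    done
}

# The two VLAN pairs from the mail (VLAN IDs and addresses as Jeff listed them).
netpass_vlan_cmds eth1 \
    100:800:128.205.100.254/24 \
    101:801:128.205.101.254/24
```

The generated plan assigns addresses only to the .800 and .801 subinterfaces;
the .100 and .101 subinterfaces and the eth1 parent come up with no address,
matching the ifconfig listing. The quarantine address duplicates the router's
gateway address on purpose, which is only safe because the quarantine VLAN is
a separate layer-2 domain from the unquarantined one.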