From: Erik <er...@va...> - 2020-04-23 17:07:26
On 23-04-2020 18:19, Ludovic Zammit wrote:
> Hello Erik,
>
> If you check the routed network documentation you can see an example
> for a remote site.
>
> https://packetfence.org/doc/PacketFence_Installation_Guide.html#_routed_networks
>
> With VLAN enforcement you would need to have one registration network
> - VLAN per remote site.
>
> On that remote registration VLAN interface you would configure an IP
> helper toward your PacketFence layer2 registration interface. Once you
> create that, on PacketFence you create the remote registration network
> and PacketFence would know which IP to distribute based on the network.

I had seen that, thanks. But that seems to imply that PF must be configured with each individual network. And I want to avoid that. We are talking about many hundreds of sites/networks here.

All of this is handled by the VPN system already. Each site is provisioned via a web portal, where the IP range is defined and sent to the site's DHCP server. I could add a module to the VPN system that sends information about each site to PF. But the DHCP service must remain on site. If only to prevent problems should a site be unable to contact PF.

>
> You would also need to create a switch configuration on PacketFence to
> authorize the radius authentication incoming from that remote switch.
> DHCP and Radius are two separate workflows.

Exactly. And I want to keep them separate. AAA by PF. And DHCP locally.

I don't actually have a use case for profiling yet, but does it actually require PF to be the DHCP server? Or can it do profiling if a local DHCP helper somehow informs PF of which IP was locally assigned to which client? I guess I will have to look into Fingerbank to see how that works in detail.