Developers guide

Chapter 11

Technical introduction

to VLAN enforcement 80

You need to create a registration VLAN (with a DHCP server, but no routing to other VLANs) in which

PacketFence will put unregistered devices. If you want to isolate computers which have open violations

in a separate VLAN, an isolation VLAN needs also to be created.

linkUp/linkDown traps

This is the most basic setup and it needs a third VLAN: the MAC detection VLAN. There should be nothing

in this VLAN (no DHCP server) and it should not be routed anywhere; it is just an void VLAN.

When a host connects to a switch port, the switch sends a linkUp trap to PacketFence. Since it takes some

time before the switch learns the MAC address of the newly connected device, PacketFence immediately

puts the port in the MAC detection VLAN in which the device will send DHCP requests (with no answer)

in order for the switch to learn its MAC address. Then pfsetvlan will send periodical SNMP queries to the

switch until the switch learns the MAC of the device. When the MAC address is known, pfsetvlan checks

its status (existing ? registered ? any violations ?) in the database and puts the port in the appropriate

VLAN. When a device is unplugged, the switch sends a linkDown trap to PacketFence which puts the port

into the MAC detection VLAN.

When a computer boots, the initialization of the NIC generates several link status changes. And every

time the switch sends a linkUp and a linkDown trap to PacketFence. Since PacketFence has to act on each

of these traps, this generates unfortunately some unnecessary load on pfsetvlan. In order to optimize

the trap treatment, PacketFence stops every thread for a linkUp trap when it receives a linkDown trap

on the same port. But using only linkUp/linkDown traps is not the most scalable option. For example in

case of power failure, if hundreds of computers boot at the same time, PacketFence would receive a lot

of traps almost instantly and this could result in network connection latency…