Developers guide
Chapter 12
Copyright © 2008-2013 Inverse inc.
Technical introduction to Inline enforcement
• Everyone behind an inline interface is on the same Layer 2 LAN
• Every packet of authorized users goes through the PacketFence server, increasing the server's load considerably: plan ahead for capacity
• Every packet of authorized users goes through the PacketFence server: it is a single point of failure for Internet access
• Does not handle routed networks
• Ipset can store up to 65536 entries, so an inline network cannot be larger than a class B
This is why it is considered a poor man’s way of doing access control. We have avoided it for a long
time because of the above-mentioned limitations. That said, being able to perform both inline and VLAN
enforcement on the same server at the same time is a real advantage: it allows users to maintain maximum
security while they deploy new and more capable network hardware, providing a clean migration path
to VLAN enforcement.