autoMAC: A Tool for Automating Network Moves, Adds, and Changes

Slides: 25
Provided by: christop193
Transcript and Presenter's Notes


1
autoMAC: A Tool for Automating Network Moves, Adds, and Changes
  • Christopher J. Tengi
  • Princeton University
  • <tengi_at_CS.Princeton.EDU>

2
What's the problem?
  • Over 1500 hosts
  • Over 100 IP subnets/VLANs
  • 672 user switch ports (currently)
  • 388 wall boxes
  • 1072 patch points

3
1072 Patch Points

4
Why subnets?
  • Why not a flat network?
  • Broadcast domains
  • User segregation
  • Access Control

5
How we used to do it
  • Email host registration requests
  • Manual host database entry
  • Manual patch installation
  • Switch re-configuration

6
So, what's wrong with that?
  • Users never get it right the first time
  • Manual host entry is prone to errors
  • Patch panel diving is a pain
  • Did you remember to set the port VLAN?
  • Did you save the switch config?

7
What we wanted
  • Automation!
  • Less user interaction :-)
  • Better accuracy
  • Static switch configuration

8
What we did
  • Automate the host database
  • Automate switch port VLAN assignment
  • Keep everyone in the right place

9
Automating the host database
  • Move to a web-based registration system
  • Use a daemon to process requests
  • Have the daemon rebuild all the database extracts

10
Automating VLAN assignment
  • No more manual switch configuration
  • Any port, any VLAN, any time
  • Use the host MAC address as the key
  • Registration VLAN for unknown hosts

11
The nitty-gritty

12
Tools we used
  • Existing host database
  • FreeRADIUS
  • NetReg

13
Tools we used - Host DB
  • Originally only for administrators
  • Very little field validation
  • Input through a vi-based interface
  • Extracts generated manually with make

14
Tools we used - FreeRADIUS
  • Config files generated from Host DB
  • Originally implemented for Cisco APs
  • Our user switches could speak RADIUS

15
Tools we used - NetReg
  • Web-based data input
  • Two to choose from
      • Carnegie Mellon University
      • Southwestern University

16
Integration: Tying it all together

17
Integration - Host database
  • Web registration form
  • Field validation on the form
  • Automate request processing

18
Integration - RADIUS server
  • Use MAC address to look up VLAN
  • Add tunnel A/V pairs to accept response
  • Unknown MAC addresses are rejected
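
Added example (not from the original slides or the autoMAC code): a sketch of generating a FreeRADIUS `users` file from host database records, as slides 14 and 18 describe, with the MAC and VLAN fields validated before anything is written. Assumptions: the tunnel A/V pairs are the RFC 3580 VLAN attributes, the switch sends the MAC as both user name and password, and the function names and sample records are constructed for illustration.

```python
import re

# Constructed sample host-database records (MAC, VLAN ID); not real data.
SAMPLE_HOSTS = [
    ("00:11:22:33:44:55", 120),
    ("00-11-22-AA-BB-CC", 135),
    ("0011.22dd.eeff", 120),
]

HEX12 = re.compile(r"[0-9a-f]{12}")


def normalize_mac(mac):
    """Return the MAC as 12 lowercase hex digits, or raise ValueError."""
    digits = re.sub(r"[:.\-]", "", mac.strip().lower())
    # fullmatch rejects embedded newlines, quotes and other config syntax.
    if not HEX12.fullmatch(digits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return digits


def users_entries(hosts):
    """Build FreeRADIUS 'users' file text mapping each MAC to its VLAN."""
    seen = {}
    blocks = []
    for mac, vlan in hosts:
        key = normalize_mac(mac)
        if type(vlan) is not int or not 1 <= vlan <= 4094:
            raise ValueError(f"bad VLAN ID for {mac!r}: {vlan!r}")
        if key in seen:
            raise ValueError(f"duplicate MAC {key} (VLANs {seen[key]} and {vlan})")
        seen[key] = vlan
        # Assumed: the switch sends the MAC as both user name and password.
        blocks.append(
            f'{key} Cleartext-Password := "{key}"\n'
            f"\tTunnel-Type = VLAN,\n"
            f"\tTunnel-Medium-Type = IEEE-802,\n"
            f'\tTunnel-Private-Group-Id = "{vlan}"\n'
        )
    # Any MAC not listed above is rejected, as slide 18 describes.
    blocks.append("DEFAULT Auth-Type := Reject\n")
    return "\n".join(blocks)


if __name__ == "__main__":
    print(users_entries(SAMPLE_HOSTS))
```

Raising on a malformed or duplicate record, rather than skipping it, keeps a bad web-form submission from silently changing which VLAN a host lands on.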

19
Integration - Hardware
  • First, get a vendor to write code for you
  • Why not 802.1X?
  • Known hosts always land on the right VLAN
      • Locally registered
      • Mobile IP
  • Unknown hosts land on the registration VLAN

20
Integration - NetReg Server
  • Listening on the registration VLAN
  • Answers all DHCP requests
      • Specifies itself as DNS server/gateway
  • Answers any HTTP request
      • Requires a CS username/password
      • Presents the host registration form
      • Sends the completed form for processing

21
Future Enhancements
  • Virus/patch scanning on the registration VLAN
  • Automatic isolation of newly-infected hosts
  • Expand registration VLAN concept to 802.11b

22
Conclusions
  • Automation is a good thing
  • Open Source Software is invaluable
  • Sometimes you can get what you want

23
Acknowledgements
  • Princeton CS Technical Staff
  • Jon Finke
  • Rob Kolstad

24
Availability
  • http://www.CS.Princeton.EDU/autoMAC/