VlanByLocation attribution: 'switch exceptions' feature
The VLAN exception option (based on the vlanswitch table) is a feature allowing location-dependent VLANs, i.e. for cases where VLAN naming is not consistent across switches, or where not all VLANs are available on all switches.
Example: let's say there is an OfficeLAN and a PrinterLAN in the main vlan table, but on switch 'sw101' there is only one LAN called 'LAN1'. This feature allows us to map both OfficeLAN and PrinterLAN on switch sw101 to LAN1.
See also the Windows GUI user guide.
How does it work?
Well, let's start by examining the SQL table:
mysql> describe vlanswitch;
+-----------+--------------+------+-----+---------+-------+
| Field     | Type         | Null | Key | Default | Extra |
+-----------+--------------+------+-----+---------+-------+
| vid       | int(11)      | NO   | MUL |         |       |
| swid      | int(11)      | NO   | MUL |         |       |
| vlan_id   | int(11)      | NO   |     |         |       |
| vlan_name | varchar(100) | NO   |     |         |       |
+-----------+--------------+------+-----+---------+-------+
- The swid field is a lookup/index into the switch table, and tells us to which switch the vlan exception applies.
- The vid field is a lookup/index into the vlan table, and is the vlan that was attributed so far, i.e. usually the vlan stored in the systems table for the end-device being authenticated.
- The vlan_name is a text field containing the name of the VLAN to be assigned to end-devices that connect to this switch, so it must be a valid vlan name on the switch swid.
- vlan_id is the vlan number corresponding to vlan_name, but it is not used; it is only there for documentation purposes.
Going back to the example, let's say there is an OfficeLAN and a PrinterLAN in the main vlan table, but on switch 'sw101' there is only one LAN called 'LAN1', so both vlans need to be mapped to it.
First, create two entries in the VLAN exception table, using the Windows GUI:
sw101 OfficeLAN LAN1
sw101 PrinterLAN LAN1
In the table there would be entries like the following, assuming that swid=10 indexes to sw101, vid=100 indexes to OfficeLAN, and vid=101 to PrinterLAN:
swid=10, vid=100, vlan_name=LAN1
swid=10, vid=101, vlan_name=LAN1
If Ports.vlanBySwitchLocation() is called in the policy, and lan_by_switch_location is enabled in the config table, the vlanswitch table is then queried to find the appropriate vlan_name:
- We know the switch IP address, so look up its index (swid).
- For the end-device connecting, look up its assigned vlan index (vid).
- Now query vlanswitch to see if there is a row with the swid and vid found above; if yes, return its vlan_name (the text name of the vlan to be sent back to the switch).
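The three lookup steps above, as an added example that is not FreeNAC's own code: an in-memory SQLite stand-in for the MySQL tables (column names of the switch and vlan tables, the composite key on vlanswitch, and the fallback to the main vlan name when no exception row matches are all assumptions).

```python
import sqlite3

# Constructed stand-in for the vlanswitch table described above, plus minimal
# switch and vlan tables (their column names are assumptions, not FreeNAC's).
SCHEMA = """
CREATE TABLE switch (swid INTEGER PRIMARY KEY, ip TEXT NOT NULL, name TEXT NOT NULL);
CREATE TABLE vlan (vid INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE vlanswitch (
    vid       INTEGER NOT NULL REFERENCES vlan(vid),
    swid      INTEGER NOT NULL REFERENCES switch(swid),
    vlan_id   INTEGER NOT NULL,          -- documentation only, never queried
    vlan_name TEXT    NOT NULL,
    PRIMARY KEY (swid, vid)              -- at most one exception per (switch, vlan)
);
-- Constructed sample data: swid=10 is sw101, vid=100 OfficeLAN, vid=101 PrinterLAN
INSERT INTO switch VALUES (10, '192.0.2.101', 'sw101'), (11, '192.0.2.1', 'sw-main');
INSERT INTO vlan   VALUES (100, 'OfficeLAN'), (101, 'PrinterLAN');
INSERT INTO vlanswitch VALUES (100, 10, 1, 'LAN1'), (101, 10, 1, 'LAN1');
"""

def open_db():
    """In-memory SQLite database loaded with the schema and sample rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def vlan_by_switch_location(db, switch_ip, vid):
    """Name of the VLAN to send back to the switch at switch_ip for an end-device
    whose attributed VLAN index is vid. Follows the three steps above: IP -> swid,
    then (swid, vid) -> vlan_name; with no exception row the name from the main
    vlan table is returned (assumed fallback)."""
    row = db.execute("SELECT swid FROM switch WHERE ip = ?", (switch_ip,)).fetchone()
    if row is None:
        raise LookupError(f"unknown switch {switch_ip}")
    swid = row[0]
    row = db.execute(
        "SELECT vlan_name FROM vlanswitch WHERE swid = ? AND vid = ?", (swid, vid)
    ).fetchone()
    if row is not None:
        return row[0]            # location-specific exception wins
    row = db.execute("SELECT name FROM vlan WHERE vid = ?", (vid,)).fetchone()
    if row is None:
        raise LookupError(f"unknown vlan index {vid}")
    return row[0]                # no exception: the usual VLAN name applies

if __name__ == "__main__":
    db = open_db()
    for ip, vid in (("192.0.2.101", 100), ("192.0.2.101", 101), ("192.0.2.1", 100)):
        print(ip, vid, "->", vlan_by_switch_location(db, ip, vid))
```

Both OfficeLAN and PrinterLAN resolve to LAN1 on sw101, while the main-building switch, which has no exception rows, still gets the names from the vlan table.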
If there are many switches and vlans, then the number of rows in the vlanswitch table will be large and difficult to manage.
If there are several small/remote offices with only one vlan (for example) and several main buildings with (say) 30 vlans, then an exception needs to be created for each vlan on each switch, which is a lot. One solution for those simple 'one vlan' switches is the newly proposed feature 'Vlan attribution by Switch, not by end-device'.
Comments/ideas are welcome.