autoMAC: A Tool for Automating Network Moves, Adds, and Changes Christopher J. Tengi Princeton University <tengi@CS.Princeton.EDU> What’s the problem? Over 1500 hosts Over 100 IP subnets/VLANs 672 user switch ports (currently) 388 wall boxes 1072 patch points 1072 Patch Points Why subnets? Why not a flat network? Broadcast domains User segregation Access Control How we used to do it Email host registration requests Manual host database entry Manual patch installation Switch re-configuration So, what’s wrong with that? Users never get it right the first time Manual host entry is prone to errors Patch panel diving is a pain Did you remember to set the port VLAN? Did you save the switch config? What we wanted Automation! Less user interaction :-) Better accuracy Static switch configuration What we did Automate the host database Automate switch port VLAN assignment Keep everyone in the right place Automating the host database Move to a web-based registration system Use a daemon to process requests Have the daemon rebuild all the database extracts Automating VLAN assignment No more manual switch configuration Any port, any VLAN, any time Use the host MAC address as the key Registration VLAN for unknown hosts The nitty-gritty Tools we used Existing host database FreeRADIUS NetReg Tools we used - Host DB Originally only for administrators Very little field validation Input through a ‘vi’ -based interface Extracts generated manually with ‘make’ Tools we used - FreeRADIUS Config files generated from Host DB Originally implemented for Cisco APs Our user switches could “speak” RADIUS Tools we used - NetReg Web-based data input Two to choose from Carnegie Mellon University Southwestern University Integration: Tying it all together Integration - Host database Web registration form Field validation on the form Automate request processing Integration - RADIUS server Use MAC address to lookup VLAN Add “tunnel” A/V pairs to accept response Unknown MAC addresses are rejected Integration - Hardware First, get a vendor to write code for you Why not 802.1X? Known hosts always land on the right VLAN Locally registered Mobile IP Unknown hosts land on the registration VLAN Integration - NetReg Server Listening on the registration VLAN Answers all DHCP requests Specifies itself as DNS server/gateway Answers any HTTP request Requires a CS username/password Presents the host registration form Sends the completed form for processing Future Enhancements Virus/patch scanning on the registration VLAN Automatic isolation of newly-infected hosts Expand registration VLAN concept to 802.11b Conclusions Automation is a good thing Open Source Software is invaluable Sometimes you can get what you want Acknowledgements Princeton CS Technical Staff Jon Finke Rob Kolstad Availability http://www.CS.Princeton.EDU/autoMAC/