Re: Using ippool with two radius servers?

2002-05-17 Thread Miquel van Smoorenburg

In article <00a101c1fd56$61050be0$b800a8c0@kelvindell>,
Echo FreeRadius <[EMAIL PROTECTED]> wrote:
>For example we are in the process of putting in 4 Nortel CVX 1800's with
>1288 lines each all in one large roll over (5152 lines) in the GTA (Greater
>Toronto Area)
>
>From those 4 CVX's we are going to provide wholesale dialup port for 4 - 10
>different ISP's.  Each ISP wants their customers to receive an address from
>their IP block so it resolves back to their company.  This is done for
>several reasons controlling access to SMTP servers and other resources as
>well as just for appearance so that their customers can't see that we use
>the same dial-up ports.

So you create 1 pool for each ISP on each CVX. The CVX supports
multiple pools, and you can tell it which pool to use using a
radius attribute. If you have 4 CVXes, just make each pool 25%
of the max. number of dialin lines an ISP may use. Well maybe
a bit larger to allow for not-perfect distribution of clients
over the 4 CVXes.

Mike.
-- 
"Insanity -- a perfectly rational adjustment to an insane world."
  - R.D. Lang


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
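The per-CVX sizing rule from the reply above, worked through as an added example (not code from the thread or from FreeRADIUS). The 400-line cap, the 10.20.0.0/23 block and the cvx1..cvx4 names are constructed; rounding each pool up to a single prefix is this example's assumption, so that each NAS needs one static route per ISP.

```python
import ipaddress
import itertools


def carve_pools(isp_block, max_lines, nas_count=4, headroom_pct=25):
    """Split one ISP's block into one CIDR-aligned pool per NAS.

    Each pool covers an even share of the ISP's lines plus headroom for
    uneven call distribution, rounded up to a power of two so that every
    pool is a single prefix.
    """
    block = ipaddress.ip_network(isp_block)
    # Integer ceiling of max_lines / nas_count * (1 + headroom).
    share = -(-max_lines * (100 + headroom_pct) // (100 * nas_count))
    prefixlen = block.max_prefixlen - (share - 1).bit_length()
    if prefixlen < block.prefixlen:
        raise ValueError(f"{isp_block} is smaller than one per-NAS pool")
    # Take only the first nas_count subnets; the rest of the block stays spare.
    pools = list(itertools.islice(block.subnets(new_prefix=prefixlen), nas_count))
    if len(pools) < nas_count:
        raise ValueError(f"{isp_block} cannot hold {nas_count} pools of /{prefixlen}")
    return pools


def addresses_needed(pools):
    """Total addresses the ISP has to commit across all NAS boxes."""
    return sum(p.num_addresses for p in pools)


if __name__ == "__main__":
    # Constructed input: an ISP capped at 400 concurrent lines, RFC 1918 block.
    pools = carve_pools("10.20.0.0/23", max_lines=400)
    for nas, pool in zip(("cvx1", "cvx2", "cvx3", "cvx4"), pools):  # hypothetical names
        print(f"{nas}: pool {pool} ({pool.num_addresses} addresses)")
    # 4 * 1288 is the cost of sizing every per-NAS pool for all of its lines.
    print("total:", addresses_needed(pools), "vs", 4 * 1288)
```
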



Re: Using ippool with two radius servers?

2002-05-17 Thread Alan DeKok

"Echo FreeRadius" <[EMAIL PROTECTED]> wrote:
> For example we are in the process of putting in 4 Nortel CVX 1800's with
> 1288 lines each all in one large roll over (5152 lines) in the GTA (Greater
> Toronto Area)
> 
> From those 4 CVX's we are going to provide wholesale dialup port for 4 - 10
> different ISP's
...
> Anyway we wouldn't want each ISP to have to assign 1288 IP's to each NAS as
> this would be a large waste of IP addresses.  If we can have radius assign
> IP's then this greatly reduces the number of IP's allocated.

  This means that a particular IP address can be assigned on the fly
to any one of 4 NAS boxes.  In order to route the packet to the
correct NAS, you've got to add a new route for that IP.  This means
(as Miquel said) thousands of routes, and hundreds of route flaps.

  I'm not sure how else to do it.  Bridging and a smart switch may
help, but then you've got to forcibly expire arp entries in the
switch, and add new ones, when an IP address moves from NAS to NAS.
That may be hard.

> Again for redundancy and performance we will likely have 2-4 radius
> servers per company depending on the redundancy level they
> require. The sharing of IP's between radius server IPpools is a
> great asset.

  It's also hard.  You get into consistency issues, where the
"sharing" may only be done every so often, but customers may switch IP's
and re-dial more often than that.


  I would think about the issues VERY carefully before implementing
such a large and complicated network.  Be very sure that you can do
everything needed to make it work.

  Alan DeKok.




Re: Using ippool with two radius servers?

2002-05-16 Thread Echo FreeRadius


Another example of where you would need IP's assigned from radius instead of
a NAS is in the case of VPOP's / Virtual ISP's


For example we are in the process of putting in 4 Nortel CVX 1800's with
1288 lines each all in one large roll over (5152 lines) in the GTA (Greater
Toronto Area)

From those 4 CVX's we are going to provide wholesale dialup port for 4 - 10
different ISP's.  Each ISP wants their customers to receive an address from
their IP block so it resolves back to their company.  This is done for
several reasons controlling access to SMTP servers and other resources as
well as just for appearance so that their customers can't see that we use
the same dial-up ports.

Anyway we wouldn't want each ISP to have to assign 1288 IP's to each NAS as
this would be a large waste of IP addresses.  If we can have radius assign
IP's then this greatly reduces the number of IP's allocated.  Again for
redundancy and performance we will likely have 2-4 radius servers per
company depending on the redundancy level they require. The sharing of IP's
between radius server IPpools is a great asset.

Kelvin Hockin
Echo OnLine Internet Inc.
http://www.eol.ca

- Original Message -
From: "Simon Allard" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, May 16, 2002 5:36 PM
Subject: RE: Using ippool with two radius servers?


> > > > Ah, you only have one terminal server with 30.000 ports on it?
> > > > In that case, route the /17 to that NAS and be done with it.
> > > > But you likely have tens or hundreds of NASes.
> > > >
> > > > Either you're way ahead of me, or you really need to think this over.
> > >
> > > I think I'm ahead of you :-) Believe me, routing is not an issue
> > > here, I do have a /17 block with summarized pools in a way that I only
> > > need one static route per NAS (there are 20 of them). No need to use
> > > dynamic routing.
> >
> > Okay, you have a fixed pool assigned to each NAS.  I still fail to see
> > why you don't want the NAS to each handle the assignment of their own
> > pools?  But then what the heck do I know about building a big network...
>
>
> I have the same requirement (ippool over multiple radius servers).
> Sometimes allocating IPs from the NAS will just not work.
>
> For example say we have 4000 dialin ports. We allocate the IPs from the
> NAS for those users. All good.
>
> But we have a different bunch of users. Eg Sat routed users. They need a
> different IP Pool. There are not enough customers to warrant putting
> another pool on each NAS box. This is where IPpool works nicely.
>
> Most biggish ISP's need more than 1 radius server. We have 6 load
> balanced behind a layer 4 switch.
>
>
>
> Simon Allard (Senior Tool Monkey)
> IHUG
> Ph (09) 358-5067   Email: [EMAIL PROTECTED]
>
> I'm out of my mind right now, but feel free to leave a message.
>
>



RE: Using ippool with two radius servers?

2002-05-16 Thread Simon Allard

> > > Ah, you only have one terminal server with 30.000 ports on it?
> > > In that case, route the /17 to that NAS and be done with it.
> > > But you likely have tens or hundreds of NASes.
> > >
> > > Either you're way ahead of me, or you really need to think this over.
> >
> > I think I'm ahead of you :-) Believe me, routing is not an issue
> > here, I do have a /17 block with summarized pools in a way that I only
> > need one static route per NAS (there are 20 of them). No need to use
> > dynamic routing.
>
> Okay, you have a fixed pool assigned to each NAS.  I still fail to see
> why you don't want the NAS to each handle the assignment of their own
> pools?  But then what the heck do I know about building a big network...


I have the same requirement (ippool over multiple radius servers).
Sometimes allocating IPs from the NAS will just not work.

For example say we have 4000 dialin ports. We allocate the IPs from the
NAS for those users. All good.

But we have a different bunch of users. Eg Sat routed users. They need a
different IP Pool. There are not enough customers to warrant putting
another pool on each NAS box. This is where IPpool works nicely.

Most biggish ISP's need more than 1 radius server. We have 6 load
balanced behind a layer 4 switch.



Simon Allard (Senior Tool Monkey)
IHUG
Ph (09) 358-5067   Email: [EMAIL PROTECTED]

I'm out of my mind right now, but feel free to leave a message.





RE: Using ippool with two radius servers?

2002-05-16 Thread Chris Parker

At 04:58 PM 5/16/2002 -0300, Gelson Dias Santos wrote:

> > From: Miquel van Smoorenburg [mailto:[EMAIL PROTECTED]]
>
> > Ah, you only have one terminal server with 30.000 ports on it?
> > In that case, route the /17 to that NAS and be done with it.
> > But you likely have tens or hundreds of NASes.
> >
> > Either you're way ahead of me, or you really need to think this over.
>
> I think I'm ahead of you :-) Believe me, routing is not an issue 
> here, I do have a /17 block with summarized pools in a way that I only 
> need one static route per NAS (there are 20 of them). No need to use 
> dynamic routing.

Okay, you have a fixed pool assigned to each NAS.  I still fail to see
why you don't want the NAS to each handle the assignment of their own
pools?  But then what the heck do I know about building a big network...

I've spoken my bit here, so I'll stop flogging the deceased equine.

-Chris
--
\\\|||///  \  StarNet Inc.  \ Chris Parker
\ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
| @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
   \ Wholesale Internet Services - http://www.megapop.net






RE: Using ippool with two radius servers?

2002-05-16 Thread Gelson Dias Santos

> From: Miquel van Smoorenburg [mailto:[EMAIL PROTECTED]]


> > Why should I have 30.000 host routes
> 
> Well, you're talking about 30.000 ports. If you are going to
> assign each of them an IP address using radius, you need
> a routing protocol to get the packets to the NAS.
> 
> >All I have is one /17
> >summarized route. All those IP's are on the same CIDR block.
> 
> Ah, you only have one terminal server with 30.000 ports on it?
> In that case, route the /17 to that NAS and be done with it.
> But you likely have tens or hundreds of NASes.
> 
> Either you're way ahead of me, or you really need to think this over.


    I think I'm ahead of you :-) Believe me, routing is not an issue here, I do have a /17 block with summarized pools in a way that I only need one static route per NAS (there are 20 of them). No need to use dynamic routing.

    Chris also suggested I should learn a bit more about ip routing. Well, we should always learn more, isn't it? But after 18 years of experience in IP networks I think I know how to route packets.

    The answer I was looking for was given by Chris: the ip pool module can't handle a pool so large. Anyway, it can't synchronize pools of any size between two Radius servers, so I'll need to find another solution, or another Radius server.

    Thanks all,
--
Gelson Dias Santos  ([EMAIL PROTECTED])
Backbone & Network Security
Vant Telecomunicações S.A.
http://www.vant.com.br


Re: Using ippool with two radius servers?

2002-05-15 Thread Miquel van Smoorenburg

In article <[EMAIL PROTECTED]>,
Gelson Dias Santos  <[EMAIL PROTECTED]> wrote:
>> -Original Message-
>> From: Miquel van Smoorenburg [mailto:[EMAIL PROTECTED]]
>
>> >Yes, I know I can have 'N' different ip pools configured, one for
>> >each NAS, but I'm talking about 30.000 dial ports, so I can't allocate
>> >30.000 * N ips available.
>> 
>> In that case you are also talking about 30.000 routes in your
>> internal routing protocol - and with that many dialup ports,
>> hundreds of route-flaps per second.
>> 
>> It won't work. Your network and routers will fall over
>> and die screaming.
>
>   Why should I have 30.000 host routes?

Well, you're talking about 30.000 ports. If you are going to
assign each of them an IP address using radius, you need
a routing protocol to get the packets to the NAS.

>All I have is one /17
>summarized route. All those IP's are on the same CIDR block.

Ah, you only have one terminal server with 30.000 ports on it?
In that case, route the /17 to that NAS and be done with it.
But you likely have tens or hundreds of NASes.

Either you're way ahead of me, or you really need to think this over.

Mike.
-- 
"Insanity -- a perfectly rational adjustment to an insane world."
  - R.D. Lang





RE: Using ippool with two radius servers?

2002-05-15 Thread Gelson Dias Santos

> -Original Message-
> From: Chris Parker [mailto:[EMAIL PROTECTED]]
 
> > Is there a way to synchronize the ip databases between two (or
> > more) radius servers when using module ippool? If not, how do we avoid
> > giving the same ip to two users at the same time if the primary and
> > secondary radius does not share info about the ips already in use?


> 
> Why would you not want the NAS to handle their own ip pools?
> 
> -Chris


    This is the way things work right now, but I need to add different classes of services, like dial backup and VPDN using the same dial ports, and these services require different ip addresses than those in the NAS pools. So, I have to set different pools for different classes of users. 

    I was thinking about using hints to differentiate users, so a user xxx.vpdn could match an entry like this:


    DEFAULT Hint == "vpdn", Pool-Name := vpdnpool


    But then, how do I avoid conflict when allocating IP's from pool vpdnpool if I have two Radius servers?


    Gelson 





Re: Using ippool with two radius servers?

2002-05-15 Thread Alan DeKok

Gelson Dias Santos <[EMAIL PROTECTED]> wrote:
>   Back to the original question; can I have two Radius server managing
> the same IP address pool?

  It's difficult.  Both RADIUS servers have to be kept in PERFECT
synchronization, otherwise duplicate IP's are assigned.

  Your best bet may be to come up with some other solution...

  Alan DeKok.
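The duplicate-assignment problem raised in this reply, as an added example that is not part of the original thread and is not FreeRADIUS code. It is a toy model under stated assumptions: each server keeps its own pool state and hands out the lowest free address, the logins and 10.30.0.0 ranges are constructed, and the disjoint-range comparison is this example's own, not something the thread proposes.

```python
import ipaddress


class PoolState:
    """Toy model of one RADIUS server's private pool database.

    Assumption: it only models "hand out the lowest free address".
    """

    def __init__(self, network):
        self.free = [str(ip) for ip in ipaddress.ip_network(network).hosts()]

    def allocate(self):
        if not self.free:
            raise RuntimeError("pool exhausted")
        return self.free.pop(0)


def find_duplicates(server_ranges, logins):
    """Replay logins and return {ip: [sessions]} for addresses in use twice.

    server_ranges: one network per RADIUS server (each server's own state).
    logins: (server_index, nas, port) tuples; no session ends during replay.
    """
    servers = [PoolState(r) for r in server_ranges]
    in_use = {}
    for idx, nas, port in logins:
        in_use.setdefault(servers[idx].allocate(), []).append((nas, port))
    return {ip: sessions for ip, sessions in in_use.items() if len(sessions) > 1}


# Constructed logins: requests alternate between two unsynchronized servers.
LOGINS = [(0, "nas1", 1), (1, "nas1", 2), (0, "nas2", 1), (1, "nas2", 2)]

if __name__ == "__main__":
    shared = find_duplicates(["10.30.0.0/28", "10.30.0.0/28"], LOGINS)
    split = find_duplicates(["10.30.0.0/29", "10.30.0.8/29"], LOGINS)
    print("same pool on both servers:", shared)
    print("disjoint range per server:", split)
```

Giving each server a disjoint range removes the collisions only by multiplying the address requirement by the number of servers, which is the cost the original question wanted to avoid.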




RE: Using ippool with two radius servers?

2002-05-15 Thread Chris Parker

At 05:28 PM 5/15/2002 -0300, Gelson Dias Santos wrote:


> > -Original Message-
> > From: Miquel van Smoorenburg [mailto:[EMAIL PROTECTED]]
>
> > > Yes, I know I can have 'N' different ip pools configured, one for
> > > each NAS, but I'm talking about 30.000 dial ports, so I can't allocate
> > > 30.000 * N ips available.
> >
> > In that case you are also talking about 30.000 routes in your
> > internal routing protocol - and with that many dialup ports,
> > hundreds of route-flaps per second.
> >
> > It won't work. Your network and routers will fall over
> > and die screaming.
>
> Why should I have 30.000 host routes? All I have is one /17
> summarized route. All those IP's are on the same CIDR block.

Uhm.  Unless you have only one NAS, you'll have major issues.  Each
user will get a /32 ip.  If you have many NAS and the /32's are handed
out by the radius server, then you need to have all the NAS telling
each other about which /32's they have connected.

If that is not clear, you need to study routing, route summarization,
and ip subnetting some more.

> Back to the original question; can I have two Radius server
> managing the same IP address pool?

No.  ( And you really really really don't want to for 30,000 ips ).

-Chris
--
\\\|||///  \  StarNet Inc.  \ Chris Parker
\ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
| @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
   \ Wholesale Internet Services - http://www.megapop.net






RE: Using ippool with two radius servers?

2002-05-15 Thread Gelson Dias Santos

> -Original Message-
> From: Miquel van Smoorenburg [mailto:[EMAIL PROTECTED]]


> > Yes, I know I can have 'N' different ip pools configured, one for
> > each NAS, but I'm talking about 30.000 dial ports, so I can't allocate
> > 30.000 * N ips available.
> 
> In that case you are also talking about 30.000 routes in your
> internal routing protocol - and with that many dialup ports,
> hundreds of route-flaps per second.
> 
> It won't work. Your network and routers will fall over
> and die screaming.


    Why should I have 30.000 host routes? All I have is one /17 summarized route. All those IP's are on the same CIDR block.

    Back to the original question; can I have two Radius server managing the same IP address pool?


    Gelson





Re: Using ippool with two radius servers?

2002-05-15 Thread Miquel van Smoorenburg

In article <[EMAIL PROTECTED]>,
Gelson Dias Santos  <[EMAIL PROTECTED]> wrote:
>   Is there a way to synchronize the ip databases between two (or more)
>radius servers when using module ippool? If not, how do we avoid giving the
>same ip to two users at the same time if the primary and secondary radius
>does not share info about the ips already in use?
>   Yes, I know I can have 'N' different ip pools configured, one for
>each NAS, but I'm talking about 30.000 dial ports, so I can't allocate
>30.000 * N ips available.

In that case you are also talking about 30.000 routes in your
internal routing protocol - and with that many dialup ports,
hundreds of route-flaps per second.

It won't work. Your network and routers will fall over
and die screaming.

Mike.
-- 
"Insanity -- a perfectly rational adjustment to an insane world."
  - R.D. Lang





Re: Using ippool with two radius servers?

2002-05-15 Thread Chris Parker

At 03:51 PM 5/15/2002 -0300, Gelson Dias Santos wrote:

> Is there a way to synchronize the ip databases between two (or
> more) radius servers when using module ippool? If not, how do we avoid
> giving the same ip to two users at the same time if the primary and
> secondary radius does not share info about the ips already in use?
>
> Yes, I know I can have 'N' different ip pools configured, one for
> each NAS, but I'm talking about 30.000 dial ports, so I can't allocate
> 30.000 * N ips available.

Why would you not want the NAS to handle their own ip pools?

-Chris
--
\\\|||///  \  StarNet Inc.  \ Chris Parker
\ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
| @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
   \ Wholesale Internet Services - http://www.megapop.net






Using ippool with two radius servers?

2002-05-15 Thread Gelson Dias Santos

    Is there a way to synchronize the ip databases between two (or more) radius servers when using module ippool? If not, how do we avoid giving the same ip to two users at the same time if the primary and secondary radius does not share info about the ips already in use?

    Yes, I know I can have 'N' different ip pools configured, one for each NAS, but I'm talking about 30.000 dial ports, so I can't allocate 30.000 * N ips available.

    Gelson