Limiting addresses per user for users with more than one circuit-id

Ilkka Virta itvirta at iki.fi
Thu Dec 18 15:23:59 UTC 2014


On 15.12. 19:36, Niall O'Reilly wrote:
> At Mon, 15 Dec 2014 13:48:28 +0200,
> Ilkka Virta wrote:
>> We have users (student apartments) who get addresses from DHCP, and we
>> need to limit the number of addresses given to each user, so that
>> nobody can hoard all the addresses in the network.

>    After a quick look at www.iki.fi, the following thoughts come to me.

Oh, iki has actually nothing to do with this, except forwarding my 
(personal) email. :)

>    Have you considered whether RADIUS fits your use-case?

We actually use RADIUS currently, but the fact that it involves keeping 
state on the border switches has caused some slight problems in the 
current system. (but that's also because the current system sucks for 
its own reasons.)

In any case, IP addresses being the limiting factor, it would feel 
logical to do control on that layer, hence the original thought.
RADIUS may still be one way to do it, will have to see what comes.

>    If DHCP is still the closest fit, perhaps running a custom DHCP
>    relay (maybe upstream of the embedded relay instances in your
>    routers), which could mangle the circuit-ids as you suggest, would
>    be the way to build a solution.

May be the easiest way to do this with DHCP only. The mangling relay 
wouldn't perhaps even need to act as a relay in full, just to change the 
relevant fields.

And no, I don't think the Procurve switches we have support any port 
labeling for option 82.

About latency, some kind of a database lookup would be required 
regardless of the implementation, but I don't think it should be a 
problem since DHCP clients will happily wait even a couple of seconds.
RADIUS would cause latency too, and with it all traffic might just be 
dropped by the switch until a response is received.



-- 
Ilkka Virta <itvirta at iki.fi>
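
The circuit-id rewrite discussed above, as an added example that is not part of the original message: Python that parses a DHCP options field, finds option 82 and replaces sub-option 1 (circuit-id) with a per-user id, so every port of one user presents the same id to the server. The lookup table, the ids and the sample options are constructed, and passing unknown circuit-ids through unchanged is an assumption.

```python
"""Give every port of one user the same option 82 circuit-id."""
PAD, END, RELAY_INFO = 0, 255, 82   # DHCP option codes (RFC 2132, RFC 3046)
CIRCUIT_ID = 1                      # sub-option code inside option 82

# Constructed table: circuit-id as sent by the switch -> per-user id.
# It stands in for the database lookup mentioned in the message.
USER_OF_CIRCUIT = {
    b"sw1/port3": b"user-0042",
    b"sw1/port4": b"user-0042",
    b"sw2/port1": b"user-0077",
}

def parse_tlv(buf, has_pad_end):
    """Split code/length/value bytes into a list of (code, value) pairs."""
    items, i = [], 0
    while i < len(buf):
        code = buf[i]
        if has_pad_end and code == PAD:      # pad is a single byte, no length
            i += 1
            continue
        if has_pad_end and code == END:
            break
        if i + 2 > len(buf) or i + 2 + buf[i + 1] > len(buf):
            raise ValueError("truncated option at offset %d" % i)
        length = buf[i + 1]
        items.append((code, buf[i + 2:i + 2 + length]))
        i += 2 + length
    return items

def build_tlv(items):
    # bytes() raises ValueError if a value is longer than 255 bytes.
    return b"".join(bytes([c, len(v)]) + v for c, v in items)

def mangle_options(options, table=USER_OF_CIRCUIT):
    """Return the options field with known circuit-ids replaced by user ids."""
    rewritten = []
    for code, value in parse_tlv(options, has_pad_end=True):
        if code == RELAY_INFO:
            # Assumption: circuit-ids missing from the table pass through unchanged.
            subs = [(c, table.get(v, v) if c == CIRCUIT_ID else v)
                    for c, v in parse_tlv(value, has_pad_end=False)]
            value = build_tlv(subs)
        rewritten.append((code, value))
    return build_tlv(rewritten) + bytes([END])

# Constructed sample: message type 53 = DISCOVER, option 82 added by sw1 port 4.
SAMPLE = build_tlv([(53, b"\x01"), (RELAY_INFO, build_tlv(
    [(CIRCUIT_ID, b"sw1/port4"), (2, b"sw1")]))]) + bytes([END])
```

RFC 3046 has the server echo option 82 back in its reply, so a relay that rewrites the circuit-id on requests has to restore the switch's original value on replies if the switch uses it to pick the port.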

