[192143] in North American Network Operators' Group


Re: MPLS in the campus Network?

daemon@ATHENA.MIT.EDU (Leo Bicknell)
Fri Oct 21 13:45:22 2016

X-Original-To: nanog@nanog.org
Date: Fri, 21 Oct 2016 10:45:15 -0700
From: Leo Bicknell <bicknell@ufp.org>
To: nanog@nanog.org
Mail-Followup-To: nanog@nanog.org
In-Reply-To: <CAExkOzw-74TU1kmdt5dfLYzCmtU8MhyMOg=SZ82QqxLhGrFZ+g@mail.gmail.com>
Errors-To: nanog-bounces@nanog.org



In a message written on Fri, Oct 21, 2016 at 12:02:24PM -0500, Javier Solis wrote:
> In a campus network the challenge becomes extending subnets across your
> core. You may have a college that started in one building with their own
> /24, but now have offices and labs in other buildings. They want to stay on
> the same network, but that's not feasible with the routed core setup
> without some other technology overlay. We end up not being able to extend
> the L2 like we did in the past and today we modify router ACLs to allow
> communications. If you already have hundreds of VLANs spanned across the
> network, it's hard to get a campus to migrate to the routed core. I think
> this may be one of Mark's challenges, correct me if I'm wrong please.

FWIW, if I had to solve the "college across buildings with common
access control" problem I would create MPLS L3 VPNs, one subnet
per building (where it is a VLAN inside of a building), with a
"firewall in the cloud" somewhere to get between VLANs with all
of the policy in one place.

No risk of the L2 across buildings mess, including broadcast and
multicast issues at L2.  All tidy L3 routing.  Can use a real
firewall between L3 VPN instances to get real policy tools (AV, URL
filtering, malware detection, etc.) rather than router ACLs.  Scales
to huge sizes because it's all L3 based.

Combine with 802.1X port authentication and NAC, and in theory every
L3 VPN could be in every building, with each port dynamically assigning
the VLAN based on the user's login!  Imagine never manually configuring
them again.  Write a script that makes all the colleges (20? 40? 60?)
appear in every building all attached to their own MPLS VPNs, and
then the NAC handles port assignment.

--
Leo Bicknell - bicknell@ufp.org
PGP keys at http://www.ufp.org/~bicknell/
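The "script that makes every college appear in every building" sketched in the post, as an added example that is not Leo's code: it allocates one VRF (RD/RT) and one campus-wide VLAN id per college, a distinct subnet per college per building, the RFC 3580 RADIUS reply attributes a NAC server would return for that college, and a check that no two subnets overlap. The ASN, VLAN range and address block are assumed values.

```python
"""Per-college L3 VPN plan for a multi-building campus (constructed example)."""
import ipaddress

ASN = 65000                                          # assumed private ASN for RD/RT
BASE_VLAN = 100                                      # assumed: colleges get 100, 101, ...
CAMPUS_BLOCK = ipaddress.ip_network("10.0.0.0/8")    # assumed campus address space


def build_plan(colleges, buildings, prefixlen=24):
    """Return {college: {"vlan", "rd", "rt", "subnets": {building: network}}}.

    The VLAN id is the same for a college in every building, so the NAC
    can hand out one id per college without knowing where the port is;
    the subnet differs per building, so traffic between colleges has to
    cross the central firewall between VRFs rather than a stretched L2."""
    subnets = CAMPUS_BLOCK.subnets(new_prefix=prefixlen)  # lazy /24 allocator
    plan = {}
    for i, college in enumerate(colleges):
        vlan = BASE_VLAN + i
        if vlan > 4094:
            raise ValueError("ran out of 802.1Q VLAN ids")
        plan[college] = {
            "vlan": vlan,
            "rd": f"{ASN}:{vlan}",   # route distinguisher for this VRF
            "rt": f"{ASN}:{vlan}",   # route target imported/exported by every PE
            "subnets": {b: next(subnets) for b in buildings},
        }
    return plan


def radius_reply(plan, college):
    """RFC 3580 attributes the NAC returns so the switch assigns the VLAN."""
    return {
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-ID": str(plan[college]["vlan"]),
    }


def check_plan(plan):
    """True if no two subnets overlap and each college has a unique VLAN."""
    nets = [n for c in plan.values() for n in c["subnets"].values()]
    for i, a in enumerate(nets):
        if any(a.overlaps(b) for b in nets[i + 1:]):
            return False
    return len({c["vlan"] for c in plan.values()}) == len(plan)
```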