home | help | back | first | fref | pref | prev | next | nref | lref | last | post |
X-Original-To: nanog@nanog.org Date: Fri, 21 Oct 2016 10:45:15 -0700 From: Leo Bicknell <bicknell@ufp.org> To: nanog@nanog.org Mail-Followup-To: nanog@nanog.org In-Reply-To: <CAExkOzw-74TU1kmdt5dfLYzCmtU8MhyMOg=SZ82QqxLhGrFZ+g@mail.gmail.com> Errors-To: nanog-bounces@nanog.org --OgqxwSJOaUobr8KG Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable In a message written on Fri, Oct 21, 2016 at 12:02:24PM -0500, Javier Solis= wrote: > In a campus network the challenge becomes extending subnets across your > core. You may have a college that started in one building with their own > /24, but now have offices and labs in other buildings. They want to stay = on > the same network, but that's not feasible with the routed core setup > without some other technology overlay. We end up not being able to extend > the L2 like we did in the past and today we modify router ACL's to allow > communications. If you already have hundreds of vlans spanned across the > network, it's hard to get a campus to migrate to the routed core. I think > this may be one of Marks challenge, correct me if I'm wrong please. FWIW, if I had to solve the "college across buildings with common access control" problem I would create MPLS L3 VPN's, one subnet per building (where it is a VLAN inside of a building), with a "firewall in the cloud" somewhere to get between VLAN's with all of the policy in one place. No risk of the L2 across buildings mess, including broadcast and multicast issues at L2. All tidy L3 routing. Can use a real firewall between L3 VPN instances to get real policy tools (AV, URL Filtering, Malware detection, etc) rather than router ACL's. Scales to huge sizes because it's all L3 based. Combine with 802.1x port authentication and NAC, and in theory every L3 VPN could be in every building, with each port dynamically assigning the VLAN based on the user's login! Imagine never manually configuring them again. Write a script that makes all the colleges (20? 40? 60?) appear in every building all attached to their own MPLS VPN's, and then the NAC handles port assignment. --=20 Leo Bicknell - bicknell@ufp.org PGP keys at http://www.ufp.org/~bicknell/ --OgqxwSJOaUobr8KG Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBWApUKrN3O8aJIdTMAQKozw//YOBzl1ATnIM6kbCXxJzyXtHAht1CJCoe wMbs3KDaXgxHTe13rIxzsRLFJrXCqPRDiceKD1B4dbowrp/6UAZqyJOQegm6ICjC /8NrJpHw0Wxk3khhoGzgWloUDHrFzIe8j2kqiAGGzvoJIihORybMgf6seyzN4vBZ BBKdhXqaj4wKlfTYMlrOH8aI+zEbL6ijlmXd+75nvf9N9TaKqHFoizsJnnJhpb8a Yy9IOYSSvGtl7gOdwjznmSubjgmE2h8xCx6f1lFuXSg0SkSiLDyTvDMhdjIYrEa9 l0BMeqTF5lbIEujAwFTKhcInu9sBuprCWWjIfv8MKGXOr+TQEflCepeNOLbhJJOF ZPXHP0Hzt0s7adxb9PTEdHUA2vOjtxtACrX1QM2H6/t9aTkP+X6yu8cpfDUMsgaG dKuv0nvaxHRXD6Wx3fjYDjfJQtviJhsNJVKDzwu/kw217F9f7XDFRki60HWB/u+W 96q56I/k34eyEbi6a0eCs6tJO35X0s/Qsx0CCfFmGGthqzxwU2oXvVzqMINSwwf9 N5VX95+30sykM6KDFJHeodz5zyh8E2mbf9fktm9aQ+rZNmeae+1M4kpwiYu4O0Ev GI8sqfzoGFtQxsic8sNxR0+9+Ak5Ahv4xNUaZEI4JgAhfWeTJY9kuF2JhkNBRykn kG4qgn2ziTY= =3b+r -----END PGP SIGNATURE----- --OgqxwSJOaUobr8KG--
home | help | back | first | fref | pref | prev | next | nref | lref | last | post |