[192149] in North American Network Operators' Group


Re: MPLS in the campus Network?

daemon@ATHENA.MIT.EDU (David Bass)
Fri Oct 21 17:51:35 2016

X-Original-To: nanog@nanog.org
From: David Bass <davidbass570@gmail.com>
In-Reply-To: <20161021174514.GA48761@ussenterprise.ufp.org>
Date: Fri, 21 Oct 2016 17:51:28 -0400
To: Leo Bicknell <bicknell@ufp.org>
Cc: nanog@nanog.org
Errors-To: nanog-bounces@nanog.org

This is exactly what we are recommending and building for our customers in that space. Most of the time the university network acts as a provider, so to me it only makes sense to use that type of tech.  The biggest problem then is support, which could be something they are unwilling or unable to overcome.

> On Oct 21, 2016, at 1:45 PM, Leo Bicknell <bicknell@ufp.org> wrote:
>
> In a message written on Fri, Oct 21, 2016 at 12:02:24PM -0500, Javier Solis wrote:
>> In a campus network the challenge becomes extending subnets across your
>> core. You may have a college that started in one building with their own
>> /24, but now have offices and labs in other buildings. They want to stay on
>> the same network, but that's not feasible with the routed core setup
>> without some other technology overlay. We end up not being able to extend
>> the L2 like we did in the past and today we modify router ACLs to allow
>> communications. If you already have hundreds of VLANs spanned across the
>> network, it's hard to get a campus to migrate to the routed core. I think
>> this may be one of Mark's challenges, correct me if I'm wrong please.
>
> FWIW, if I had to solve the "college across buildings with common
> access control" problem I would create MPLS L3 VPNs, one subnet
> per building (where it is a VLAN inside of a building), with a
> "firewall in the cloud" somewhere to get between VLANs with all
> of the policy in one place.
>
> No risk of the L2 across buildings mess, including broadcast and
> multicast issues at L2.  All tidy L3 routing.  Can use a real
> firewall between L3 VPN instances to get real policy tools (AV, URL
> filtering, malware detection, etc.) rather than router ACLs.  Scales
> to huge sizes because it's all L3 based.
>
> Combine with 802.1x port authentication and NAC, and in theory every
> L3 VPN could be in every building, with each port dynamically assigning
> the VLAN based on the user's login!  Imagine never manually configuring
> them again.  Write a script that makes all the colleges (20? 40? 60?)
> appear in every building all attached to their own MPLS VPNs, and
> then the NAC handles port assignment.
>
> -- 
> Leo Bicknell - bicknell@ufp.org
> PGP keys at http://www.ufp.org/~bicknell/
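As an added illustration of the design Leo sketches above (one MPLS L3 VPN per college, the same VLAN number in every building, a hub firewall VRF that every college can reach only through the firewall, and NAC returning the VLAN on 802.1x login), here is a small config-generator script; it is not code from the thread or from any of the posters. The ASN, the RD/RT and VLAN numbering, the 10.<building>.<college>.0/24 address plan and the IOS-like syntax are all assumptions made for the example.

```python
"""Generate per-building PE config for a 'one L3 VPN per college' campus.
All numbering and the IOS-like syntax are constructed for illustration."""
from typing import Dict, List

ASN = 65000            # constructed private ASN used in RD/RT values
HUB_RT = f"{ASN}:1"    # route-target exported by the hub (firewall) VRF
VLAN_BASE = 100        # college i gets VLAN VLAN_BASE + i in every building

def college_vrf(college: str, i: int) -> List[str]:
    """Spoke VRF for one college: exports its own RT but imports only the hub
    RT, so college-to-college traffic can only flow via the firewall VRF."""
    own_rt = f"{ASN}:{1000 + i}"
    return [f"vrf definition {college}", f" rd {own_rt}",
            " address-family ipv4",
            f"  route-target export {own_rt}",
            f"  route-target import {HUB_RT}",
            " exit-address-family"]

def hub_vrf(colleges: List[str]) -> List[str]:
    """Hub VRF where the 'firewall in the cloud' sits: imports every college
    RT and exports HUB_RT, which is what all the spokes import."""
    lines = ["vrf definition FIREWALL", f" rd {HUB_RT}",
             " address-family ipv4", f"  route-target export {HUB_RT}"]
    lines += [f"  route-target import {ASN}:{1000 + i}"
              for i in range(len(colleges))]
    return lines + [" exit-address-family"]

def building_subinterfaces(building: int, colleges: List[str],
                           uplink: str = "GigabitEthernet0/1") -> List[str]:
    """On the PE in one building: a dot1Q subinterface per college, placed in
    that college's VRF. Same VLAN id everywhere, building-specific /24."""
    lines: List[str] = []
    for i, college in enumerate(colleges):
        vlan = VLAN_BASE + i
        lines += [f"interface {uplink}.{vlan}",
                  f" encapsulation dot1Q {vlan}",
                  f" vrf forwarding {college}",
                  f" ip address 10.{building}.{i}.1 255.255.255.0"]
    return lines

def nac_vlan_map(colleges: List[str]) -> Dict[str, int]:
    """VLAN the NAC/RADIUS server hands back per college after 802.1x login
    (Tunnel-Private-Group-ID); identical in every building by construction."""
    return {c: VLAN_BASE + i for i, c in enumerate(colleges)}

COLLEGES = ["engineering", "arts", "medicine"]   # constructed sample

if __name__ == "__main__":
    for stanza in [hub_vrf(COLLEGES)] + [college_vrf(c, i) for i, c in enumerate(COLLEGES)]:
        print("\n".join(stanza))
    for b in (1, 2):
        print("\n".join(building_subinterfaces(b, COLLEGES)))
```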
