MPLS in the campus Network?

Youssef Ghorbal youssef.ghorbal at gmail.com
Fri Oct 21 20:18:07 UTC 2016


> FWIW, if I had to solve the "college across buildings with common
> access control" problem I would create MPLS L3 VPNs, one subnet
> per building (where it is a VLAN inside of a building), with a
> "firewall in the cloud" somewhere to get between VLANs with all
> of the policy in one place.
>
> No risk of the L2-across-buildings mess, including broadcast and
> multicast issues at L2.  All tidy L3 routing.  Can use a real
> firewall between L3 VPN instances to get real policy tools (AV, URL
> filtering, malware detection, etc.) rather than router ACLs.  Scales
> to huge sizes because it's all L3 based.

Until people start complaining that they can no longer auto-discover
their Time Capsule left in the other building, whereas their colleagues
in that other building can, etc. etc. All the fancy discovery protocols
break without L2 continuity!
Welcome to the campus network nightmare :)
For now, there is no perfect solution! Either you cope with L2 hell
or with user inconvenience (and yes, people tend to think that the
campus network is expected to work like their home network).

I've also stumbled upon some "Building Automation and Control
Networks" (BACnet/IP for instance) where each building has some
automata that all need to be in the same network segment.

> Combine with 802.1X port authentication and NAC, and in theory every
> L3 VPN could be in every building, with each port dynamically assigning
> the VLAN based on the user's login!  Imagine never manually configuring
> them again.  Write a script that makes all the colleges (20? 40? 60?)
> appear in every building, all attached to their own MPLS VPNs, and
> then the NAC handles port assignment.

Here again, it's perfect until you start coping with old stuff, all
the fancy new Ethernet-capable "things", or scientific/industrial
equipment. The "802.1X what? It's plug'n'play, man!" attitude.

(my experience is with research institutes/academia-type campuses)

Youssef Ghorbal
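The quoted reply suggests a script that puts every college's L3 VPN in every building and leaves port assignment to the NAC. The following is an added illustration of what such a generator looks like; it is not code from either poster or from any vendor. It assumes a constructed inventory (four colleges, three buildings), a private ASN of 65000, a campus supernet of 10.0.0.0/8, IOS-style "vrf definition" syntax for the per-building PE, and FreeRADIUS "users"-file style reply items carrying the RFC 3580 tunnel attributes. The RT design is hub-and-spoke: each college VRF exports its own route target and imports only the firewall VRF's, so college-to-college traffic has to transit the central firewall, which is the "policy in one place" property the reply wants.

```python
import ipaddress

# Constructed sample inventory (not from the original post).
COLLEGES = ["arts", "engineering", "medicine", "physics"]
BUILDINGS = ["bldg-a", "bldg-b", "bldg-c"]
CAMPUS_SUPERNET = ipaddress.ip_network("10.0.0.0/8")
ASN = 65000            # assumed private ASN used in RD/RT values
BASE_VLAN = 100        # college i gets VLAN BASE_VLAN + i in every building
HUB_RT = f"{ASN}:1"    # RT of the central firewall VRF ("firewall in the cloud")
MAX_VLAN = 4094


def allocate(colleges, buildings, supernet=CAMPUS_SUPERNET,
             college_prefix=16, building_prefix=24, base_vlan=BASE_VLAN):
    """Map (college, building) -> dict(vlan, subnet, gateway, rd, rt).

    Each college owns one VLAN ID (safe to reuse in every building, since the
    VLAN never leaves the building) and one L3 VPN (RD/RT).  Each college gets
    a college_prefix block of the supernet, carved into one building_prefix
    subnet per building, so building-to-building traffic is always routed.
    """
    if base_vlan + len(colleges) - 1 > MAX_VLAN:
        raise ValueError("not enough VLAN IDs for all colleges")
    college_blocks = supernet.subnets(new_prefix=college_prefix)
    plan = {}
    for c_idx, (college, block) in enumerate(zip(colleges, college_blocks)):
        vlan = base_vlan + c_idx
        per_building = block.subnets(new_prefix=building_prefix)
        for building, subnet in zip(buildings, per_building):
            plan[(college, building)] = {
                "vlan": vlan,
                "subnet": subnet,
                "gateway": next(subnet.hosts()),   # first usable host is the SVI
                "rd": f"{ASN}:{vlan}",
                "rt": f"{ASN}:{vlan}",
            }
    # zip() truncates silently; refuse to emit a plan that dropped anything
    if len(plan) != len(colleges) * len(buildings):
        raise ValueError("supernet too small for this many colleges/buildings")
    return plan


def render_pe_config(building, plan):
    """IOS-style VRF and SVI config for the PE router in one building.

    Every college VRF exports its own RT and imports only HUB_RT, so the only
    path between two colleges is via the firewall VRF (which imports all RTs).
    """
    lines = []
    for (college, bldg), a in sorted(plan.items()):
        if bldg != building:
            continue
        lines += [
            f"vrf definition {college}",
            f" rd {a['rd']}",
            " address-family ipv4",
            f"  route-target export {a['rt']}",
            f"  route-target import {HUB_RT}",
            "!",
            f"interface Vlan{a['vlan']}",
            f" description {college} users in {building}",
            f" vrf forwarding {college}",
            f" ip address {a['gateway']} {a['subnet'].netmask}",
            "!",
        ]
    return "\n".join(lines)


def render_radius_vlans(plan):
    """FreeRADIUS users-file style entries returned after a successful 802.1X
    authentication so the switch places the port in the user's college VLAN.

    The group check (Ldap-Group) is an assumption; a real NAC would key on
    whatever directory or certificate attribute identifies the college.
    Devices that cannot do 802.1X (the "plug'n'play" gear in the reply) would
    need separate MAC-authentication entries, which this does not generate.
    """
    vlan_by_college = {college: a["vlan"] for (college, _), a in plan.items()}
    out = []
    for college, vlan in sorted(vlan_by_college.items()):
        out += [
            f'DEFAULT Ldap-Group == "{college}"',
            "\tTunnel-Type = VLAN,",
            "\tTunnel-Medium-Type = IEEE-802,",
            f'\tTunnel-Private-Group-Id = "{vlan}"',
            "",
        ]
    return "\n".join(out)


if __name__ == "__main__":
    plan = allocate(COLLEGES, BUILDINGS)
    print(render_pe_config("bldg-b", plan))
    print(render_radius_vlans(plan))
```

The firewall VRF itself is deliberately left out of the generator: it is the one place that imports every college RT, and its policy is what decides which colleges may reach which, so it belongs in a hand-maintained (and reviewed) config rather than in a script that stamps out spokes.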