MPLS in the campus Network?
davidbass570 at gmail.com
Fri Oct 21 21:51:28 UTC 2016
This is exactly what we are recommending and building for our customers in that space. Most of the time the university network acts as a provider, so to me it only makes sense to use that type of tech. The biggest problem then is support, which could be something they are unwilling or unable to overcome.
> On Oct 21, 2016, at 1:45 PM, Leo Bicknell <bicknell at ufp.org> wrote:
> In a message written on Fri, Oct 21, 2016 at 12:02:24PM -0500, Javier Solis wrote:
>> In a campus network the challenge becomes extending subnets across your
>> core. You may have a college that started in one building with their own
>> /24, but now have offices and labs in other buildings. They want to stay on
>> the same network, but that's not feasible with the routed core setup
>> without some other technology overlay. We end up not being able to extend
>> the L2 like we did in the past and today we modify router ACLs to allow
>> communications. If you already have hundreds of vlans spanned across the
>> network, it's hard to get a campus to migrate to the routed core. I think
>> this may be one of Mark's challenges, correct me if I'm wrong please.
> FWIW, if I had to solve the "college across buildings with common
> access control" problem I would create MPLS L3 VPNs, one subnet
> per building (where it is a VLAN inside of a building), with a
> "firewall in the cloud" somewhere to get between VLANs with all
> of the policy in one place.
> No risk of the L2 across buildings mess, including broadcast and
> multicast issues at L2. All tidy L3 routing. Can use a real
> firewall between L3 VPN instances to get real policy tools (AV, URL
> Filtering, Malware detection, etc) rather than router ACLs. Scales
> to huge sizes because it's all L3 based.
> Combine with 802.1x port authentication and NAC, and in theory every
> L3 VPN could be in every building, with each port dynamically assigning
> the VLAN based on the user's login! Imagine never manually configuring
> them again. Write a script that makes all the colleges (20? 40? 60?)
> appear in every building all attached to their own MPLS VPNs, and
> then the NAC handles port assignment.
> Leo Bicknell - bicknell at ufp.org
> PGP keys at http://www.ufp.org/~bicknell/