Re: MPLS in the campus Network?

[Leo Bicknell <bicknell () ufp org>]

In a message written on Fri, Oct 21, 2016 at 12:02:24PM -0500, Javier Solis wrote:
> In a campus network the challenge becomes extending subnets across your
> core. You may have a college that started in one building with their own
> /24, but now have offices and labs in other buildings. They want to stay on
> the same network, but that's not feasible with the routed core setup
> without some other technology overlay. We end up not being able to extend
> the L2 like we did in the past and today we modify router ACL's to allow
> communications. If you already have hundreds of vlans spanned across the
> network, it's hard to get a campus to migrate to the routed core. I think
> this may be one of Marks challenge, correct me if I'm wrong please.

FWIW, if I had to solve the "college across buildings with common
access control" problem I would create MPLS L3 VPN's, one subnet
per building (where it is a VLAN inside of a building), with a
"firewall in the cloud" somewhere to get between VLAN's with all
of the policy in one place.

No risk of the L2 across buildings mess, including broadcast and
multicast issues at L2.  All tidy L3 routing.  Can use a real
firewall between L3 VPN instances to get real policy tools (AV, URL
Filtering, Malware detection, etc) rather than router ACL's.  Scales
to huge sizes because it's all L3 based.

Combine with 802.1x port authentication and NAC, and in theory every
L3 VPN could be in every building, with each port dynamically assigning
the VLAN based on the user's login!  Imagine never manually configuring
them again.  Write a script that makes all the colleges (20? 40? 60?)
appear in every building all attached to their own MPLS VPN's, and
then the NAC handles port assignment.

-- 
Leo Bicknell - bicknell () ufp org
PGP keys at http://www.ufp.org/~bicknell/

Attachment: _bin
Description: