RE: OT - Campus Path Isolation - MPLS, VRF-lite, etc.

From: Guyler, Rik (rguyler@shp-dayton.org)
Date: Thu May 31 2007 - 14:34:33 ART


Well, I was considering GRE with VRF-lite to avoid running PBR. I like the
simplicity of GRE but needed some way to push down a second default route
just for the guest SSID/VLAN and couldn't think of another way to do that
without using some form of VRF.
 
If you say p2mp GRE is an option as well I'll look into it. But is there
some provision to keep our default routes isolated from one another? That
was really my big need for the path isolation requirement.
 
Rik

  _____

From: Jian Gu [mailto:guxiaojian@gmail.com]
Sent: Thursday, May 31, 2007 12:56 PM
To: Tarun Pahuja
Cc: Guyler, Rik; Cisco certification; cisco@groupstudy.com
Subject: Re: OT - Campus Path Isolation - MPLS, VRF-lite, etc.

SPAN guest vlan across campus is not scalable, against the general
core-distribution-access rule, and will be a management nightmare. VRF lite
is not a good solution either, because that means you need to configure VLANs
on each L3 link.

Not sure why you are considering running GRE with VRF (i.e. vrf forwarding
configured on tunnel interface), you can configure p2mp GRE tunnels between
(L3) distribution switches and internet gateway, and put guest vlan
interfaces in the same VRF, no need to configure PBR.

On 5/31/07, Tarun Pahuja <pahujat@gmail.com> wrote:

Rik,
        Any specific reason you do not want to tie guest-Vlan to guest SSID,
SPAN that Vlan across the Campus? Guest-Vlan can be configured to only have
internet access. Of course, you can go vrf-lite route as many organizations
are doing it these days.

Thanks,
Tarun

On 5/31/07, Guyler, Rik <rguyler@shp-dayton.org> wrote:
>
> I'm looking into turning on guest wireless access across our campuses and
> looking into the various options for path isolation. We have a single entry
> point to the Internet in our network so some type of tunneling is what I
> have in mind but I'm not sure which method is the way to go.
>
> I've considered plain GRE tunnels (no VRF) but that would mean turning on
> PBR, which I really don't want to do. The switches performing the PBR are
> 6500 w/Sup720 so plenty of horsepower but still, I don't think it's the way
> to go. I've looked into MPLS through the campus and believe it's a good way
> to go as is VRF-lite (non-BGP VRF) but I'm not sure if they fit. I would
> only want to enable MPLS/VRF on the endpoints of the tunnels and not the
> devices in between. I believe this will work but not sure. I would also
> like to hear about any other possible path isolation options if they exist.
>
> I would GREATLY appreciate it if somebody could enlighten me on this
> subject. Any real-world experiences with campus guest access to share?
>
> Thanks,
>
> Rik
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
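
The default-route isolation asked about in this thread, sketched as an added configuration example that is not from any of the posters: a point-to-point GRE tunnel (not the p2mp variant) whose payload is routed in a guest VRF with its own default route, in Cisco IOS syntax. The VRF name, VLAN and interface numbers and all addresses are constructed assumptions.

```cisco
! --- Distribution switch (constructed example; all names/addresses assumed) ---
ip vrf GUEST
 rd 65000:110
!
interface Loopback0
 description Tunnel source, reachable through the global (corporate) table
 ip address 10.255.0.11 255.255.255.255
!
interface Vlan110
 description Guest SSID/VLAN gateway, member of the guest VRF
 ip vrf forwarding GUEST
 ip address 172.16.110.1 255.255.255.0
!
interface Tunnel10
 description GRE to Internet gateway; payload is routed in VRF GUEST
 ip vrf forwarding GUEST
 ip address 172.16.255.1 255.255.255.252
 tunnel source Loopback0
 tunnel destination 10.255.0.1
!
! Guest-only default route: installed in VRF GUEST, never in the global table
ip route vrf GUEST 0.0.0.0 0.0.0.0 Tunnel10 172.16.255.2
!
! --- Internet gateway ---
ip vrf GUEST
 rd 65000:110
!
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
!
interface Tunnel10
 ip vrf forwarding GUEST
 ip address 172.16.255.2 255.255.255.252
 tunnel source Loopback0
 tunnel destination 10.255.0.11
!
interface GigabitEthernet0/1
 description Guest hand-off toward the Internet edge (address is a placeholder)
 ip vrf forwarding GUEST
 ip address 192.0.2.2 255.255.255.252
!
! Guest traffic exits via the hand-off; return traffic goes back into the tunnel
ip route vrf GUEST 0.0.0.0 0.0.0.0 192.0.2.1
ip route vrf GUEST 172.16.110.0 255.255.255.0 Tunnel10 172.16.255.1
!
! Verify that the two defaults sit in separate tables:
!   show ip route vrf GUEST 0.0.0.0
!   show ip route 0.0.0.0
```

Because the tunnel source and destination resolve in the global table, only the two tunnel endpoints carry VRF configuration; devices in between forward ordinary GRE packets.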



This archive was generated by hypermail 2.1.4 : Fri Jun 01 2007 - 06:55:23 ART