RE: OT - Campus Path Isolation - MPLS, VRF-lite, etc.

From: David Prall (dcp@dcptech.com)
Date: Thu May 31 2007 - 14:49:19 ART


The VRFs will keep the 2 defaults isolated. Use the global table for your
typical users and the GRE tunnel source/destination. Use a VRF guest on the
GRE tunnel interface and the guest VLAN interface. Now the guests are stuck
in VRF guest, while your users are in the global table.

David

--
http://dcp.dcptech.com
  

> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On
> Behalf Of Guyler, Rik
> Sent: Thursday, May 31, 2007 1:35 PM
> To: 'Jian Gu'; Tarun Pahuja
> Cc: Cisco certification; cisco@groupstudy.com
> Subject: RE: OT - Campus Path Isolation - MPLS, VRF-lite, etc.
>
> Well, I was considering GRE with VRF-lite to avoid running
> PBR. I like the simplicity of GRE but needed some way to
> push down a second default route just for the guest SSID/VLAN
> and couldn't think of another way to do that without using
> some form of VRF.
>
> If you say p2mp GRE is an option as well I'll look into it.
> But is there some provision to keep our default routes
> isolated from one another? That was really my big need for
> the path isolation requirement.
>
> Rik
>
> _____
>
> From: Jian Gu [mailto:guxiaojian@gmail.com]
> Sent: Thursday, May 31, 2007 12:56 PM
> To: Tarun Pahuja
> Cc: Guyler, Rik; Cisco certification; cisco@groupstudy.com
> Subject: Re: OT - Campus Path Isolation - MPLS, VRF-lite, etc.
>
> SPAN guest vlan across campus is not scalable, against the general
> core-distribution-access rule, and will be a management nightmare.
> VRF lite is not a good solution either, because that means you need
> to configure VLANs on each L3 link.
>
> Not sure why you are considering running GRE with VRF (i.e. vrf
> forwarding configured on tunnel interface), you can configure p2mp GRE
> tunnels between (L3) distribution switches and internet gateway, and
> put guest vlan interfaces in the same VRF, no need to configure PBR.
>
> On 5/31/07, Tarun Pahuja <pahujat@gmail.com> wrote:
>
>     Rik,
>     Any specific reason you do not want to tie guest-Vlan to guest
>     SSID, SPAN that Vlan across the Campus. Guest-Vlan can be
>     configured to only have internet access. Of course, you can go
>     vrf-lite route as many organizations are doing it these days.
>
>     Thanks,
>     Tarun
>
>     On 5/31/07, Guyler, Rik <rguyler@shp-dayton.org> wrote:
> >
> > I'm looking into turning on guest wireless access across our
> > campuses and looking into the various options for path isolation.
> > We have a single entry point to the Internet in our network so some
> > type of tunneling is what I have in mind but I'm not sure which
> > method is the way to go.
> >
> > I've considered plain GRE tunnels (no VRF) but that would mean
> > turning on PBR, which I really don't want to do. The switches
> > performing the PBR are 6500 w/Sup720 so plenty of horsepower but
> > still, I don't think it's the way to go. I've looked into MPLS
> > through the campus and believe it's a good way to go as is VRF-lite
> > (non-BGP VRF) but I'm not sure if they fit. I would only want to
> > enable MPLS/VRF on the endpoints of the tunnels and not the devices
> > in between. I believe this will work but not sure. I would also
> > like to hear about any other possible path isolation options if
> > they exist.
> >
> > I would GREATLY appreciate it if somebody could enlighten me on
> > this subject. Any real-world experiences with campus guest access
> > to share?
> >
> > Thanks,
> >
> > Rik
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
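
The split David describes at the top of this message, sketched as an IOS-style configuration for one distribution switch. This is an added example, not configuration posted in the thread; the RD, interface and VLAN numbers and all addresses are assumptions (documentation and private ranges).

```cisco
! Added example, not from the thread. All names, numbers and addresses are assumed.
! Distribution switch: guests live in VRF "guest"; everything else stays global.
ip vrf guest
 rd 65000:10
!
! Tunnel endpoints (source/destination) are reachable through the global table.
interface Loopback0
 ip address 192.0.2.1 255.255.255.255
!
! The tunnel interface itself is placed in VRF guest, so guest packets entering
! or leaving the tunnel are looked up only in that VRF's routing table.
interface Tunnel10
 ip vrf forwarding guest
 ip address 10.255.10.2 255.255.255.252
 tunnel source Loopback0
 tunnel destination 192.0.2.254
!
! Guest VLAN SVI in the same VRF. Apply "ip vrf forwarding" before the
! address: assigning an interface to a VRF removes its existing IP address.
interface Vlan100
 ip vrf forwarding guest
 ip address 10.100.0.1 255.255.255.0
!
! Second default route: exists only in VRF guest and points into the tunnel.
ip route vrf guest 0.0.0.0 0.0.0.0 Tunnel10 10.255.10.1
!
! The users' default stays in the global table, untouched by the line above.
ip route 0.0.0.0 0.0.0.0 198.51.100.1
!
! Checks: the guest table should hold only the SVI, the tunnel and its default;
! the global table should contain no route for the guest subnet.
!   show ip route vrf guest
!   show ip route 10.100.0.0
```

The Internet-gateway end would mirror this, with its tunnel interface in VRF guest and a route for the guest subnet pointing back into the tunnel.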


