Re: OT - Campus Path Isolation - MPLS, VRF-lite, etc.

From: Tarun Pahuja (pahujat@gmail.com)
Date: Thu May 31 2007 - 15:35:12 ART


Rik,
       If you do decide to go the vrf-lite route, please take a moment to
look at the following link.

http://cisco.com/en/US/products/ps6604/products_white_paper09186a00801281f1.shtml

Thanks,
Tarun

On 5/31/07, David Prall <dcp@dcptech.com> wrote:
>
> The VRFs will keep the 2 defaults isolated. Use the global table for your
> typical users and the GRE tunnel source/destination. Use a VRF guest on the
> GRE tunnel interface and the guest vlan interface. Now the guests are stuck
> in VRF guest, while your users are in the global table.
>
> David
>
> --
> http://dcp.dcptech.com
>
>
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On
> > Behalf Of Guyler, Rik
> > Sent: Thursday, May 31, 2007 1:35 PM
> > To: 'Jian Gu'; Tarun Pahuja
> > Cc: Cisco certification; cisco@groupstudy.com
> > Subject: RE: OT - Campus Path Isolation - MPLS, VRF-lite, etc.
> >
> > Well, I was considering GRE with VRF-lite to avoid running
> > PBR. I like the simplicity of GRE but needed some way to
> > push down a second default route just for the guest SSID/VLAN
> > and couldn't think of another way to do that without using
> > some form of VRF.
> >
> > If you say p2mp GRE is an option as well I'll look into it.
> > But is there some provision to keep our default routes
> > isolated from one another? That was really my big need for
> > the path isolation requirement.
> >
> > Rik
> >
> > _____
> >
> > From: Jian Gu [mailto:guxiaojian@gmail.com]
> > Sent: Thursday, May 31, 2007 12:56 PM
> > To: Tarun Pahuja
> > Cc: Guyler, Rik; Cisco certification; cisco@groupstudy.com
> > Subject: Re: OT - Campus Path Isolation - MPLS, VRF-lite, etc.
> >
> >
> > SPAN guest vlan across campus is not scalable, against the general
> > core-distribution-access rule, and will be a management nightmare. VRF lite
> > is not a good solution either, because that means you need to configure VLANs
> > on each L3 link.
> >
> > Not sure why you are considering running GRE with VRF (i.e. vrf forwarding
> > configured on tunnel interface), you can configure p2mp GRE tunnels between
> > (L3) distribution switches and internet gateway, and put guest vlan
> > interfaces in the same VRF, no need to configure PBR.
> >
> >
> > On 5/31/07, Tarun Pahuja <pahujat@gmail.com> wrote:
> >
> > Rik,
> > Any specific reason you do not want to tie guest-Vlan to guest SSID,
> > SPAN that Vlan across the Campus? Guest-Vlan can be configured to only have
> > internet access. Of course, you can go vrf-lite route as many organizations
> > are doing it these days.
> >
> > Thanks,
> > Tarun
> >
> >
> > On 5/31/07, Guyler, Rik <rguyler@shp-dayton.org> wrote:
> > >
> > > > I'm looking into turning on guest wireless access across our campuses and
> > > > looking into the various options for path isolation. We have a single entry
> > > > point to the Internet in our network so some type of tunneling is what I
> > > > have in mind but I'm not sure which method is the way to go.
> > > >
> > > > I've considered plain GRE tunnels (no VRF) but that would mean turning on
> > > > PBR, which I really don't want to do. The switches performing the PBR are
> > > > 6500 w/Sup720 so plenty of horsepower but still, I don't think it's the way
> > > > to go. I've looked into MPLS through the campus and believe it's a good way
> > > > to go as is VRF-lite (non-BGP VRF) but I'm not sure if they fit. I would
> > > > only want to enable MPLS/VRF on the endpoints of the tunnels and not the
> > > > devices in between. I believe this will work but not sure. I would also
> > > > like to hear about any other possible path isolation options if they exist.
> > > >
> > > > I would GREATLY appreciate it if somebody could enlighten me on this
> > > > subject. Any real-world experiences with campus guest access to share?
> > >
> > > Thanks,
> > >
> > > Rik
> > >
> > >
> > > > _______________________________________________________________________
> > > > Subscription information may be found at:
> > > > http://www.groupstudy.com/list/CCIELab.html


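The layout David describes in the quoted reply above, sketched as Cisco IOS configuration for one distribution switch. This is an added example, not configuration posted by anyone in the thread: the VRF name `guest` comes from the thread, while the route distinguisher, interface numbers, next hops and addresses are assumptions.

```ios
! Constructed example: distribution switch side.
! All numbers and addresses below are assumptions, not values from the thread.
ip vrf guest
 rd 65000:100
!
! Tunnel endpoints stay in the global table (no "tunnel vrf" configured), so
! the GRE packets follow normal campus routing toward the Internet gateway.
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
!
! Guest SVI: placed in VRF guest, so guest hosts only ever see the guest table.
! "ip vrf forwarding" is entered before the address because it clears any
! address already configured on the interface.
interface Vlan100
 description Guest SSID / VLAN
 ip vrf forwarding guest
 ip address 192.168.100.1 255.255.255.0
!
! GRE tunnel interface: the passenger (inner) side is in VRF guest.
interface Tunnel100
 description Guest path to Internet gateway
 ip vrf forwarding guest
 ip address 192.168.255.1 255.255.255.252
 tunnel source Loopback0
 tunnel destination 10.255.0.254
!
! Second default route, present only inside VRF guest.
ip route vrf guest 0.0.0.0 0.0.0.0 Tunnel100
!
! The global table keeps its own default for regular users (next hop assumed).
ip route 0.0.0.0 0.0.0.0 10.0.0.1
```

To check the isolation, `show ip route vrf guest` should list only the guest subnet, the tunnel subnet and the tunnel default, while `show ip route` should contain none of the guest prefixes.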

This archive was generated by hypermail 2.1.4 : Fri Jun 01 2007 - 06:55:23 ART