RE: OT - Campus Path Isolation - MPLS, VRF-lite, etc.

From: David Prall (dcp@dcptech.com)
Date: Thu May 31 2007 - 16:27:01 ART


The key issue with p2mp is that keepalives aren't available, so the interface
will be up/up even without connectivity. So you are dependent on the routing
protocol. If you know what routes are missing and know where they belong, it
is easy enough to track down. But doing a sh ip int brief, seeing that
tunnel10 is down, and then sh run int tunnel10 having a description that says
closet X sure makes it easy to troubleshoot from both ends.

David

--
http://dcp.dcptech.com
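The arrangement described in this thread (tunnel endpoints in the global table, the tunnel's forwarding and the guest VLAN SVI in a "guest" VRF, a second default route that lives only in that VRF), written out as IOS configuration for the distribution-switch end. This is an added example, not configuration posted by anyone in the thread; the interface names, the VRF name "guest", the VLAN number and all addresses (RFC 1918 and RFC 5737 ranges) are assumptions. It uses the point-to-point GRE form, which is what the keepalive remark above applies to.

```ios
! --- Distribution switch (one closet); added example, all names/addresses assumed ---
!
ip vrf guest
 description Guest wireless - Internet only, no access to corporate routes
!
! Tunnel transport (source/destination) stays in the global table: there is
! deliberately NO "tunnel vrf guest" line. Only the tunnel's IP forwarding
! (the inside of the tunnel) is placed in VRF guest.
! "ip vrf forwarding" must come before "ip address", since applying it
! clears any address already on the interface.
interface Tunnel10
 description GRE to Internet gateway - closet X
 ip vrf forwarding guest
 ip address 10.255.10.2 255.255.255.252
 keepalive 10 3
 tunnel source Loopback0
 tunnel destination 192.0.2.1
!
! Guest SSID maps to this VLAN; its SVI lives in VRF guest, so guest hosts
! can only reach routes present in the guest table.
interface Vlan900
 description Guest wireless SSID - VRF guest
 ip vrf forwarding guest
 ip address 172.16.90.1 255.255.255.0
!
! Second default route, visible only inside VRF guest: everything from the
! guest VLAN goes into the tunnel toward the Internet gateway.
ip route vrf guest 0.0.0.0 0.0.0.0 Tunnel10
!
! Global default for corporate users is untouched (next hop assumed).
ip route 0.0.0.0 0.0.0.0 10.1.0.1
```

Checks worth running after applying this: `show ip route vrf guest` should contain only the connected 172.16.90.0/24, the tunnel link and the 0.0.0.0/0 via Tunnel10; `show ip route` (global) must not carry 172.16.90.0/24 or Tunnel10 at all, otherwise isolation is broken; `show ip interface brief` shows Tunnel10 line-protocol down when the far end stops answering keepalives, which is the troubleshooting shortcut David describes, and which a multipoint GRE tunnel does not give you since keepalives are only supported on point-to-point GRE. The gateway end mirrors this (Tunnel10 with `ip vrf forwarding guest`, source/destination in global); how VRF guest then reaches the Internet from the gateway (an outside interface placed in VRF guest, or a static with the `global` keyword) is not settled in the thread and is left out here.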
  

> -----Original Message-----
> From: Jian Gu [mailto:guxiaojian@gmail.com]
> Sent: Thursday, May 31, 2007 3:09 PM
> To: Guyler, Rik
> Cc: David Prall; Tarun Pahuja; Cisco certification; cisco@groupstudy.com
> Subject: Re: OT - Campus Path Isolation - MPLS, VRF-lite, etc.
>
> Sorry I missed a "NOT" in "Not sure why you are considering running GRE
> with VRF (i.e. vrf forwarding configured on tunnel interface)"; what I am
> trying to say is "Not sure why you are NOT considering running GRE with
> VRF" ... GRE itself won't isolate traffic without vrf configured.
>
> As you pointed out, the benefit of using p2mp GRE is that configuration
> is much easier on the internet gateway router.
>
> On 5/31/07, Guyler, Rik <rguyler@shp-dayton.org> wrote:
>
> Thanks David. That's pretty much what I thought the best approach was as
> well, so it's good to have some confirmation.
>
> My last question was really directed towards Jian Gu as he seemed against
> running VRF on the tunnel interfaces and appeared to say that p2mp GRE
> would somehow do what I needed, but I couldn't "see" the mechanism to keep
> the routing isolated. I do see p2mp GRE as a probable option since it
> would eliminate having so many tunnels on the Internet gateway router, but
> I believe VRF is still needed.
>
> -----Original Message-----
> From: David Prall [mailto:dcp@dcptech.com]
> Sent: Thursday, May 31, 2007 1:49 PM
> To: 'Guyler, Rik'; 'Jian Gu'; 'Tarun Pahuja'
> Cc: 'Cisco certification'; cisco@groupstudy.com
> Subject: RE: OT - Campus Path Isolation - MPLS, VRF-lite, etc.
>
> The VRFs will keep the 2 defaults isolated. Use the global table for your
> typical users and the GRE tunnel source/destination. Use a VRF guest on
> the GRE tunnel interface and the guest vlan interface. Now the guests are
> stuck in VRF guest, while your users are in the global table.
>
> David
>
> --
> http://dcp.dcptech.com
>
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf
> > Of Guyler, Rik
> > Sent: Thursday, May 31, 2007 1:35 PM
> > To: 'Jian Gu'; Tarun Pahuja
> > Cc: Cisco certification; cisco@groupstudy.com
> > Subject: RE: OT - Campus Path Isolation - MPLS, VRF-lite, etc.
> >
> > Well, I was considering GRE with VRF-lite to avoid running PBR. I like
> > the simplicity of GRE but needed some way to push down a second default
> > route just for the guest SSID/VLAN and couldn't think of another way to
> > do that without using some form of VRF.
> >
> > If you say p2mp GRE is an option as well I'll look into it. But is
> > there some provision to keep our default routes isolated from one
> > another? That was really my big need for the path isolation
> > requirement.
> >
> > Rik
> >
> > _____
> >
> > From: Jian Gu [mailto:guxiaojian@gmail.com]
> > Sent: Thursday, May 31, 2007 12:56 PM
> > To: Tarun Pahuja
> > Cc: Guyler, Rik; Cisco certification; cisco@groupstudy.com
> > Subject: Re: OT - Campus Path Isolation - MPLS, VRF-lite, etc.
> >
> > SPANning the guest vlan across the campus is not scalable, is against
> > the general core-distribution-access rule, and will be a management
> > nightmare. VRF lite is not a good solution either, because that means
> > you need to configure VLANs on each L3 link.
> >
> > Not sure why you are considering running GRE with VRF (i.e. vrf
> > forwarding configured on tunnel interface); you can configure p2mp GRE
> > tunnels between (L3) distribution switches and the internet gateway,
> > and put guest vlan interfaces in the same VRF, no need to configure PBR.
> >
> > On 5/31/07, Tarun Pahuja <pahujat@gmail.com> wrote:
> >
> > Rik,
> > Any specific reason you do not want to tie guest-Vlan to guest SSID,
> > SPAN that Vlan across the Campus? Guest-Vlan can be configured to only
> > have internet access. Of course, you can go the vrf-lite route, as many
> > organizations are doing it these days.
> >
> > Thanks,
> > Tarun
> >
> > On 5/31/07, Guyler, Rik <rguyler@shp-dayton.org> wrote:
> >
> > > I'm looking into turning on guest wireless access across our campuses
> > > and looking into the various options for path isolation. We have a
> > > single entry point to the Internet in our network so some type of
> > > tunneling is what I have in mind, but I'm not sure which method is the
> > > way to go.
> > >
> > > I've considered plain GRE tunnels (no VRF) but that would mean turning
> > > on PBR, which I really don't want to do. The switches performing the
> > > PBR are 6500 w/Sup720 so plenty of horsepower, but still, I don't
> > > think it's the way to go. I've looked into MPLS through the campus and
> > > believe it's a good way to go, as is VRF-lite (non-BGP VRF), but I'm
> > > not sure if they fit. I would only want to enable MPLS/VRF on the
> > > endpoints of the tunnels and not the devices in between. I believe
> > > this will work but am not sure. I would also like to hear about any
> > > other possible path isolation options if they exist.
> > >
> > > I would GREATLY appreciate it if somebody could enlighten me on this
> > > subject. Any real-world experiences with campus guest access to share?
> > >
> > > Thanks,
> > >
> > > Rik
> > >
> > > _______________________________________________________________________
> > > Subscription information may be found at:
> > > http://www.groupstudy.com/list/CCIELab.html



This archive was generated by hypermail 2.1.4 : Fri Jun 01 2007 - 06:55:23 ART