Re: OT - Campus Path Isolation - MPLS, VRF-lite, etc.

From: Jian Gu (guxiaojian@gmail.com)
Date: Thu May 31 2007 - 16:32:23 ART


A couple of caveats with mGRE: not all platforms support it, and even if a
platform supports it, it is most likely that traffic won't be hardware
forwarded, and you need to run NHRP.

But overall, it should just work.

On 5/31/07, Guyler, Rik <rguyler@shp-dayton.org> wrote:
>
> Okay, that makes more sense! Thought I was missing something there...
> ;-)
>
> Thanks to everybody for their input. I think GRE with VRF-lite sounds
> like the way to go so we'll head into that direction with this.
>
> Rik
>
> ------------------------------
> *From:* Jian Gu [mailto:guxiaojian@gmail.com]
> *Sent:* Thursday, May 31, 2007 3:09 PM
> *To:* Guyler, Rik
> *Cc:* David Prall; Tarun Pahuja; Cisco certification; cisco@groupstudy.com
> *Subject:* Re: OT - Campus Path Isolation - MPLS, VRF-lite, etc.
>
> Sorry I missed a "NOT" in "Not sure why you are considering running GRE
> with VRF (i.e. vrf forwarding configured on tunnel interface)"; what I am
> trying to say is "Not sure why you are NOT considering running GRE with VRF" ...
> GRE itself won't isolate traffic without vrf configured.
>
> As you pointed out, the benefit of using p2mp GRE is that configuration is
> much easier on the internet gateway router.
>
> On 5/31/07, Guyler, Rik <rguyler@shp-dayton.org> wrote:
>
> > Thanks David. That's pretty much what I thought the best approach was
> > as well so it's good to have some confirmation.
> >
> > My last question was really directed towards Jian Gu as he seemed
> > against running VRF on the tunnel interfaces and appeared to say that
> > p2mp GRE would somehow do what I needed but couldn't "see" the mechanism
> > to keep the routing isolated. I do see the p2mp GRE as a probable option
> > since it would eliminate having so many tunnels on the Internet gateway
> > router but I believe VRF is still needed.
> >
> > -----Original Message-----
> > From: David Prall [mailto:dcp@dcptech.com]
> > Sent: Thursday, May 31, 2007 1:49 PM
> > To: 'Guyler, Rik'; 'Jian Gu'; 'Tarun Pahuja'
> > Cc: 'Cisco certification'; cisco@groupstudy.com
> > Subject: RE: OT - Campus Path Isolation - MPLS, VRF-lite, etc.
> >
> > The VRFs will keep the 2 defaults isolated. Use the global table for
> > your typical users and the GRE tunnel source/destination. Use a VRF guest
> > on the GRE tunnel interface and the guest vlan interface. Now the guests
> > are stuck in VRF guest, while your users are in the global table.
> >
> > David
> >
> > --
> > http://dcp.dcptech.com
> >
> >
> > > -----Original Message-----
> > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf
> > > Of Guyler, Rik
> > > Sent: Thursday, May 31, 2007 1:35 PM
> > > To: 'Jian Gu'; Tarun Pahuja
> > > Cc: Cisco certification; cisco@groupstudy.com
> > > Subject: RE: OT - Campus Path Isolation - MPLS, VRF-lite, etc.
> > >
> > > Well, I was considering GRE with VRF-lite to avoid running PBR. I
> > > like the simplicity of GRE but needed some way to push down a second
> > > default route just for the guest SSID/VLAN and couldn't think of
> > > another way to do that without using some form of VRF.
> > >
> > > If you say p2mp GRE is an option as well I'll look into it.
> > > But is there some provision to keep our default routes isolated from
> > > one another? That was really my big need for the path isolation
> > > requirement.
> > >
> > > Rik
> > >
> > > _____
> > >
> > > From: Jian Gu [mailto:guxiaojian@gmail.com]
> > > Sent: Thursday, May 31, 2007 12:56 PM
> > > To: Tarun Pahuja
> > > Cc: Guyler, Rik; Cisco certification; cisco@groupstudy.com
> > > Subject: Re: OT - Campus Path Isolation - MPLS, VRF-lite, etc.
> > >
> > >
> > > SPANning the guest vlan across the campus is not scalable, goes against
> > > the general core-distribution-access rule, and will be a management
> > > nightmare. VRF lite is not a good solution either, because that means
> > > you need to configure VLANs on each L3 link.
> > >
> > > Not sure why you are considering running GRE with VRF (i.e. vrf
> > > forwarding configured on tunnel interface); you can configure p2mp
> > > GRE tunnels between (L3) distribution switches and internet gateway,
> > > and put guest vlan interfaces in the same VRF, no need to configure PBR.
> > >
> > >
> > > On 5/31/07, Tarun Pahuja <pahujat@gmail.com> wrote:
> > >
> > > Rik,
> > > Any specific reason you do not want to tie guest-Vlan to guest
> > > SSID and SPAN that Vlan across the Campus? Guest-Vlan can be configured
> > > to only have internet access. Of course, you can go the vrf-lite route as
> > > many organizations are doing it these days.
> > >
> > > Thanks,
> > > Tarun
> > >
> > >
> > > On 5/31/07, Guyler, Rik <rguyler@shp-dayton.org> wrote:
> > > >
> > > > I'm looking into turning on guest wireless access across our campuses
> > > > and looking into the various options for path isolation. We have a
> > > > single entry point to the Internet in our network so some type of
> > > > tunneling is what I have in mind but I'm not sure which method is the
> > > > way to go.
> > > >
> > > > I've considered plain GRE tunnels (no VRF) but that would mean turning
> > > > on PBR, which I really don't want to do. The switches performing the
> > > > PBR are 6500 w/Sup720 so plenty of horsepower but still, I don't think
> > > > it's the way to go. I've looked into MPLS through the campus and
> > > > believe it's a good way to go as is VRF-lite (non-BGP VRF) but I'm not
> > > > sure if they fit. I would only want to enable MPLS/VRF on the endpoints
> > > > of the tunnels and not the devices in between. I believe this will work
> > > > but not sure. I would also like to hear about any other possible path
> > > > isolation options if they exist.
> > > >
> > > > I would GREATLY appreciate it if somebody could enlighten me on this
> > > > subject. Any real-world experiences with campus guest access to share?
> > > >
> > > > Thanks,
> > > >
> > > > Rik
> > > >
> > > >
> > > > ______________________________________________________________________
> > > > Subscription information may be found at:
> > > > http://www.groupstudy.com/list/CCIELab.html
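As an added example that is not from any poster in this thread, here is the design David describes (guest VLAN and GRE tunnel in VRF guest, tunnel endpoints and normal users in the global table) written out as Cisco IOS configuration for one distribution switch and the Internet gateway. All addresses, interface names, the VRF name and the dedicated guest-firewall interface on the gateway are made up; it assumes the classic `ip vrf` syntax and that the two Loopback0 addresses are reachable through the campus IGP in the global table.

```cisco
! ===== Distribution switch (guest VLAN end) =====
ip vrf GUEST
 rd 65000:100
!
! Global-table loopback: tunnel source/destination stay in the global table
interface Loopback0
 ip address 192.0.2.10 255.255.255.255
!
! Guest SSID/VLAN SVI is placed in VRF GUEST
interface Vlan100
 ip vrf forwarding GUEST
 ip address 10.100.1.1 255.255.255.0
!
! Tunnel payload is in VRF GUEST; with no "tunnel vrf" configured, the
! outer GRE/IP header is routed via the global table, as David describes
interface Tunnel100
 ip vrf forwarding GUEST
 ip address 10.254.100.2 255.255.255.252
 tunnel source Loopback0
 tunnel destination 192.0.2.1
!
! Second default route, visible only inside VRF GUEST (no PBR needed)
ip route vrf GUEST 0.0.0.0 0.0.0.0 Tunnel100
!
! ===== Internet gateway (tunnel hub end) =====
ip vrf GUEST
 rd 65000:100
!
interface Loopback0
 ip address 192.0.2.1 255.255.255.255
!
interface Tunnel100
 ip vrf forwarding GUEST
 ip address 10.254.100.1 255.255.255.252
 tunnel source Loopback0
 tunnel destination 192.0.2.10
!
! Assumed: a dedicated guest-facing interface toward the guest firewall
interface GigabitEthernet0/1
 ip vrf forwarding GUEST
 ip address 198.51.100.2 255.255.255.252
!
ip route vrf GUEST 10.100.1.0 255.255.255.0 Tunnel100
ip route vrf GUEST 0.0.0.0 0.0.0.0 198.51.100.1
!
! Check isolation: the guest default exists in the VRF only, not in global
! show ip route vrf GUEST | include 0.0.0.0
! show ip route 0.0.0.0
```

For Jian's p2mp variant, the gateway's Tunnel100 would instead be configured with `tunnel mode gre multipoint` and NHRP so that every distribution switch shares one hub tunnel interface, which is where his platform-support and hardware-forwarding caveats apply.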



This archive was generated by hypermail 2.1.4 : Fri Jun 01 2007 - 06:55:23 ART