Thread: RE: OT - Campus Path Isolation - MPLS, VRF-lite, etc.




United States
2007-05-31 12:49:33
The VRFs will keep the 2 defaults isolated. Use the global table for your typical users and the GRE tunnel source/destination. Use a VRF guest on the GRE tunnel interface and the guest vlan interface. Now the guests are stuck in VRF guest, while your users are in the global table.

David

--
http://dcp.dcptech.com
  

> -----Original Message-----
> From: nobodygroupstudy.com [mailto:nobodygroupstudy.com] On Behalf Of Guyler, Rik
> Sent: Thursday, May 31, 2007 1:35 PM
> To: 'Jian Gu'; Tarun Pahuja
> Cc: Cisco certification; ciscogroupstudy.com
> Subject: RE: OT - Campus Path Isolation - MPLS, VRF-lite, etc.
>
> Well, I was considering GRE with VRF-lite to avoid running PBR. I like the simplicity of GRE but needed some way to push down a second default route just for the guest SSID/VLAN and couldn't think of another way to do that without using some form of VRF.
>
> If you say p2mp GRE is an option as well I'll look into it. But is there some provision to keep our default routes isolated from one another? That was really my big need for the path isolation requirement.
>  
> Rik
> 
>   _____  
> 
> From: Jian Gu [mailto:guxiaojiangmail.com]
> Sent: Thursday, May 31, 2007 12:56 PM
> To: Tarun Pahuja
> Cc: Guyler, Rik; Cisco certification; ciscogroupstudy.com
> Subject: Re: OT - Campus Path Isolation - MPLS, VRF-lite, etc.
> 
> 
> SPAN guest vlan across campus is not scalable, against the general core-distribution-access rule, and will be a management nightmare. VRF lite is not a good solution either, because that means you need to configure VLANs on each L3 link.
>
> Not sure why you are considering running GRE with VRF (i.e. vrf forwarding configured on tunnel interface), you can configure p2mp GRE tunnels between (L3) distribution switches and internet gateway, and put guest vlan interfaces in the same VRF, no need to configure PBR.
> 
> 
> On 5/31/07, Tarun Pahuja wrote:
>
> Rik,
> Any specific reason you do not want to tie guest-Vlan to guest SSID, SPAN that Vlan across the Campus? Guest-Vlan can be configured to only have internet access. Of course, you can go vrf-lite route as many organizations are doing it these days.
> 
> Thanks,
> Tarun
> 
> 
> On 5/31/07, Guyler, Rik wrote:
> >
> > I'm looking into turning on guest wireless access across our campuses and looking into the various options for path isolation. We have a single entry point to the Internet in our network so some type of tunneling is what I have in mind but I'm not sure which method is the way to go.
> >
> > I've considered plain GRE tunnels (no VRF) but that would mean turning on PBR, which I really don't want to do. The switches performing the PBR are 6500 w/Sup720 so plenty of horsepower but still, I don't think it's the way to go. I've looked into MPLS through the campus and believe it's a good way to go as is VRF-lite (non-BGP VRF) but I'm not sure if they fit. I would only want to enable MPLS/VRF on the endpoints of the tunnels and not the devices in between. I believe this will work but not sure. I would also like to hear about any other possible path isolation options if they exist.
> >
> > I would GREATLY appreciate it if somebody could enlighten me on this subject. Any real-world experiences with campus guest access to share?
> >
> > Thanks,
> >
> > Rik
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=121921&t=121921
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
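
The layout David describes in the reply at the top of this thread, sketched as an added example on a distribution switch (not configuration posted by anyone in the thread). The VRF name follows his wording; the interface numbers, RD and all addresses are constructed, taken from documentation ranges.

```ios
! Added example: guest traffic in VRF "guest", GRE transport in the global table.
! Interface numbers, RD and addresses are constructed (documentation ranges).
ip vrf guest
 rd 65000:100
!
interface Loopback0
 description GRE tunnel source, stays in the global table
 ip address 192.0.2.1 255.255.255.255
!
interface Vlan100
 description Gateway for the guest SSID/VLAN
 ! Apply "ip vrf forwarding" before the address: adding it to an
 ! interface later removes the IP address already configured there.
 ip vrf forwarding guest
 ip address 198.51.100.1 255.255.255.128
!
interface Tunnel100
 description GRE to the Internet gateway, payload routed in VRF guest
 ip vrf forwarding guest
 ip address 198.51.100.253 255.255.255.252
 ! No "tunnel vrf" here, so source and destination are resolved
 ! in the global table, as described in the reply.
 tunnel source Loopback0
 tunnel destination 192.0.2.254
!
! Guest default route exists only in VRF guest and points into the tunnel.
ip route vrf guest 0.0.0.0 0.0.0.0 Tunnel100 198.51.100.254
!
! Default route for typical users stays in the global table, untouched.
ip route 0.0.0.0 0.0.0.0 203.0.113.1
!
! Isolation check: each table should show only its own default route.
!   show ip route vrf guest
!   show ip route
```

The Internet gateway end mirrors the tunnel interface, with its own tunnel address in VRF guest and source/destination swapped. No route leaking between VRF guest and the global table should be configured, since that would undo the isolation of the two defaults.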

