This is exactly what we are recommending and building for our customers in that space. Most of the time the university network acts as a provider, so to me it only makes sense to use that type of tech. The biggest problem then is support, which could be something they are unwilling or unable to overcome.
> On Oct 21, 2016, at 1:45 PM, Leo Bicknell <bickn...@ufp.org> wrote:
>
> In a message written on Fri, Oct 21, 2016 at 12:02:24PM -0500, Javier Solis wrote:
>> In a campus network the challenge becomes extending subnets across your core. You may have a college that started in one building with their own /24, but now have offices and labs in other buildings. They want to stay on the same network, but that's not feasible with the routed core setup without some other technology overlay. We end up not being able to extend the L2 like we did in the past and today we modify router ACLs to allow communications. If you already have hundreds of vlans spanned across the network, it's hard to get a campus to migrate to the routed core. I think this may be one of Mark's challenges, correct me if I'm wrong please.
>
> FWIW, if I had to solve the "college across buildings with common access control" problem I would create MPLS L3 VPNs, one subnet per building (where it is a VLAN inside of a building), with a "firewall in the cloud" somewhere to get between VLANs with all of the policy in one place.
>
> No risk of the L2 across buildings mess, including broadcast and multicast issues at L2. All tidy L3 routing. Can use a real firewall between L3 VPN instances to get real policy tools (AV, URL Filtering, Malware detection, etc) rather than router ACLs. Scales to huge sizes because it's all L3 based.
>
> Combine with 802.1x port authentication and NAC, and in theory every L3 VPN could be in every building, with each port dynamically assigning the VLAN based on the user's login! Imagine never manually configuring them again. Write a script that makes all the colleges (20? 40? 60?) appear in every building all attached to their own MPLS VPNs, and then the NAC handles port assignment.
>
> --
> Leo Bicknell - bickn...@ufp.org
> PGP keys at http://www.ufp.org/~bicknell/
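Leo's sketch above (one L3 VPN per college, one subnet per building, a central firewall between the VPNs, and NAC-driven VLAN assignment) lends itself to the "write a script" step he mentions. The following is an added example written for this page, not code from either poster: it generates the per-college VRF route-target policy and per-building subnets, checks that no college VRF can see another college's routes except through the firewall VRF, and emits the RFC 3580 RADIUS attributes a NAC would return to drop a port into the right VLAN. The ASN, address plan, VLAN numbering and the IOS-style `vrf definition` rendering are constructed assumptions (the config fragment is illustrative, not vendor-verified).

```python
"""Generate a hub-and-spoke MPLS L3 VPN layout for a campus: one VRF per
college, one VLAN/subnet per (college, building), and a central firewall VRF
that is the only path between colleges.  Added example; all numbers below
(ASN, 10/8 plan, VLAN base) are constructed assumptions."""
import ipaddress
from dataclasses import dataclass, field

ASN = 65000                                  # assumed private ASN for RD/RT values
HUB_RT = f"{ASN}:1"                          # RT exported only by the firewall VRF
PLAN = ipaddress.ip_network("10.0.0.0/8")    # constructed campus address plan
VLAN_BASE = 100                              # college N gets VLAN 100+N in every building


@dataclass
class Vrf:
    name: str
    rd: str
    export_rts: set = field(default_factory=set)
    import_rts: set = field(default_factory=set)
    subnets: dict = field(default_factory=dict)  # building -> (vlan, IPv4Network)


def college_rt(college_idx: int) -> str:
    return f"{ASN}:{VLAN_BASE + college_idx}"


def building_subnet(college_idx: int, building_idx: int) -> ipaddress.IPv4Network:
    """One /24 per (college, building): 10.<college>.<building>.0/24."""
    base = int(PLAN.network_address) + ((college_idx << 16) | (building_idx << 8))
    return ipaddress.ip_network((base, 24))


def build_vrfs(colleges, buildings):
    """Spokes import only their own RT plus the hub RT; the hub imports every
    spoke RT.  Spoke-to-spoke traffic therefore has to transit the firewall."""
    firewall = Vrf("FIREWALL", f"{ASN}:1", export_rts={HUB_RT})
    vrfs = {}
    for i, college in enumerate(colleges):
        rt = college_rt(i)
        vrf = Vrf(college, f"{ASN}:{VLAN_BASE + i}",
                  export_rts={rt}, import_rts={rt, HUB_RT})
        firewall.import_rts.add(rt)
        for j, building in enumerate(buildings):
            vrf.subnets[building] = (VLAN_BASE + i, building_subnet(i, j))
        vrfs[college] = vrf
    vrfs["FIREWALL"] = firewall
    return vrfs


def can_reach_directly(vrfs, src: str, dst: str) -> bool:
    """True if dst's routes land in src's table without passing the firewall,
    i.e. src imports a route target that dst exports."""
    return bool(vrfs[src].import_rts & vrfs[dst].export_rts)


def render_vrf(vrf: Vrf, building: str) -> str:
    """IOS-style fragment for one building's PE (assumed syntax, illustrative)."""
    lines = [f"vrf definition {vrf.name}", f" rd {vrf.rd}", " address-family ipv4"]
    lines += [f"  route-target export {rt}" for rt in sorted(vrf.export_rts)]
    lines += [f"  route-target import {rt}" for rt in sorted(vrf.import_rts)]
    if building in vrf.subnets:              # the firewall VRF has no building SVIs
        vlan, prefix = vrf.subnets[building]
        gateway = prefix.network_address + 1
        lines += [f"interface Vlan{vlan}", f" vrf forwarding {vrf.name}",
                  f" ip address {gateway} {prefix.netmask}"]
    return "\n".join(lines)


def radius_vlan_attributes(college_idx: int) -> dict:
    """RFC 3580 attributes a NAC/RADIUS server returns on a successful 802.1X
    login so the switch puts the port into the college's VLAN."""
    return {"Tunnel-Type": 13,                # VLAN
            "Tunnel-Medium-Type": 6,          # IEEE-802
            "Tunnel-Private-Group-Id": str(VLAN_BASE + college_idx)}


if __name__ == "__main__":
    vrfs = build_vrfs(["Arts", "Engineering", "Law"], ["North", "South"])
    for college in ["Arts", "Engineering", "Law"]:
        print(render_vrf(vrfs[college], "North"), "\n")
    print("Arts -> Law direct:", can_reach_directly(vrfs, "Arts", "Law"))
    print("NAC reply for Law:", radius_vlan_attributes(2))
```

The route-target check is the part worth keeping in a real generator: the whole point of the design is that inter-college policy lives in one firewall, so a configuration where a spoke VRF imports another spoke's RT silently bypasses it. Running `can_reach_directly` over every pair before pushing the generated config catches exactly that mistake.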