> Date: Tue, 6 Jul 2010 18:19:37 -0500
> From: Richard Peasah <[email protected]>
> Subject: Dedicated Wireless VRF
>
> What are your thoughts on placing Wireless traffic in a dedicated VRF
> per department or college, etc (in the case of MPLS-based campus
> architecture) vs placing the Wireless traffic within the department's or
> college's data vlan/vrf? I prefer the dedicated VRF solution because it
> provides better traffic isolation, control, monitoring, and
> troubleshooting but I want to know what the group thinks. Thanks.
>

We're doing this here. For various reasons, we've actually got three VRFs that touch on the wireless.

The "wireless" VRF, which handles our IPv4/IPv6 publicly addressed WPA2-Enterprise SSID and our MAC authentication RFC1918 addressed SSID.

The "wireless-nat" VRF, which handles our RFC1918 addressed captive portal SSID, which passes through a NAT at the border.

The "guest" VRF, which is for all guest applications. The only current one is the guest SSID, but wired guest applications would go in here too. The traffic controls and NAT for the guest wireless occur way before the VRF border, but the VRF serves to put it logically outside the campus internal border.

The only cases that actually involve different treatment for the traffic are the "wireless-nat" and "guest" VRFs. But we're in a position to do special stuff more easily if we need to.

--
Andrew D. Clark
Network Operations Engineer
University of Minnesota, Networking/Telecom Services
2218 University Ave SE
Minneapolis, MN 55414-3029
Phone: 612-626-4880

**********
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
