That’s essentially what we do – we have our campus segmented with L3 MPLS VPNs (wired and wireless), one for staff, one for students and one for visitors. This simplifies firewall exception policies into a centralized management area. We have 8 /22s on each HA pair for staff that belong to the interface group ‘staff (g)’, and 8 /22s for students, and again, 8 /22s for visitors. It might be a bit of overkill (we’re at about 1650 APs and 10000 client devices a day), but I’d rather have too many IPs than not enough. Whether on the branded WiFi or eduroam, our staff/faculty end up in the same VRF, and our students end up in theirs. For visitors, our Visitor WiFi (captive portal, splash page, Acceptable Use Policy), or those that log on to eduroam with credentials, get in the visitor MPLS VRF and those IP ranges.
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jake Snyder
Sent: Thursday, September 24, 2015 6:21 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] eduroam in a Cisco environment

You can always do an interface group and use the name of the group instead of the vlan ID coming from Cloudpath. Just keep all interfaces in the group the same size.

Thanks
Jake Snyder
jsny...@compunet.biz
208-286-3015

Sent from my iPhone

On Sep 24, 2015, at 2:38 PM, Timothy Burns <bu...@unca.edu> wrote:

We are just now starting down the eduroam path. We are a Cisco shop and currently have our controllers pointed towards xpressconnect to onboard/authenticate our students. We currently have many interfaces on our controllers per building/SSID. We were thinking of collapsing many of those interfaces and have larger subnets and vlan tag the clients based on access we want to allow using the single "eduroam" ssid. So, for example, our local users will be placed in vlan 1 and eduroam users from different colleges would be placed in vlan 2 with internet only access. We have brought this up to our SE and VAR engineers and they are a little hesitant on this approach as they say the subnets will be too large. But, as I understand it, the broadcast messages are suppressed at the controller. Xpressconnect only supports 1 vlan tag so we were looking at using free radius and create different realms and vlan tag the clients based on end of the username (ex: @xxxx.edu). We still have ACS at our disposal as we were using it very heavily before using xpressconnect, so we thought it may be an option to bring that back into the picture and use it to tag the clients.

The answers I am looking to gain from this are:
Do you have eduroam deployed as your primary SSID or in addition to your SSIDs?
Do you separate/tag your eduroam users? If so, how (ACS/ISE/free radius, etc)?
How big are your wireless subnets?
Any opinions/suggestions/questions are welcome. Thanks again in advance.

--
Tim Burns
Junior Network Administrator
1 University Heights
Asheville, NC 28804
828-232-5013
bu...@unca.edu

********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
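The realm-based VLAN tagging Tim asks about (and the interface-group naming Jake suggests) can be expressed directly in FreeRADIUS. The following is an added illustration, not configuration from anyone in this thread or from the eduroam project: it assumes FreeRADIUS 3 syntax, uses unca.edu as the assumed local realm, and the home_server_pool name eduroam_flr and the WLC interface group names "local (g)" and "visitors (g)" are hypothetical and must match whatever is actually configured.

```conf
# --- proxy.conf (realm definitions) ---
# Assumed local realm: usernames ending in @unca.edu are ours and are
# authenticated locally. A realm with no auth_pool is never proxied.
realm unca.edu {
}

# Every other realm (e.g. visitor@otheruni.edu) is a roaming eduroam user and
# is proxied upstream. "eduroam_flr" is a hypothetical home_server_pool that
# must be defined separately with the federation-level RADIUS servers.
realm DEFAULT {
    auth_pool = eduroam_flr
    nostrip
}

# --- sites-enabled/default (only the sections that matter here) ---
authorize {
    # The stock "suffix" instance of rlm_realm splits user@realm on "@" and
    # sets the Realm attribute in the request. It must run before any module
    # that depends on Realm; the remaining authorize modules (eap, files, ...)
    # stay as in the stock configuration.
    suffix
}

post-auth {
    # On every Access-Accept, local or proxied, force the dynamic VLAN.
    # The ":=" operator replaces any Tunnel-* values a visitor's home
    # institution may have returned, so a remote site cannot choose a VLAN
    # on our controller. The WLC (with AAA Override enabled on the WLAN)
    # maps Tunnel-Private-Group-Id by name to an interface or interface
    # group, which is why a group name rather than a numeric VLAN ID works.
    if (Realm == "unca.edu") {
        update reply {
            Tunnel-Type := VLAN
            Tunnel-Medium-Type := IEEE-802
            Tunnel-Private-Group-Id := "local (g)"
        }
    }
    else {
        update reply {
            Tunnel-Type := VLAN
            Tunnel-Medium-Type := IEEE-802
            Tunnel-Private-Group-Id := "visitors (g)"
        }
    }
}
```

Two checks worth making after a change like this: confirm with `radtest` or a real client that a local user's Access-Accept carries the local group name and a proxied visitor's carries the visitor group name regardless of what the home server sent, and confirm on the WLC that the interface group names match exactly, since a mismatch silently drops the client onto the WLAN's default interface rather than failing the association.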