MPLS in the campus Network?

Compared to MPLS, a L2 solution with 100 Gb/s interfaces between
core switches and a 10G connection for each buildings looks so much
cheaper. But we worry about future trouble using Trill, SPB, or other
technologies, not only the "open" ones, but specifically the proprietary
ones based on central controller and lots of magic (some colleagues feel
the debug nightmare are garanteed).

If you had to make such a choice recently, did you choose an MPLS design
even at lower speed ?

A year ago we built NREN backbone using TRILL instead of MPLS.
40 POPs, no central controller, RFC standardized TRILL protocol
i.e. L2 routing using IS-IS, no STP.

See my recent presentation at http://md.bts.sk/sanet-100g-2.pdf
for more details.

Much easier to setup, operate & maintain than MPLS and obviously much
lower cost. Based on 6-months production experience, my recommendation
would be to stay away from MPLS in the campus.

  With kind regards,

     M.

I'd be curious to hear what MPLS-specific issues you faced in the 6
months you had to operate such a network.

Been running IP/MPLS Core, Edge and Access networks for over 15 years,
and apart from bugs which affect any protocol or feature implementation,
I can't say it has been a nightmare to operate to the point of not
recommending it.

I have far fewer words to say about STP, although - I'll admit - I've
never run TRILL.

Mark.

Our campus started off with L2 vlans spanning through the core, but we
migrated to routing in the core and moved our many spanning tree/broadcast
domains to the edge of buildings fronted by redundant routing with ecmp to
a redundant core utilizing ospf.

In a campus network the challenge becomes extending subnets across your
core. You may have a college that started in one building with their own
/24, but now have offices and labs in other buildings. They want to stay on
the same network, but that's not feasible with the routed core setup
without some other technology overlay. We end up not being able to extend
the L2 like we did in the past and today we modify router ACL's to allow
communications. If you already have hundreds of vlans spanned across the
network, it's hard to get a campus to migrate to the routed core. I think
this may be one of Marks challenge, correct me if I'm wrong please.

With that said, what are the best options to be able to cost effectively
scale without using vlans and maintaining a routed core? What technology
would someone suggest (mpls, vxlan,etc) to be the best possible solution?

Thank you to the participants in the discussion. I always enjoy reading
comments posted.

-Javier

In a message written on Fri, Oct 21, 2016 at 12:02:24PM -0500, Javier Solis wrote:

In a campus network the challenge becomes extending subnets across your
core. You may have a college that started in one building with their own
/24, but now have offices and labs in other buildings. They want to stay on
the same network, but that's not feasible with the routed core setup
without some other technology overlay. We end up not being able to extend
the L2 like we did in the past and today we modify router ACL's to allow
communications. If you already have hundreds of vlans spanned across the
network, it's hard to get a campus to migrate to the routed core. I think
this may be one of Marks challenge, correct me if I'm wrong please.

FWIW, if I had to solve the "college across buildings with common
access control" problem I would create MPLS L3 VPN's, one subnet
per building (where it is a VLAN inside of a building), with a
"firewall in the cloud" somewhere to get between VLAN's with all
of the policy in one place.

No risk of the L2 across buildings mess, including broadcast and
multicast issues at L2. All tidy L3 routing. Can use a real
firewall between L3 VPN instances to get real policy tools (AV, URL
Filtering, Malware detection, etc) rather than router ACL's. Scales
to huge sizes because it's all L3 based.

Combine with 802.1x port authentication and NAC, and in theory every
L3 VPN could be in every building, with each port dynamically assigning
the VLAN based on the user's login! Imagine never manually configuring
them again. Write a script that makes all the colleges (20? 40? 60?)
appear in every building all attached to their own MPLS VPN's, and
then the NAC handles port assignment.

FWIW, if I had to solve the "college across buildings with common
access control" problem I would create MPLS L3 VPN's, one subnet
per building (where it is a VLAN inside of a building), with a
"firewall in the cloud" somewhere to get between VLAN's with all
of the policy in one place.

No risk of the L2 across buildings mess, including broadcast and
multicast issues at L2. All tidy L3 routing. Can use a real
firewall between L3 VPN instances to get real policy tools (AV, URL
Filtering, Malware detection, etc) rather than router ACL's. Scales
to huge sizes because it's all L3 based.

Until people start complaining they can no more auto discover their
Time Capsule left in the other building whereas their colleagues in
the other building can etc etc. All fancy discover protocols breaks
without L2 continuity !
Welcome to the campus network nightmare
For now, there is no perfect solution ! either you cope with L2 hell
or users inconvenience (and yes people tend to think that the campus
network is expected to work as their home network)

I've also stumbled upon some "Building Automation and Control
Networks" (BACnet/IP for instance) where each building has some
automats that all needs to be in the same network segment.

Combine with 802.1x port authentication and NAC, and in theory every
L3 VPN could be in every building, with each port dynamically assigning
the VLAN based on the user's login! Imagine never manually configuring
them again. Write a script that makes all the colleges (20? 40? 60?)
appear in every building all attached to their own MPLS VPN's, and
then the NAC handles port assignment.

Here again, it's perfect until you start coping with old stuff, all
fancy new ethernet capable "things" or scientific/industrial
equipments. The "802.1x what ? it's plug'n play man !" attitude.

(my experience is with research institutes/academy kind of campuses)

Youssef Ghorbal

On Oct 21, 2016, at 4:18 PM, Youssef Ghorbal <youssef.ghorbal@gmail.com> wrote, in part:

Until people start complaining they can no more auto discover their
Time Capsule left in the other building whereas their colleagues in
the other building can etc etc. All fancy discover protocols breaks
without L2 continuity !

Minor Correction: Correctly configured*, an Airport Extreme basestation (Time Capsule or not) does not require L2 connectivity to discover. In fact, Wide Area is used for discovery of many services not necessarily reachable by L2 connectivity. Apple’s Back to My Mac service is one example.

*Apple’s "Back to My Mac” Wide Area Bonjour is enabled on an Airport basestation by entering appropriate Apple ID and password data in the Base Station tab as accessed by Airport Utility.

James R. Cutler
James.cutler@consultant.com
PGP keys at http://pgp.mit.edu

This is exactly what we are recommending and building for our customers in that space. Most of the time the university network acts as a provider, so to me it only makes sense to use that type of tech. The biggest problem then is support, which could be something they are unwilling or unable to overcome.

IME, MPLS is a good use-case here. If you are going to use the same /24
(or whatever prefix applies to you) across multiple locations, you will
need some kind of overlay. Be it IP-in-IP, GRE, MPLS (l2vpn's or
l3vpn's) or plain old Ethernet, you will need something.

MPLS makes a lot of sense to me. It's native in hardware, upper-layer
agnostic, mature, and reasonably affordable even at low scale. While I
would not say MPLS is simple from a "complexity in your network"
standpoint, it does provide a notable amount of simplicity when you're
looking for an overlay that is transparent to all manner of Layer 2 and
Layer 3 applications that a packet-based network needs to transport.

Mark.

> With that said, what are the best options to be able to cost effectively
> scale without using vlans and maintaining a routed core? What technology
> would someone suggest (mpls, vxlan,etc) to be the best possible solution?
  
IME, MPLS is a good use-case here. If you are going to use the same /24 (or
whatever prefix applies to you) across multiple locations, you will need some
kind of overlay. Be it IP-in-IP, GRE, MPLS (l2vpn's or l3vpn's) or plain old >

Ethernet, you will need something.

MPLS makes a lot of sense to me. It's native in hardware, upper-layer
agnostic, mature, and reasonably affordable even at low scale.

The question here is, whether MPLS is the *optimal* solution for campus needs.

The same functionality could be obviously achived by multiple technologies,
and while MPLS is well supported on high-end SP routers, various limitations
appear when people try to use it on commodity ASICs which typically empower
today's ethernet switches - one of them being e.g. limited ability to
effectively load-balance traffic over multiple parallel links.

Yes, in theory we could build all campus LANs using high-end SP routers, but
when 100GE backbone is desired (which is often the case in EDU/NREN sector),
the costs of such solution jump to unacceptable heights.

Thus we looked for another technology, which doesn't have the usual L2 problems
and is able to provide services we need (including L2 extensions to remote
campuses) at reasonable costs and with enough simplicity.

To avoid typical L2 problems, you clearly need a solution based on L3 routing.
And TRILL is exactly that - although it maintains L2 interface to the outside
world, internally it performs dynamic L3 routing by IS-IS protocol with all
safety belts like TTL check, RPF check etc.

IMHO, TRILL is much better fit for campus needs, since it was specifically
designed for this networking space - and our 6-months production fully confirms
that view (of course, YMMV).

   With kind regards,

       M.

I don't consider the ASR920 or CES2000 to be particularly high-end
routers, but YMMV.

True, merchant silicon presents a number of data plane challenges that
may, at first, seem non-trivial or completely go unnoticed. That is why
we stay away from the ACX5000, for example. I expect improvements to
come with newer-generation ASIC's/NP's, but that tests one's patience.

But, like I said, I have not run TRILL myself, so I'm not going to tell
you that it's not an ideal technology for this use-case. All I'll say is
that MPLS is not limited to high-end platforms, even when custom silicon
is involved.

Mark.