Design options for connecting isolated networks between metro sites?

Unanswered Question

I have the following situation:

* business Head Office (HO) and primary Data Centre (DC) are separated by ~5 km, "core" Cat6ks in each site, connected via 10 Gb/s fibre (utilisation under 5%)

* Internet connectivity is via an ASA at the DC

* HO has a Cisco wireless network, all wireless infrastructure (APs and WISMs) located at HO

* each site has separate address space

The business needs wireless guest internet access; the guest wireless is to be directly connected to the Internet (via NAPT). The guest access network must be completely isolated from the rest of the business ("completely" = layer 2 and above).

The question is thus: how best to connect a network segment in one location (guest wireless at the HO) to a network segment in another (the Internet link at the DC) whilst maintaining complete separation from the rest of the network?

I believe there are the following possible general solutions:

1. convert the existing L3 link HO-DC link to a trunk and simply carry the wireless VLAN over; requires the existing L3 /30 network to be moved to a new "point to point" VLAN (ptp=pruned from all other trunks)

2. use a tunnel to carry the guest VLAN over to the DC via the existing unmodified L3 link

and a solution peculiar to wireless guest access:

3. purchase an additional WLAN Controller for guest access and locate it at the DC (if I understand the wireless guest access stuff correctly, the HO WLCs can tunnel the guest SSID traffic over L3 to a dedicated "guest anchor" WLC in the DC; the guest WLC can then be connected directly to the ASA).

(and for completeness: 0. a physically separate network; this is not feasible; 4. a multitude of non-Cisco-supported solutions e.g. EoIP, tun, ...)

Of course there are pros and cons for each approach:

1. trunk

pros: comparatively easy to provision

cons: some people might shudder at a VLAN that spans buildings 5 km apart; requires attention to pruning to avoid VLANs leaking between sites; increases complexity of the existing HO-DC connection (was simple routed port, now a VLAN on a trunk); no redundancy (we have alternate L3 paths between HO and DC); HO address space shows up on ASA interface in the DC (looks messy), or vice-versa

2. tunnel

pros: no modifications to existing link required; takes advantage of L3 redundancy

cons: more config; (would need a L2TP tunnel; is there any other way in IOS of bridging two distant LAN segments? Alternately use plain GRE but will need VRFs at each end to ensure L3 segregation)

3. Guest Anchor WCS

pros: as 2., but "off the shelf" (right?)

cons: $

Clearly Cisco have considered this issue and hence the Guest Anchor feature; however I have very similar requirements coming up for other non-wireless projects.

Thanks in advance for any constructive comments.
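Option 2 from the post, written out as an added IOS VRF-lite example (this is not configuration from the original post): a plain GRE tunnel whose tunnel interface sits inside a VRF named GUEST on both Cat6ks, so the guest subnet and its default route never appear in the global routing table while the tunnel endpoints themselves ride the existing redundant L3 paths. VLAN 300, the VRF name, the Loopback0 endpoints (192.0.2.x placeholders) and the 10.200.0.0/16 addressing are all assumed.

```cisco
! ---- HO Cat6k (assumed) ----
ip vrf GUEST
 description Guest Wi-Fi; no route leaking to or from the global table
 rd 65000:300
!
vlan 300
 name GUEST-WIFI
!
! SVI for the guest SSID from the HO WLCs (VLAN 300 assumed)
interface Vlan300
 ip vrf forwarding GUEST
 ip address 10.200.0.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
 ip tcp adjust-mss 1436
!
! GRE (plaintext, as the post's option 2) terminated inside VRF GUEST;
! tunnel source/destination are resolved in the global table, so the
! tunnel follows whichever L3 path HO-DC currently has.
interface Tunnel300
 ip vrf forwarding GUEST
 ip address 10.200.255.1 255.255.255.252
 tunnel source Loopback0
 tunnel destination 192.0.2.2
 tunnel mode gre ip
!
! The only exit for guests is the tunnel; nothing is added to the global RIB
ip route vrf GUEST 0.0.0.0 0.0.0.0 Tunnel300 10.200.255.2
!
! ---- DC Cat6k (assumed) ----
ip vrf GUEST
 rd 65000:300
!
interface Tunnel300
 ip vrf forwarding GUEST
 ip address 10.200.255.2 255.255.255.252
 tunnel source Loopback0
 tunnel destination 192.0.2.1
 tunnel mode gre ip
!
! Dedicated routed link to the ASA guest interface; the ASA does the NAPT
interface GigabitEthernet1/1
 ip vrf forwarding GUEST
 ip address 10.200.254.1 255.255.255.252
!
ip route vrf GUEST 0.0.0.0 0.0.0.0 10.200.254.2
ip route vrf GUEST 10.200.0.0 255.255.255.0 Tunnel300 10.200.255.1
```

To confirm the separation, `show ip route vrf GUEST` on each box should list only the 10.200.x prefixes and `show ip route` (global) none of them; `ping vrf GUEST <corporate address>` should fail because the VRF has no path to it.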


drolemc Fri, 10/10/2008 - 12:01

Yes it works fine.

Based on the number of users in the branch, three design models can be used, each of which offers a certain amount of scalability. The choice of models is affected by requirements such as high availability, because some of the interfaces on the edge router do not support EtherChannels. If a server farm must be supported in the branch, the design must support the required port density to connect the small server farms and to meet the additional DMZ requirements. High, and advanced services add to the cost of the infrastructure. Layer 2 and Layer 3 switches do provide some alternatives to which software images can be used to keep the cost low while still providing high availability and scalability. Also, the infrastructure can be reused to migrate to advanced services if required without having to redesign.

For further information click this link.


This Discussion