[ednog] Techniques for overlays and walled gardens

John Kristoff jtk at northwestern.edu
Tue Apr 5 17:08:21 EDT 2005

I'm most interested in how other institutions are dealing with
'overlay', but also in some forms known commonly as walled garden.

We have a number of applications for separating certain groups of hosts
from other groups of hosts on our IP network both on a temporary basis
and permanently.  The temporary case is the now somewhat classic walled
garden method a lot of educational institutions are using for hosts that
are inflicted with some type of security problem (e.g. worm, any number
of the IRC-based bots).  On a permanent basis there are a number of
systems that are increasingly using TCP/IP such as those from an
institution's facilities or police departments where you do not need,
nor would you often want them, to be accessible from other systems
(e.g. temperature controls, video surveillance).

In the former case there are the DHCP/DNS switching techniques used by
something like NetReg or in our case Netpass, which switches a port's
VLAN membership to one that forces all traffic through a set of
boxes.  Scaling Netpass across a campus with a number of routers in
the path and where these networks span many geographic areas scales as
poorly as layer 2 and VLAN trunking scales.

In the latter case, physical separation might often be ideal, but not
always practical nor cost effective.  Even then in some cases a very
small set of outside hosts may need to 'manage' these otherwise private
systems.  Here again, there are potential scaling and management problems
with layer 2 solutions, private addressing, filters and other layer 3

We've also had some discussion about separating classes of users,
such as delineating between faculty, staff and students.  Perhaps
all three of these general scenarios have a common theme?

So we've begun investigating an MPLS deployment for at least the
first two general classes of problems described above.  I don't want
to turn this into a MPLS is [great|evil] thread, I am just interested
what others are doing and how they are doing it.

What have you done or what are you considering doing in these types
of scenarios?
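As an added illustration, not part of the original post and not code from NetReg, Netpass or any other product named in it, the following Python models the two cases the message describes: the temporary walled garden, where a host flagged for a worm or bot is switched into a quarantine scope, has every DNS name resolved to a remediation portal, and can reach only an allow-list of destinations; and the permanent case, where a facilities or surveillance segment is reachable only from a small set of management hosts. All addresses, MACs, scope names and the stand-in DNS table are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

# Constructed values for the example; none of these refer to a real campus network.
REMEDIATION_PORTAL = "10.255.0.10"   # page shown to quarantined users
PATCH_MIRROR = "10.255.0.20"         # updates needed to clean the host
QUARANTINE_SCOPE: Tuple[str, str] = ("10.255.0.0/16", "quarantine-vlan")
PRODUCTION_SCOPE: Tuple[str, str] = ("10.10.0.0/16", "production-vlan")
UPSTREAM_DNS: Dict[str, str] = {"www.example.edu": "192.0.2.80"}  # stand-in for a real resolver


def norm_mac(mac: str) -> str:
    """Canonical lowercase colon form so one NIC is one key whatever the source wrote."""
    digits = mac.replace(":", "").replace("-", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"bad MAC {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class HostRecord:
    mac: str
    quarantined: bool = False
    reason: str = ""


class WalledGarden:
    """Temporary case: flip an infected host into a quarantine scope and fence it there."""

    def __init__(self) -> None:
        self.hosts: Dict[str, HostRecord] = {}
        # The only destinations a quarantined host may still reach.
        self.allow: List = [ip_network(REMEDIATION_PORTAL + "/32"),
                            ip_network(PATCH_MIRROR + "/32")]

    def _rec(self, mac: str) -> HostRecord:
        key = norm_mac(mac)
        return self.hosts.setdefault(key, HostRecord(key))

    def quarantine(self, mac: str, reason: str) -> None:
        rec = self._rec(mac)
        rec.quarantined, rec.reason = True, reason

    def release(self, mac: str) -> None:
        rec = self._rec(mac)
        rec.quarantined, rec.reason = False, ""

    def dhcp_scope(self, mac: str) -> Tuple[str, str]:
        """DHCP side of the switch: which scope/VLAN the host's lease comes from."""
        return QUARANTINE_SCOPE if self._rec(mac).quarantined else PRODUCTION_SCOPE

    def dns_answer(self, mac: str, qname: str):
        """DNS side: a quarantined host gets the portal for every name it asks for."""
        if self._rec(mac).quarantined:
            return REMEDIATION_PORTAL
        return UPSTREAM_DNS.get(qname)

    def allowed(self, mac: str, dst_ip: str) -> bool:
        """Filter on the quarantine VLAN: default deny, allow-list only."""
        if not self._rec(mac).quarantined:
            return True  # production hosts fall under the normal policy, not this one
        dst = ip_address(dst_ip)
        return any(dst in net for net in self.allow)


class PrivateSegment:
    """Permanent case: devices that should never be reachable except by named managers."""

    def __init__(self, network: str, managers: List[str]) -> None:
        self.network = ip_network(network)
        self.managers = {ip_address(m) for m in managers}

    def permit(self, src_ip: str, dst_ip: str) -> bool:
        src, dst = ip_address(src_ip), ip_address(dst_ip)
        src_in, dst_in = src in self.network, dst in self.network
        if src_in and dst_in:
            return True                 # device-to-device traffic inside the segment
        if dst_in:
            return src in self.managers  # inbound only from the management hosts
        if src_in:
            return dst in self.managers  # outbound only back to those same hosts
        return True                      # traffic not touching this segment: not our concern
```

The two DHCP and DNS methods are the decision points a NetReg-style system has to make at lease and lookup time; keeping them keyed on the same normalised MAC is what stops a host from being quarantined by DHCP but still resolving names normally. The `PrivateSegment` check is deliberately symmetric: a surveillance or HVAC device that can only be reached from, and can only talk back to, its managers is the policy the post asks for, regardless of whether the separation is later built with VLANs, filters or MPLS VRFs.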


More information about the ednog mailing list