On Sat, Dec 28, 2013 at 8:09 AM, sten rulz <stenr...@gmail.com> wrote:
> Hello Baldur, > > Your design regarding proxy arp for every VLAN might hit some issues. If > you look at the nanog history you will find people having issues with proxy > arp for large number of VLANs, what is your requirement for proxy arp? > Doing something at the access switch will most likely be better for you > such as PVLAN or Brocade IP follow ve statement. If you are planning to put > clients on the same subnet what are you planning to put in place to limit > client stealing each other’s IPs? Only a few Brocade devices support the > ARP ACLs rules which are a really nice feature, IP Source Guard works > reasonable if using a DHCP server otherwise you need to specify the MAC > address. Some other brand switches support filtering the ARP packets per > access port. > This is a complex question that depends entirely on the capabilities of the equipment I can get. I was considering an OpenFlow solution, where this is easy: I would make rules that would only forward traffic with correct source IP from each VLAN. If the user tries something funny, nothing happens and his traffic is just dropped. But I am bit let down on the capabilities of current OpenFlow switches. Most only support OpenFlow 1.0 which is simply not good enough. That has no IPv6 support, which naturally is a requirement. I know about the HP offerings, but they only support 4k rules in hardware, which is a far cry from being enough. There is NoviFlow who are still working on getting me a quote. If they can give me a competitive price I might still consider OpenFlow. The problem is this: A conventional approach assigns a full IPv4 subnet to each user. This uses a minimum of 4 addresses of each user. I currently have to pay somewhere between $10 and $20 for each address and this will only become more expensive in the future. The users each have a unique VLAN (Q-in-Q). The question is, what do I put on those VLANs, if I do not want to put a full IPv4 subnet on each? My own answer to that is to have the users share a larger subnet, for example I could have a full class C sized subnet shared between 253 users/VLANs. To allow these users to communicate with each other, and so they can communicate with the default gateway IP, I will need proxy arp. And in a non-OpenFlow solution, also the associated security functions such as DHCP-snooping to prevent hijacking of IP addresses. Which devices can solve this task? To me the work seems quite simple. For outbound packets, check that the source IP matches the expected IP on the VLAN, then forward the packet according to the routing table. For inbound packets, lookup the destination IP and find the correct VLAN, then push the VLAN tag on the packet and forward it using the normal MAC lookup. For ARP packets, lookup the destination VLAN from the destination IP, change the VLAN tag and forward the packet. There is no reason a device should not be able to handle a large number of rules such as the above. The NoviSwitch will do it. However it appears that a lot of devices are quite limited in this regard. I could buy a router/switch for every few thousand users and split the work between them. Split the cost on many users, so the extra cost would probably not be prohibitive. This is the do the work at the edge solution, although I would be hosting the equipment in the same rack as the core router. But why fill a rack with equipment, to do simple dummy work, that should be manageable by a single device? Regards, Baldur