[solved] Network architecture (MPLS/VPLS)

Hello! I’m new here, but have been lurking the forums for a couple of weeks now.

I’m new to this kind of stuff in general, I don’t have any hands-on experience with the actual design and implementation of production networks. I’ve just read a lot of theory over the past handful of months. I’ve set up a couple of bench networks using MT routers, but haven’t yet achieved all of my goals listed below. Please bear with me :)

I’m thinking about how to convert a network of about 300 wireless subscribers from a flat bridged to a fully routed architecture. Here are the goals for the end network:

- Efficient IP address distribution without the use of PPPoE (we’ll be authenticating with MAC and DHCP, managed by Powercode)
- L2 communication between all customers to allow us to distribute a single public subnet
- As little broadcast traffic traversing backhaul links as possible
- All inter-subscriber traffic should go through the core, even if they’re on the same AP

The network is a tree topology, no tower sites have more than a single uplink (though in the future we’d like to leverage OSPF and add some redundant links).

How I went about accomplishing these goals in a test bench network:
Configured OSPF and loopback interfaces and set up MPLS LDP neighbours on all routers. Then created a VPLS tunnel for every PE router at the core, bridged them together, and created the corresponding VPLS tunnel endpoints at each of the PE routers. I added the VPLS tunnels on the PE routers to a bridge with the ethernet interfaces I wanted them bridged with. At this point I had successfully stretched out the LAN across various ports on my PE routers via the VPLS tunnels that were bridged at the core.

I thought that I could set the same horizon value on each of the AP interfaces on a particular PE router, leave the VPLS tunnel with a unique horizon value, and that would force traffic through the tunnel to the core.

For example, Cust_1 on PE_1 wants to talk to Cust_2 on PE_1; Cust_1’s port and Cust_2’s port have horizon value 1 and the VPLS tunnel has horizon value 2, and these three interfaces are bridged. When Cust_1 talks to Cust_2, their traffic would be forced down the VPLS interface, where the core would say, “Cust_2 is down the same tunnel”, send the traffic back, and it would go to Cust_2.

That simply doesn’t work. Cust_1 can’t even discover Cust_2’s MAC address because the ARP broadcast only goes down the VPLS tunnel to the core, which doesn’t know what to do with it because the core doesn’t have Cust_2’s IP address.

I haven’t had a chance to experiment with more options, but before I did I wanted to throw out my problem here to see if anyone has some ideas for a network architecture that meets the goals listed above.

Thank you for any advice offered!

Just wanted to post that I have figured this out, using the equivalent of Cisco’s “local proxy ARP” feature.

In my original post I mentioned wanting L2 communication between customers. That was wrong, I want L3 (IP) communication to be allowed and all L2 traffic to be blocked from traveling between customers.

I achieved my goals with the same network setup as written above. VPLS tunnels on PE routers going back to the core router; all VPLS tunnels bridged at the core, creating one large LAN. Then, split horizon bridging is used on all AP ports to stop traffic from going from one AP to another at the PE routers, where the AP port is bridged with the VPLS port.

It’s at this stage of the network that all customers would be able to reach the core of the network, but they can’t route to other customers in the same subnet since their broadcast and thus ARP traffic is blocked from going to the intended host.

Creating a bridge-nat rule that responds to all incoming ARP requests at the core fixed that. The core responds to ALL ARP requests on the VPLS LAN with its own MAC address. The host on the VPLS trying to communicate with another host inside the LAN then sends its packet to the core, where the core looks at the IP header, does its own ARP request to find that host, and then sends the packet on its way to the originally intended host.

Works excellently for my needs, I wanted to avoid PPPoE while still having L2 isolation and spreading out my public subnet to multiple sites. This achieves that, and lets me do simple MAC address based DHCP authentication to give people public IP addresses.
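The design described in the two posts above, written out as an added configuration example. This is not the poster's own config and not a MikroTik reference; it assumes RouterOS v6 CLI syntax, one core router acting as the VPLS hub and one tower-site PE router, and all addresses, interface names, VPLS IDs and the core's bridge MAC are constructed placeholders. It goes one step further than the post in one place: the VPLS ports at the core are also put in one horizon group, so subscriber frames can never cross tunnel-to-tunnel at the core either, and every customer-to-customer packet has to be routed by the core's IP stack.

```routeros
# ===== Underlay on every router (shown for the core; each PE uses its own /32) =====
# Loopback as a bridge with no ports, the usual RouterOS v6 idiom.
/interface bridge add name=lo
/ip address add address=10.255.0.1/32 interface=lo
/ip address add address=10.0.12.1/30 interface=ether1        # backhaul toward PE1 (constructed)
/routing ospf instance set default router-id=10.255.0.1
/routing ospf network add network=10.255.0.1/32 area=backbone
/routing ospf network add network=10.0.12.0/30 area=backbone
/mpls ldp set enabled=yes lsr-id=10.255.0.1 transport-address=10.255.0.1
/mpls ldp interface add interface=ether1

# ===== Core router: VPLS hub, gateway for the public subnet, local proxy ARP =====
/interface vpls
add name=vpls-pe1 remote-peer=10.255.0.11 vpls-id=100:1 disabled=no
add name=vpls-pe2 remote-peer=10.255.0.12 vpls-id=100:2 disabled=no
/interface bridge add name=br-cust
/interface bridge port
# Same horizon on every tunnel: frames from one PE are never flooded or
# switched to another PE; they can only be delivered to the core itself.
add bridge=br-cust interface=vpls-pe1 horizon=1
add bridge=br-cust interface=vpls-pe2 horizon=1
# The single public subnet lives on the bridge, so the core is every subscriber's gateway.
/ip address add address=203.0.113.1/24 interface=br-cust      # constructed public subnet
# Local proxy ARP: answer EVERY ARP request seen on the subscriber bridge with the
# core's own bridge MAC (constructed value; use the real MAC of br-cust).
# Subscribers therefore send subnet-local traffic to the core, which ARPs for the
# real target itself and routes the packet back out the correct tunnel.
/interface bridge nat
add chain=dstnat mac-protocol=arp arp-opcode=request action=arp-reply \
    to-arp-reply-mac-address=AA:BB:CC:00:00:01 comment="local proxy ARP for subscribers"

# ===== PE router at a tower site (PE1 shown) =====
/interface vpls add name=vpls-core remote-peer=10.255.0.1 vpls-id=100:1 disabled=no
/interface bridge add name=br-cust
/interface bridge port
# The tunnel carries no horizon value, so it may exchange frames with every AP port.
add bridge=br-cust interface=vpls-core
# All AP ports share one horizon group: a frame entering on ether2 is never
# forwarded to ether3 locally, so ARP, DHCP and unicast between customers on the
# same tower must go up the tunnel to the core.
add bridge=br-cust interface=ether2 horizon=1
add bridge=br-cust interface=ether3 horizon=1
```

Two practical notes. First, because every subscriber-to-subscriber packet is now routed by the core rather than switched, the core's `/ip firewall filter` forward chain sees all of it, which is where per-customer policy and logging belong in this design; a rogue DHCP server, ARP spoofing or traffic sniffing on one AP port cannot reach another customer's port. Second, VPLS adds label headers to every frame, so the MPLS MTU on the backhaul interfaces has to be raised above the customer-side MTU or large frames will be dropped silently inside the tunnels; check it before blaming the bridge configuration.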