which tunnel after eoip ?

rodolfo · August 24, 2010, 4:46pm

Hi all.
In my routed (ospf) network I use an eoip tunnel from each Access Point to a single pppoe-server.
This allow:

the traffic is not sniffable in backbone
my users cannot see my backbone routerboards.
I use pppoe-server and a radius to authenticate users

It works well but there are limits:

the eoip cannot use multiple routes in parallel from AP to pppoe-server
I cannot apply qos (i.e. using mpls) in intermediate routers

Does it exists a tunnel from Access Point to a concentrator giving the following possibilities:

use qos in the backbone
transport a kind of pptp tunnel from each user to a concentrator (but this is compatible with traffic engineering?)
using multiple routes in parallel

Thanks in advice for any hint.

magnavox · August 26, 2010, 11:01am

VPLS tunnels?

rodolfo · August 27, 2010, 6:13am

Thanks for your reply.
In VPLS tunnel, if I use pppoe, is it possibile to mangle packets ?

Muqatil · August 27, 2010, 9:24am

Hi Rodolfo,
I had similar setup a while ago, and i had your same requests..
I gave up with tunnels and set the PPPoE Servers on each AP and routed via OSPF to my gateways.
While it looks less secure:

The traffic is hardly sniffable cause i use nstreme (and soon nv2) on all my links, and there’s no nstreme tools to sniff aether traffic yet;
my backbone routerboards are hidden by the traceroute ttl trick (it only works for customers, i can still use traceroute on my network, and the access to internal IPs is locked
i use PPPoE on every AP and RADIUS centralized server (the RADIUS assigns public IPs dynamically)
I can use all the features of a routed network (Load balancing, QoS, redundancy)
I removed the eoip header from the traffic, allowing more throughput..

Good thing, it can be done smoothly, without too much downtime for the customers.. (Just a reboot on some APs)

rodolfo · August 28, 2010, 7:48am

thanks Renato.
without any tunnel from AP to gateway, all the traffic is sniffable from ethernets of backbone’s routers: did you plan to build vpls tunnels to avoid this?

if you have two gateways, how do you use them in load balancing (at user level) and in failover ?

thanks.

Rodolfo

Muqatil · August 28, 2010, 8:38am

If you have someone that have access to the ethernets of your routers, i think this might be a bigger issue to solve..
anyway the vpls tunnels in ethernet links might do the trick.
I’ve two gateways (BGP Peers) and the load balancing is done, not easly though..
Inbound traffic is balanced with more specific routes (/24) over bigger routes (/22) annunce
Radius Assigns specific ip ranges to APs (while it’s enabled to assign other IPs too)
Outbound traffic is balanced with OSPF
Everything is dynamic and failover enabled