I'll tell you what I implemented for a UBNT network that works rather well.

The AP was set in router mode with DHCP relay enabled up to the core.
The CPEs would have a management IP on a VLAN, and the AP was also on
this VLAN. This spanned sites, and segmented management from customer
traffic.
The CPEs had a VLAN for customer access (WDS bridge) and the customer
router would go to request DHCP and that request would get pushed up
by the AP to the core. We did have to track customer MACs, but it
wasn't bad.

Client isolation was enabled, which prevented a customer from plugging
a router in backwards and causing issues.

Each AP was given a DHCP pool in the core that handed out public IPs,
so the customer router was directly handed a public IP so there was
only one layer of NAT - this helped with VoIP, gaming issues on Xbox,
etc.

Inbound SSH was blocked on the WAN, as well as inbound NTP / DNS and a
few other things.

Procera handled the traffic shaping.

Worked very well.

On Tue, Apr 19, 2016 at 1:30 PM, That One Guy /sarcasm
<[email protected]> wrote:
> A lot of you guys use VLANs out on their networks for various things, I know
> some run full L2 networks with VLANs and some isolate APs and whatnot.
> Anybody want to share their implementation and justification behind the
> design as well as any limitations imposed?
>
>
> We are routed between POPs now for the most part and layer 2 on the entirety
> of the customer side. We rely on DHCP with reservations for CPE routers and
> static assignments for CPE bridge and infrastructure.
>
> --
> If you only see yourself as part of the team but you don't see your team as
> part of yourself you have already failed as part of the team.
