The management network was on RFC1918 space, no NAT, no outbound route, and BCP38 on the edge.

Oh, OSPF between sites.

On Apr 19, 2016 1:40 PM, "Adam Moffett" <[email protected]> wrote:
> Yeah I think the biggest appeal to me is the separation of management
> traffic. I presume you had a gateway IP on that VLAN somewhere north of
> the AP and then a firewall rule that only allowed access to that IP
> network/VLAN from within your office.
>
>
> On 4/19/2016 2:36 PM, Josh Reynolds wrote:
>
>> I'll tell you what I implemented for a UBNT network that works rather
>> well.
>>
>> The AP was set in router mode with DHCP relay enabled up to the core.
>> The CPEs would have a management IP on a VLAN, and the AP was also on
>> this VLAN. This spanned sites, and segmented management from customer
>> traffic.
>> The CPEs had a VLAN for customer access (WDS bridge) and the customer
>> router would go to request DHCP and that request would get pushed up
>> by the AP to the core. We did have to track customer MACs, but it
>> wasn't bad.
>>
>> Client isolation was enabled, which prevented a customer from plugging
>> a router in backwards and causing issues.
>>
>> Each AP was given a DHCP pool in the core that handed out public IPs,
>> so the customer router was directly handed a public IP so there was
>> only one layer of NAT - this helped with VoIP, gaming issues on Xbox,
>> etc.
>>
>> Inbound SSH was blocked on the WAN, as well as inbound NTP / DNS and a
>> few other things.
>>
>> Procera handled the traffic shaping.
>>
>> Worked very well.
>>
>> On Tue, Apr 19, 2016 at 1:30 PM, That One Guy /sarcasm
>> <[email protected]> wrote:
>>
>>> A lot of you guys use VLANs out on their networks for various things, I
>>> know some run full L2 networks with VLANs and some isolate APs and whatnot.
>>> Anybody want to share their implementation and justification behind the
>>> design as well as any limitations imposed.
>>>
>>>
>>> We are routed between POPs now for the most part and layer 2 on the
>>> entirety of the customer side. We rely on DHCP with reservations for
>>> CPE routers and static assignments for CPE bridge and infrastructure.
>>>
>>> --
>>> If you only see yourself as part of the team but you don't see your team
>>> as part of yourself you have already failed as part of the team.
>>>
>>
>

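As an added illustration, not code from any of the posters, here is a small audit of constructed flow records against the policy described in this thread: an RFC1918 management VLAN reachable only from the office and with no route out, inbound SSH/NTP/DNS dropped on the WAN side, and BCP38 source validation on egress. All prefixes, interface names and sample flows are assumptions made up for the example.

```python
import ipaddress
from collections import namedtuple

# Assumed prefixes, constructed for this example; the thread names none.
MGMT_NET = ipaddress.ip_network("10.200.0.0/16")        # RFC1918 management VLAN
OFFICE_NET = ipaddress.ip_network("10.10.0.0/24")       # only source allowed into MGMT_NET
OUR_PUBLIC = [ipaddress.ip_network("198.51.100.0/24")]  # our allocations, for BCP38 egress checks
BLOCKED_INBOUND = {22: "ssh", 123: "ntp", 53: "dns"}    # dropped when arriving on the WAN
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# iface is "wan" (arriving from upstream) or "lan" (from customers / APs toward the edge).
Flow = namedtuple("Flow", "iface src dst dport")

def is_rfc1918(addr) -> bool:
    # Explicit check: ipaddress' is_private also matches documentation ranges such as 203.0.113.0/24.
    return any(addr in n for n in RFC1918)

def violations(flow) -> list:
    # Names of the policy rules this flow breaks; an empty list means it is acceptable.
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    hits = []
    # Management VLAN is reachable only from the office, never from the WAN or customers.
    if dst in MGMT_NET and src not in OFFICE_NET:
        hits.append("mgmt-access-from-outside-office")
    # Management space has no route out: nothing sourced there may head anywhere else.
    if src in MGMT_NET and dst not in MGMT_NET and dst not in OFFICE_NET:
        hits.append("mgmt-outbound-route")
    # WAN-side inbound SSH / NTP / DNS is dropped.
    if flow.iface == "wan" and flow.dport in BLOCKED_INBOUND:
        hits.append("inbound-" + BLOCKED_INBOUND[flow.dport])
    # BCP38: traffic leaving toward the internet must carry one of our own public sources.
    if flow.iface == "lan" and not is_rfc1918(dst) and not any(src in n for n in OUR_PUBLIC):
        hits.append("bcp38-spoofed-source")
    return hits

# Constructed sample records, not captured traffic.
SAMPLE_FLOWS = [
    Flow("lan", "10.10.0.5", "10.200.1.20", 22),       # office -> AP management over SSH: fine
    Flow("wan", "203.0.113.9", "10.200.1.20", 22),     # internet -> AP management over SSH
    Flow("lan", "198.51.100.77", "10.200.1.20", 80),   # customer -> AP management web UI
    Flow("lan", "10.200.1.20", "8.8.8.8", 53),         # AP trying to reach the internet
    Flow("wan", "203.0.113.9", "198.51.100.77", 123),  # inbound NTP to a customer
    Flow("lan", "192.0.2.44", "203.0.113.9", 443),     # spoofed source heading out
    Flow("lan", "198.51.100.77", "203.0.113.9", 443),  # ordinary customer web traffic: fine
]

def audit(flows=SAMPLE_FLOWS) -> dict:
    # Map each offending flow ('src->dst:port') to the rules it violates.
    return {f"{f.src}->{f.dst}:{f.dport}": v for f in flows if (v := violations(f))}
```

Running `audit()` over the sample set flags five of the seven flows; the two that pass are the office-to-management SSH session and the customer's ordinary outbound web traffic.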