Too many MAC addresses on a leased line



  • Hi there,

    I work for the Atlas College in the Netherlands. It's an organization consisting of 5 separate locations/schools. We have a WAN connecting all the schools. The WAN connections are leased lines from an ISP (Ziggo). And we have run into a problem with the ISP. As it turns out they only allow a certain number of MAC addresses to go over the connection at a certain time. In the product description they mention a max of 100 addresses, which they doubled for us to 200.

    A school network consists of several broadcast networks, most importantly:

    • the LAN in which we connect all the school's PCs, printers and such
    • the guest LAN, which is available for students to connect their devices like smartphones, laptops and such.

    I have included a network diagram (in principle) to clarify.

    In a location LAN there are like 200-250 devices. The guest network is a /24 network without any free leases. So you can imagine we have problems… we have seen one half of a classroom receiving a DHCP lease while the other half is not able to connect. And more of such.

    A solution we have come up with is tunneling the traffic which goes over the leased line. In which case the ISP will only see the MAC addresses of the tunnel interfaces. But the problem I see is that the broadcast networks are not localized to the physical location. Every network has at least one interface in our central location: the gateway. And most of them have interfaces for monitoring purposes in the central location.

    So how would you guys go about solving this issue? Is a tunnel the way to go? I'm at a loss at the moment :S

    regards

    Peter Kaagman / Atlas College

    ![Atlas network in principal.png](/public/imported_attachments/1/Atlas network in principal.png)



  • You should really have a router at each side of the leased line, that's the typical deployment for such cases (and why them having a MAC limit is almost never an issue, almost nobody does what you're doing there). Then you only have two MAC addresses on the link, one of each router. The devices at each remote location will have to have their default gateway changed to the router's local IP, and each location will have to have its own IP subnet. The remote routers will all point their default gateway back to the central location's router.

    There are other benefits to splitting up the broadcast domains like that, for security reasons for one (something like a host infected with ARP poisoning malware, or a malicious user trying to do something at layer 2, will be isolated to that broadcast domain), and performance and avoidance of problems as another (someone accidentally creates a layer 2 loop as your network currently is, and the whole network melts down, and you're going to have a much harder time finding the problem. Split up the broadcast domains and it will only impact that one location).
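To make the reply above concrete, the following is an added example (not part of the original thread) that replays source MACs through a model of the carrier port, once with layer 2 bridged across the line and once with a router on each side. The device counts, MAC addresses, the 10.20.0.0/16 supernet and the first-come learning behaviour without aging are assumptions; only the limit of 200 comes from the thread.

```python
import ipaddress

MAC_LIMIT = 200  # per-line limit the ISP applies, as stated in the thread

def host_macs(site_id, count):
    """Constructed, locally administered MACs for `count` devices at one site."""
    return [f"02:00:00:{site_id:02x}:{i >> 8:02x}:{i & 0xff:02x}" for i in range(count)]

def carrier_port(frames, limit=MAC_LIMIT):
    """Replay source MACs through a port that learns at most `limit` addresses.
    Returns (learned, refused); a refused host gets nothing across the line."""
    learned, refused = [], []
    for src in frames:
        if src in learned or src in refused:
            continue
        (learned if len(learned) < limit else refused).append(src)
    return learned, refused

def bridged(hosts, central_gw_mac):
    """Layer 2 stretched over the line: each frame keeps its sender's MAC."""
    frames = []
    for h in hosts:
        frames += [h, central_gw_mac]  # host request, gateway reply
    return frames

def routed(hosts, site_router_mac, central_router_mac):
    """Router on each side: packets are re-framed, so only router MACs cross."""
    frames = []
    for _ in hosts:
        frames += [site_router_mac, central_router_mac]
    return frames

def plan_subnets(supernet, sites, prefix=23):
    """One subnet per location, carved from an assumed private supernet."""
    nets = ipaddress.ip_network(supernet).subnets(new_prefix=prefix)
    return {site: next(nets) for site in sites}

def compare(lan_devices=250, guest_devices=250, site_id=1):
    """Return (hosts refused when bridged, MACs seen when routed, refused when routed)."""
    hosts = host_macs(site_id, lan_devices + guest_devices)
    _, refused_l2 = carrier_port(bridged(hosts, "02:00:00:00:00:01"))
    seen_l3, refused_l3 = carrier_port(routed(hosts, "02:00:00:ff:00:01", "02:00:00:ff:00:02"))
    return len(refused_l2), len(seen_l3), len(refused_l3)

if __name__ == "__main__":
    print(compare())  # constructed device counts, see defaults above
    print(plan_subnets("10.20.0.0/16", ["central", "school-a", "school-b"]))
```

In the bridged case the hosts that show up after the table is full are the ones left without connectivity, which matches the half-a-classroom symptom described in the first post.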



  • Ke… thanks.. the answer I was afraid of... ;)



  • Owke….. having the subnet localized to physical location is a good idea. This means moving the subnet gateways to the other side of the line. Means I have to place routers on each side but this can be done. By using pfSense for that I can even do that with a reasonable budget... which is important for a school ;)

    But it does leave me with a problem:
    The monitor system I placed on my sketch is just that. A honeypot and management server which has interfaces in all subnets. The people who made the system (http://quarantainenet.nl) do have a solution for a distributed access layer (as they call it) but it involves proxy DHCP, proxy ARP and policy based routing. Of which I have only used proxy DHCP in the past.

    If I understand correctly:
    It would involve a pfSense box which would not need to do NAT, the WAN should remain routable. Policy based routing is making routing decisions based on firewall rules. And proxy ARP is a sort of virtual interface in a pfSense box.

    At the moment I do not have a clear picture of the network and settings I will have to make. Come Monday I will start making a lab for it and learn while I go along. Hope I can trouble you guys with some questions ;)

    Peter



  • The guest network is a /24

    Use a class B…   or something like 172.16.25.0/23  to get a larger subnet.

    Are your leased lines point to point or can they be configured as a "wagon wheel"?  Cloud?

    wagon wheel your honeypot could just be added to a spoke...



  • It's a point to point line…

    With a wagon wheel you mean:

    honeypot like /23 covering the guest subnets
    separate guest subnets /24

