CBRS, Accessing Layer 2 Behind a CPE

During the last few months, I’ve neglected my blog a bit because of my trips to WLPC Prague and Mexico, CWNP certifications, and regular day job responsibilities. So it’s time to catch up on a few posts that I started. Here are my impressions of Arista Networks at Mobility Field Day 8, with a tie-in to CBRS.

I just completed my CWISA certification, which focuses on different network types, from MBAN to WLAN to WWAN. My friends over at Celona talk about the concept of a 5GLAN. The CWNP C5S course and exam dig extensively into the concept of running CBRS as a LAN technology and not a WWAN. Cellular technology has been designed to be a WWAN technology, not a LAN technology. The CBRS network at my day job is not running Celona equipment, so I wanted to explore solutions for any CBRS network. At MFD8 Arista provided one solution to this problem, which I’ll discuss in a bit.

CBRS Layer 2 Tunnel Problem

Back around April 2021, I started exploring how to provide eduroam on a CPE device with CBRS as the backhaul. I have a school district with a baseball field where they would like to provide eduroam, cameras, and a few other services, and where running cables can be a challenge. We could use various P2P radios, but the school district is part of our CBRS pilot. The radios were in place; we just needed to install the CPE, as the area already had CBRS coverage.

The biggest challenge was that I didn’t want to lose Layer 2 insight into, and management access to, the devices connected behind the CPE. Another problem I wanted to prevent was a Layer 3 roam for Wi-Fi clients moving from an AP connected to the building to the CBRS-backhauled radios. This school site didn’t have the Layer 3 roam issue, being so far from the school, but other sites we are planning could. The Layer 3 roam issue could also happen if I installed multiple Wi-Fi APs connected with CBRS backhauls.

Some of these ideas require you to “Open your mind!” as Daniel Dib says in this tweet:

During that project, I came up with three main ways of extending a Layer 2 wireless network across the CBRS backhaul, all of them standards based: an IPsec tunnel, CAPWAP, or VXLAN.

IPsec Tunnel

IPsec adds a lot of overhead and setup, potentially including additional hardware. A site-to-site IPsec tunnel would work great if the CPE supports it. One thing to keep in mind: IPsec tunnel mode on its own carries IP packets, not Ethernet frames, so to actually extend Layer 2 you run an L2 encapsulation such as GRE, L2TPv3 or VXLAN inside the IPsec tunnel. What IPsec brings to the table is authentication and encryption of the tunneled frames, which VXLAN has none of and which CAPWAP only provides for client traffic when its optional data-channel DTLS is turned on. Cradlepoint and others do support IPsec tunnels. The Baicells CPE that I was using doesn’t support IPsec.

CAPWAP Tunnel

CAPWAP is an older standard (RFC 5415) that works very well for providing the Layer 2 tunnel. Historically, CAPWAP has been used to connect a Wi-Fi AP to a central controller and tunnel all client traffic back to it for security or management reasons. I originally tested with some old Ruckus R700 APs and a Ruckus ZoneDirector. The tunnel came up easily and didn’t require any additional servers. The only problem is that most Wi-Fi vendors are moving to cloud-based controllers, which makes an on-premises drop-off hard to implement.

This specific school district chose Juniper Mist for their Wi-Fi network. Juniper has a box called the Mist Edge that provides the CAPWAP tunnel drop-off. While exploring this project, we did a proof of concept with Juniper. Mist Edge runs as a physical appliance or a VM; we tested the physical appliance. It worked great; the only problem is that the cost of Mist Edge was beyond our budget constraints for the school district, so we returned the Mist Edge appliance. I’ve explored using open source options with Juniper Mist, as they say you don’t have to use Mist Edge. The other options have not worked for me.

VXLAN Tunnels – Arista Segmentation and Layer 2 Solution

The third solution is using VXLAN tunnels.

Our second breakout of Mobility Field Day 8 was presented by Arista Networks.

In preparing my list of questions for Arista at Mobility Field Day 8, VXLAN was at the very top. Arista uses standards-based VXLAN for tunneling between their APs and switches for segmentation. At the end of their presentation they discussed VXLAN and shared this slide:

The green circle on the slide specifically calls out VXLAN. For Arista, VXLAN lets you segment workloads and applications across the network. Arista’s goal with VXLAN is to replace CAPWAP tunnels and provide a better way to segment their wired and Wi-Fi networks. The cool thing is that you can extend this capability across a private cellular network, and it provides a Layer 2 tunnel.

You can set up VXLAN-capable switches or APs that are part of your regular infrastructure to drop the VXLAN traffic off on the regular network. No additional hardware or servers are required. Arista Wi-Fi APs or switches can act as one end of the tunnel (the VTEP), with an Arista or other capable switch acting as the other end. One caveat a practitioner should keep in mind: VXLAN itself (RFC 7348) has no authentication or encryption. Anything that can deliver UDP/4789 datagrams to the VTEP with the right VNI can inject frames into that segment, and VXLAN adds no protection of its own to the inner frames crossing the backhaul. At a minimum, restrict the receiving VTEP to the CPE side’s address and the VNIs it is supposed to carry, and run IPsec underneath if the backhaul isn’t trusted. VXLAN is a standard that many vendors are beginning to implement, but wide interoperability between vendors is still lacking. Hopefully this changes in the future.
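To make the VTEP role concrete, here is a small model of the receiving side: it builds a constructed ARP frame from a camera behind the CPE, wraps it in an RFC 7348 VXLAN header, and on the core side only releases frames from a configured peer VTEP on a permitted VNI into a mapped VLAN. This is an added example written for this post, not Arista, Juniper or Baicells code; the IP addresses, MACs, VNI 100 and VLAN 20 are all hypothetical.

```python
"""Minimal VXLAN VTEP model: encapsulate/decapsulate RFC 7348 frames and
apply a peer/VNI allow-list before a frame is released onto the local segment.

Added example for this post; not vendor code. Addresses, MACs and the
VNI/VLAN numbers below are constructed for illustration.
"""
import socket
import struct

VXLAN_UDP_PORT = 4789          # IANA-assigned VXLAN port
VXLAN_FLAG_I = 0x08            # "VNI valid" bit in the flags byte
VXLAN_HEADER_LEN = 8
ETH_HEADER_LEN = 14
ETHERTYPE_ARP = 0x0806


def vxlan_encap(inner_frame: bytes, vni: int) -> bytes:
    """Prepend the 8-byte VXLAN header: flags(1) rsvd(3) VNI(3) rsvd(1)."""
    if not 0 <= vni < 1 << 24:
        raise ValueError("VNI must fit in 24 bits")
    header = bytes([VXLAN_FLAG_I, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00"
    return header + inner_frame


def vxlan_decap(payload: bytes):
    """Return (vni, inner_ethernet_frame); raise on a malformed header."""
    if len(payload) < VXLAN_HEADER_LEN + ETH_HEADER_LEN:
        raise ValueError("payload too short for VXLAN + Ethernet headers")
    if not payload[0] & VXLAN_FLAG_I:
        raise ValueError("VXLAN I flag not set; no valid VNI")
    vni = int.from_bytes(payload[4:7], "big")
    return vni, payload[VXLAN_HEADER_LEN:]


def parse_ethernet(frame: bytes):
    """Return (dst_mac, src_mac, ethertype) from an Ethernet II header."""
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    return dst, src, ethertype


def build_arp_request(sender_mac: bytes, sender_ip: str, target_ip: str) -> bytes:
    """Constructed sample traffic: a broadcast ARP 'who-has' frame (42 bytes)."""
    eth = b"\xff" * 6 + sender_mac + struct.pack("!H", ETHERTYPE_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)      # Ethernet/IPv4, request
           + sender_mac + socket.inet_aton(sender_ip)
           + b"\x00" * 6 + socket.inet_aton(target_ip))
    return eth + arp


class Vtep:
    """Receiving VTEP that only accepts frames from configured peers/VNIs.

    VXLAN carries no authentication, so this allow-list is the whole admission
    control; a spoofed outer source IP would pass it, which is why IPsec
    between the VTEPs is the real fix on an untrusted backhaul.
    """

    def __init__(self, peers: dict, vni_to_vlan: dict):
        self.peers = peers              # remote VTEP IP -> set of permitted VNIs
        self.vni_to_vlan = vni_to_vlan  # VNI -> local VLAN to drop frames into
        self.drops = {}                 # drop reason -> count

    def _drop(self, reason: str):
        self.drops[reason] = self.drops.get(reason, 0) + 1
        return None

    def receive(self, outer_src_ip: str, outer_dst_port: int, payload: bytes):
        """Process one UDP datagram; return a dict describing the frame released
        to the local VLAN, or None if it was dropped."""
        if outer_dst_port != VXLAN_UDP_PORT:
            return self._drop("not_vxlan_port")
        allowed_vnis = self.peers.get(outer_src_ip)
        if allowed_vnis is None:
            return self._drop("unknown_vtep")
        try:
            vni, inner = vxlan_decap(payload)
        except ValueError:
            return self._drop("malformed")
        if vni not in allowed_vnis:
            return self._drop("vni_not_permitted")
        vlan = self.vni_to_vlan.get(vni)
        if vlan is None:
            return self._drop("vni_unmapped")
        dst, src, ethertype = parse_ethernet(inner)
        return {"vni": vni, "vlan": vlan, "src_mac": src.hex(":"),
                "dst_mac": dst.hex(":"), "ethertype": ethertype}


def demo():
    """A camera behind the CPE ARPs for its gateway; the frame crosses the backhaul."""
    camera_mac = bytes.fromhex("020000000a01")              # constructed
    frame = build_arp_request(camera_mac, "10.20.30.40", "10.20.30.1")
    datagram = vxlan_encap(frame, 100)
    core = Vtep(peers={"198.51.100.7": {100}}, vni_to_vlan={100: 20})
    good = core.receive("198.51.100.7", VXLAN_UDP_PORT, datagram)
    rogue = core.receive("203.0.113.9", VXLAN_UDP_PORT, datagram)
    wrong_vni = core.receive("198.51.100.7", VXLAN_UDP_PORT, vxlan_encap(frame, 200))
    return good, rogue, wrong_vni, core.drops


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the camera’s ARP arriving on VLAN 20 with its original source MAC intact (the Layer 2 visibility the post is after), while the same datagram from an unconfigured sender, or on an unexpected VNI, is counted and dropped. The drop counters are the kind of thing worth exporting as a detection signal: a non-zero `unknown_vtep` count means someone other than the CPE is sending VXLAN at your core switch.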

Solutions

At the school district, since CAPWAP was too expensive to implement and our equipment doesn’t support VXLAN or IPsec, I’ve had to drop the requirement for now. I don’t have insight into or access to the switch and cameras behind the CPE at the Layer 2 level. I do have control over the Mist AP because its management is in the cloud, but I lose access to any Wi-Fi clients. In the future, I want to continue exploring this concept with VXLANs.