An Internet service provider (ISP) provides network connectivity based on the needs of the clients. For a shared property, such as a multiple dwelling unit (MDU), an office building or a hotel with N units, common ISP deployments include the single demarc approach, the distributed demarc approach, and the specific configuration approach. However, these approaches are often too restrictive, too insecure, or too resource intensive for every situation.
The single demarc approach is when the ISP deploys a single, unified infrastructure to provide connectivity to the entire shared property. A single ISP demarc is present at a central location on the property. All of the units share the distribution infrastructure below the demarc to gain access to the Internet. This approach is most commonly found in hotels. Uplink media conversion is present at a central location on the property. A single, shared gateway is deployed south of the demarc and media conversion. Ethernet is then used to bring connectivity to the various parts of the property. Wireless access points are usually a part of the access infrastructure and often share the wired Ethernet distribution.
The single demarc usually means that provisioning a unit is relatively easy. This is because the distribution infrastructure remains static despite subscriber turnover. This ease of deployment comes with a price. Most shared distribution infrastructures allow every device to see every other device's unsecured traffic by default. Alternatively, some kind of link layer security (per-device isolation) can be enabled in an attempt to isolate individual devices from one another. The latter tends to prevent obvious forms of cross-device communication (e.g., it prevents network printing) but usually fails to address more serious issues such as traffic sniffing. Furthermore, per-device link level isolation mechanisms disable Apple mDNS, Microsoft LLMNR and other broadcast- and multicast-based discovery mechanisms, since those depend on devices being able to reach each other at the link layer. Enterprise, corporate and campus networks often use VLANs to deploy multiple layer 2 (L2) separated networks over a single physical Ethernet infrastructure. The networks are usually assigned to organizational groups (e.g., engineering, accounting, operations, etc.). VLANs can be applied to the single demarc approach for ISP deployments in MDUs, office buildings and hotels on a per-unit basis.
The distributed demarc approach involves the ISP placing the demarc within each individual unit. If the property is an MDU then this typically results in a residential gateway with media converter being deployed within each housing unit. If the property is a shared office building then a business router with media converter is typically deployed inside each office. Two common implementations of the distributed demarc approach involve the use of cable or DSL infrastructure within the property. The CMTS or DSLAM headend equipment is typically located on the property or nearby, with coax, copper, or fiber cables running between the headend and each unit. Cable or DSL modems are present in each unit and act as the residential gateways, which have integrated NAT routing, often with integrated wireless as well. Each unit on the property is treated in the same manner as if it were a separate property. The residential gateways provide DHCP and NAT routing, so the devices in each unit sit on their own privately addressed subnet.
The key benefit of the distributed demarc approach is per-unit isolation. The residential gateways and business routers provide each unit with its own private network. There is little possibility of the traffic from one unit accidentally or purposefully being accessed from a different unit. Furthermore, traffic within the same unit is fully accessible by all devices within the unit, thereby enabling the use of broadcast and multicast based protocols such as Apple's mDNS (aka Bonjour) and Microsoft's LLMNR for local device discovery. The key disadvantage of the distributed demarc approach is the time and cost associated with bringing a customer unit onboard. Residential gateways and business routers are typically installed when a unit is brought online and removed when the subscriber leaves the unit. This process usually involves a costly truck roll. Furthermore, the subscriber must wait for the truck roll to occur before Internet access is provisioned. The subscriber anxiety generated by the process results in measurable dissatisfaction in quality surveys. Additionally, implementing a distributed demarc network can lead to performance degradation due to wireless interference caused by each unit having its own separate wireless infrastructure.
A best of both worlds scenario results if a unique VLAN is assigned to each unit. A single demarc with shared distribution infrastructure enables simple physical layer subscriber on-boarding. The VLANs allow each unit to have its own private network, thus enabling the operation of Apple mDNS, Microsoft LLMNR and other communication between devices in the same unit. The unique VLAN for each unit blocks all cross-unit traffic at the link layer, which also defends against sniffing and other malicious behavior; the only point at which the per-unit VLANs meet is the shared gateway, so any cross-unit path at layer 3 must be filtered there.
The provisioning of a unique VLAN per unit is a practice that is used in small and medium scale ISP deployments with a closed distribution fabric. Examples of closed distribution fabrics include fully wired infrastructures as well as combinations of wired and point-to-point and point-to-multipoint wireless infrastructures. Closed distribution fabrics exclude any kind of Wi-Fi that has open SSIDs. The ISP keeps track of VLAN assignments on a back office system (sometimes as simple as a list on a spreadsheet) and then manually provisions VLANs on the distribution infrastructure and gateway.
This approach is easily applied to shared properties (e.g., the MDU, office building and hotel scenarios) when there is no Wi-Fi component. For example, in an office building with N units, if a wired distribution infrastructure is deployed such that each of the N units has its own independent wired Ethernet termination point, then a static VLAN assignment may be made on a per-switchport basis when the distribution network is installed.
Extending the per-unit VLAN approach either to an entirely wireless network or to a Wi-Fi component of a wired and wireless infrastructure network is difficult. Most forms of isolation for Wi-Fi networks are only able to isolate on a per-device basis. The Wi-Fi infrastructure must recognize which wireless nodes belong in which group in order to do logical separation of device groups. In such an infrastructure, units may be logically configured as groups.
It is possible to manually configure multiple SSIDs or create MAC address lists within the wireless infrastructure equipment to provide isolation within a single SSID on a small scale. Large scale per-group isolation on Wi-Fi is almost universally accomplished via dynamic VLAN assignment by a RADIUS server, which returns the VLAN for a session in the Access-Accept. The device-to-group mapping must still be manually entered into the RADIUS server, but this is usually less onerous than trying to manage multiple SSIDs and/or MAC lists within the Wi-Fi equipment itself.
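The following is an added example, not part of the original text, of the server-side half of dynamic VLAN assignment described above: given the NAS-reported Calling-Station-Id of a device, the authorization logic looks the device up in a constructed back-office mapping (device MAC to unit, unit to VLAN; the addresses and unit names are made up for illustration) and encodes the three RADIUS attributes that RFC 3580 specifies for placing an 802.1X or MAC-authenticated session into a VLAN: Tunnel-Type (64) = VLAN (13), Tunnel-Medium-Type (65) = IEEE-802 (6), and Tunnel-Private-Group-ID (81) carrying the VLAN ID as a string, all with the tagged encoding of RFC 2868. A device absent from the mapping gets Access-Reject, which is exactly why the mapping has to be populated before the device shows up. The packet framing (identifier, Response Authenticator) is left out; only the attribute payload is built and parsed.

```python
import re
import struct

# Attribute numbers from RFC 2868 and the VLAN / IEEE-802 values from RFC 3580.
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13        # Tunnel-Type value meaning "VLAN"
TUNNEL_MEDIUM_IEEE_802 = 6   # Tunnel-Medium-Type value meaning "IEEE-802"

# Constructed sample of the back-office data (hypothetical units and MACs):
# which unit each known device belongs to, and which VLAN each unit was given.
UNIT_VLAN = {"unit-101": 101, "unit-102": 102}
DEVICE_UNIT = {
    "aa:bb:cc:dd:ee:01": "unit-101",
    "aa:bb:cc:dd:ee:02": "unit-101",
    "aa:bb:cc:dd:ee:03": "unit-102",
}


def normalize_mac(calling_station_id):
    """Canonicalize a MAC as NAS vendors send it in Calling-Station-Id
    (AA-BB-CC-DD-EE-FF, aabb.ccdd.eeff, AABBCCDDEEFF, ...)."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", calling_station_id).lower()
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % calling_station_id)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def avp(attr_type, value):
    """Encode one RADIUS attribute: Type (1 byte), Length (1 byte, includes
    the two header bytes), Value (1..253 bytes)."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value length out of range")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def tagged_int(attr_type, tag, value):
    """Tagged integer attribute (RFC 2868): 1-byte tag + 3-byte big-endian value."""
    return avp(attr_type, bytes([tag]) + value.to_bytes(3, "big"))


def vlan_attributes(vlan_id, tag=1):
    """The three attributes a NAS needs to place the session into vlan_id."""
    if not 1 <= vlan_id <= 4094:          # 0 and 4095 are reserved in 802.1Q
        raise ValueError("VLAN ID out of range")
    return (
        tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
        + tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
        # Tunnel-Private-Group-ID carries the VLAN ID as a string, tag byte first.
        + avp(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode("ascii"))
    )


def authorize(calling_station_id):
    """Return (response code, attribute bytes) for a device identified by MAC.
    Unknown or malformed stations are rejected rather than dropped into a default VLAN."""
    try:
        mac = normalize_mac(calling_station_id)
    except ValueError:
        return ("Access-Reject", b"")
    unit = DEVICE_UNIT.get(mac)
    if unit is None:
        return ("Access-Reject", b"")
    return ("Access-Accept", vlan_attributes(UNIT_VLAN[unit]))


def parse_avps(blob):
    """Split a run of attributes back into (type, value) pairs, refusing
    truncated or undersized attributes instead of reading past the buffer."""
    out, i = [], 0
    while i < len(blob):
        if len(blob) - i < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = blob[i], blob[i + 1]
        if length < 3 or i + length > len(blob):
            raise ValueError("bad attribute length")
        out.append((attr_type, blob[i + 2:i + length]))
        i += length
    return out


def assigned_vlan(attrs):
    """Recover the VLAN ID a NAS would apply from encoded attributes, or None."""
    for attr_type, value in parse_avps(attrs):
        if attr_type == TUNNEL_PRIVATE_GROUP_ID:
            # Per RFC 2868 a first byte of 0x00..0x1F is the tag; a larger first
            # byte means the attribute is untagged and the whole value is the string.
            if value and value[0] <= 0x1F:
                value = value[1:]
            return int(value.decode("ascii"))
    return None


if __name__ == "__main__":
    for station in ("AA-BB-CC-DD-EE-01", "aabb.ccdd.ee03", "aa:bb:cc:dd:ee:99", "junk"):
        code, attrs = authorize(station)
        print(station, code, attrs.hex(), assigned_vlan(attrs))
```

The Tag byte is what lets a NAS tell which Tunnel-* attributes belong together when several tunnels are offered; for a single VLAN one tag suffices, but it still has to be the same across all three attributes or the NAS will ignore the set. Note that this policy identifies a device by its NAS-reported MAC address alone, so it isolates units from each other only to the extent that the MAC is not forged; it is the mapping's completeness, not the encoding, that is the operational burden in a shared property.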
A single entity operating its own network can easily deploy a Wi-Fi infrastructure using dynamic VLAN assignment with a RADIUS server when the IT personnel have knowledge regarding the set of all devices that will be allowed onto the network. If the set of devices is unavailable ahead of time then the IT personnel will certainly be in touch with people who wish to access the network. The exact opposite is true in a shared property scenario. None of the devices are known ahead of time and the ISP does not want to be in touch with customers every time there is a device change.
For the foregoing reasons, there is a need for a system that enables a service provider to deploy a network using the per-unit VLAN approach on a shared property with zero operator intervention.