This chapter explains how the VLAN fits together. The design does not pretend to be optimal, and work is in progress on an infrastructure that is both scalable and provides failover for broken links. As it is, though, it works.
The network is designed around the idea that there will be 3 to 4 major routing hubs (“NAPs”, for “Network Access Point”) to which everyone in a certain area connects. Currently there are just two of these NAPs, with work in progress to add a third. Each NAP has a subnet assigned in which all of its attached subnetworks live. The NAPs are connected to each other with a high-bandwidth link, in effect creating a multiple-star topology. The first diagram below shows how it should be; the next diagram shows how it is now.
Most interconnections between endpoints are point-to-point IPsec connections (in transport mode) which encapsulate a point-to-point GRE tunnel. The result is a plain IPv4 path between the endpoints, protected with strong encryption. The reason for choosing this GRE-over-IPsec construction is that IPsec by itself is fairly rigid about which network addresses it allows to be routed across an IPsec tunnel. Adding a GRE tunnel inside the IPsec tunnel circumvents that restriction and allows routing from arbitrary source addresses to arbitrary destination addresses. An added advantage is that multicast and friends have no problems crossing IPsec boundaries when GRE is used, which helps a lot when designing a dynamic routing scheme. Of course this scheme has disadvantages too, two of which are potential problems with packet fragmentation and the large header overhead.
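The two disadvantages named above, header overhead and fragmentation, come from the same place: every inner packet grows by the GRE header plus the ESP header, IV, padding, trailer and ICV, and the padding makes the growth step-wise rather than a constant. The following Python is an added example, not configuration from this network, that lays out the encapsulation byte by byte and computes the largest inner packet (the tunnel MTU) and TCP MSS that still fit the link without fragmenting the outer packet. It assumes IPv4 on both the delivery and the inner network, a minimal GRE header with no key/sequence/checksum options, ESP in transport mode as the text describes, and the standard IV, block and ICV sizes of three common ESP transforms; the transform names and constants are this example's own.

```python
"""Header overhead and MTU budget for GRE carried inside IPsec ESP transport
mode.  Added example, not this network's own configuration.  Sizes follow
RFC 2784 (GRE) and RFC 4303 (ESP); the per-transform IV/block/ICV sizes are
the usual ones and are assumptions of this example."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

OUTER_IPV4 = 20   # delivery IPv4 header; transport mode reuses it, no second copy
GRE_HDR = 4       # minimal GRE header: flags/version + protocol type, no options
ESP_HDR = 8       # SPI + sequence number
ESP_TRAILER = 2   # pad length + next header, inside the encrypted part
INNER_IPV4 = 20   # IPv4 header of the encapsulated packet
TCP_HDR = 20      # TCP header without options, used for the MSS figure


@dataclass(frozen=True)
class EspTransform:
    """Per-cipher-suite ESP sizes (assumed, typical values for these suites)."""
    name: str
    iv_len: int    # explicit IV carried right after the ESP header
    block: int     # alignment the encrypted part is padded up to
    icv_len: int   # integrity check value appended at the end


AES_CBC_HMAC_SHA1 = EspTransform("aes-cbc + hmac-sha1-96", iv_len=16, block=16, icv_len=12)
AES_CBC_HMAC_SHA256 = EspTransform("aes-cbc + hmac-sha256-128", iv_len=16, block=16, icv_len=16)
AES_GCM_16 = EspTransform("aes-gcm-16", iv_len=8, block=4, icv_len=16)


def esp_padding(plaintext_len: int, esp: EspTransform) -> int:
    """ESP padding bytes so that plaintext + padding + trailer is block-aligned."""
    return (-(plaintext_len + ESP_TRAILER)) % esp.block


def layout(inner_packet_len: int, esp: Optional[EspTransform]) -> List[Tuple[str, int]]:
    """Ordered on-the-wire segments of one tunnelled packet (plain GRE if esp is None)."""
    if esp is None:
        return [("outer IPv4", OUTER_IPV4), ("GRE", GRE_HDR), ("inner packet", inner_packet_len)]
    plaintext = GRE_HDR + inner_packet_len      # transport mode protects GRE + inner packet
    return [
        ("outer IPv4", OUTER_IPV4),
        ("ESP header", ESP_HDR),
        ("ESP IV", esp.iv_len),
        ("GRE", GRE_HDR),
        ("inner packet", inner_packet_len),
        ("ESP padding", esp_padding(plaintext, esp)),
        ("ESP trailer", ESP_TRAILER),
        ("ESP ICV", esp.icv_len),
    ]


def wire_size(inner_packet_len: int, esp: Optional[EspTransform]) -> int:
    """Total bytes the delivery network sees for one inner packet."""
    return sum(size for _, size in layout(inner_packet_len, esp))


def overhead(inner_packet_len: int, esp: Optional[EspTransform]) -> int:
    """Bytes added by the encapsulation; varies with padding, so it is not a constant."""
    return wire_size(inner_packet_len, esp) - inner_packet_len


def tunnel_mtu(link_mtu: int, esp: Optional[EspTransform]) -> int:
    """Largest inner packet whose encapsulation still fits link_mtu without
    fragmenting the outer packet.  Because the encrypted part is padded to the
    cipher block, this is computed from the block-aligned room, not as a
    simple link_mtu minus overhead."""
    if esp is None:
        return link_mtu - OUTER_IPV4 - GRE_HDR
    room = link_mtu - OUTER_IPV4 - ESP_HDR - esp.iv_len - esp.icv_len
    padded = room - room % esp.block             # encrypted part must be block-aligned
    return padded - ESP_TRAILER - GRE_HDR


def tcp_mss(link_mtu: int, esp: Optional[EspTransform]) -> int:
    """MSS value to clamp on the GRE interface so TCP never triggers fragmentation."""
    return tunnel_mtu(link_mtu, esp) - INNER_IPV4 - TCP_HDR


if __name__ == "__main__":
    for esp in (None, AES_CBC_HMAC_SHA1, AES_CBC_HMAC_SHA256, AES_GCM_16):
        name = esp.name if esp else "plain GRE, no IPsec"
        mtu = tunnel_mtu(1500, esp)
        print(f"{name:28s} tunnel MTU {mtu:4d}  TCP MSS {tcp_mss(1500, esp):4d}  "
              f"wire size at that MTU {wire_size(mtu, esp):4d}")
        for seg, size in layout(mtu, esp):
            print(f"    {seg:14s} {size:4d}")
```

Plain GRE over IPv4 gives the familiar 1476-byte tunnel MTU on a 1500-byte link; adding ESP with AES-CBC and HMAC-SHA1 drops it to 1434, and the padding means inner packets of 1435 to 1449 bytes all cost a full extra cipher block and overflow the link. Setting the GRE interface MTU to the `tunnel_mtu` value and clamping TCP MSS to `tcp_mss` is the usual way to keep the fragmentation problem mentioned above from appearing in the first place.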