Friday, December 29, 2017

New WISP Network - Is VPLS a Crazy Idea?

I am helping with planning a new network for a local WISP that my friend is starting. I have some networking background (college, had my CCNA years ago) but never in a service provider setting, and in my day-to-day job I am not doing much with routing and switching. I have the following working in GNS3 but have a couple of questions. Also, if anyone wants to tell me I am crazy or that I have gone about this completely wrong, I am open to any criticism.

Before I start my rambling, here are a couple of pictures of my test network and topology: http://ift.tt/2Ej6EuM

I will be setting up a router at each tower and then using a Mimosa A5C to deliver access to the clients using a Mimosa C5. Since the C5 can be auto-provisioned and managed from the AP itself with RADIUS, I will also have a RADIUS server in a data centre that our transport comes in to.

All the towers are set up on a 10.0.0.X/30 for each of the backbone interfaces. I have OSPF and MPLS set up to route the traffic back to the main tower and then over our transport provider back to the data centre. From the data centre the traffic will then be routed out to the internet via our interconnect provider (Hurricane Electric).

From the tower sites we have a VPLS tunnel for each tower terminating at the data centre. This allows us to have a RADIUS server in the data centre and use PPPoE if needed to route public IP addresses. Using VPLS, the tagged VLAN traffic is transported to each interface that is bridged with the Mimosa access points that the C5 bridges connect to. The networks are then terminated on our main router and routed out to the internet.

For now I am using VLANs and DHCP on a server in the data centre to hand out addresses. I only have a /26 but am looking at getting more, or implementing IPv6 and then using a translator to allow IPv4 access. Right now, though, the /26 should work well for what I need. At the towers the routers will hand out 10.0.X.0/24 addresses to the Mimosa C5 bridges. This allows them to connect to the network, provision from RADIUS and then get the customer router an IP address through the tunnel.

At the client site I have the Mimosa C5 bridges set up to connect to the Mimosa access points on our towers and then pass the traffic to the client depending on the VLAN. If the client is getting a NATed IP address they are put in VLAN 200. If the customer has a static, public IP they are put into VLAN 300. The port on the C5 bridge becomes an access port. For instance, if they are in VLAN 200 they would be able to plug a router in and the router would then get a WAN IP of 172.16.0.20. If they are in VLAN 300 they would get a WAN IP of 200.200.200.20 on the router. VLAN 100 is reserved for our management LAN and is how we can access the C5 bridges to configure and monitor the connections.

The main issues that I am concerned about:

  • Broadcast domains - Will this cause issues when using VPLS? I know I should have a routed network, but my fear is that when I am tunnelling it all back across a virtual layer 2 tunnel I am defeating the purpose of having a fully routed network.
  • VLAN performance - Is this the best way to hand out IP addresses with DHCP and keep our management and data networks separate?
  • Security for clients and our infrastructure - The Mimosa clients and tower access points have client isolation, and I have rules set up on the routers to not allow traffic between hosts. With the way the VLAN is configured, as far as I can tell the client can't have access to the C5 interface or any of our management network unless they were authenticated in RADIUS and then hooked up a laptop or such to their bridge that they programmed to get VLAN 100 data from.
  • Any way to do this without using VPLS - Again, am I taking a routed network, making it complicated and then just doing a bridged architecture anyway? Am I overcomplicating things?

Sorry for the long post. Again, any feedback is much appreciated.
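One way to sanity-check the segmentation concerns raised above, as an added example that is not part of the original post and is not the poster's router configuration: a small Python script that models the address plan (VLAN 100 management, VLAN 200 NATed customers, VLAN 300 public customers, the 10.0.0.X/30 backbone links) and a first-match allow/deny rule set of the kind the post says runs on the tower routers. It checks that no prefixes overlap and that customer hosts can never reach management, backbone links or each other. The concrete prefixes, the rule ordering and the checker itself are assumptions; the post only gives the VLAN numbers and address ranges.

```python
"""Added policy check for the VLAN/VPLS design above (not from the original post).

Models the address plan and a first-match allow/deny rule set of the kind the
post says runs on the tower routers, then checks two things a reviewer of this
design would want to know: that no prefixes overlap, and that customer hosts
can never reach management, backbone links or each other, even when traffic
for all towers lands in one bridged VPLS domain at the data centre.
"""
from ipaddress import ip_address, ip_network
from itertools import combinations

MGMT, NAT_CUSTOMERS, PUBLIC_CUSTOMERS = 100, 200, 300  # VLAN ids from the post

# Concrete prefixes are assumptions; the post only gives the VLAN numbers,
# a /26 of public space, 10.0.0.X/30 backbone links and 10.0.X.0/24 per tower.
VLANS = {
    MGMT: ip_network("10.0.1.0/24"),                 # tower 1 management / C5 bridges
    NAT_CUSTOMERS: ip_network("172.16.0.0/24"),      # customers behind NAT
    PUBLIC_CUSTOMERS: ip_network("200.200.200.0/26"),
}
BACKBONE_LINKS = [ip_network("10.0.0.0/30"), ip_network("10.0.0.4/30")]
ANY = ip_network("0.0.0.0/0")
CUSTOMER_NETS = [VLANS[NAT_CUSTOMERS], VLANS[PUBLIC_CUSTOMERS]]
INFRA_NETS = [VLANS[MGMT]] + BACKBONE_LINKS


def overlapping_prefixes(prefixes):
    """Pairs of prefixes that overlap; any hit is an address-plan error."""
    return [(a, b) for a, b in combinations(prefixes, 2) if a.overlaps(b)]


def evaluate(rules, src, dst):
    """First-match evaluation of (action, src_net, dst_net) rules, default deny."""
    src, dst = ip_address(str(src)), ip_address(str(dst))
    for action, src_net, dst_net in rules:
        if src in src_net and dst in dst_net:
            return action == "permit"
    return False


def segmentation_violations(rules, customer_nets, protected_nets):
    """(src, dst) prefix pairs where a customer host can reach a protected
    prefix or another customer host. One sample host per prefix suffices
    because the rules are prefix-based; a second host covers the
    same-prefix (client isolation) case."""
    violations = []
    for src in customer_nets:
        hosts = src.hosts()
        src_host, peer_host = next(hosts), next(hosts)
        for dst in protected_nets + customer_nets:
            dst_host = peer_host if dst == src else next(dst.hosts())
            if evaluate(rules, src_host, dst_host):
                violations.append((src, dst))
    return violations


# Rule set in the order it should be applied: deny customer -> infrastructure
# and customer -> customer before the broad "customers may reach the internet".
GOOD_RULES = (
    [("deny", c, p) for c in CUSTOMER_NETS for p in INFRA_NETS]
    + [("deny", c, d) for c in CUSTOMER_NETS for d in CUSTOMER_NETS]
    + [("permit", VLANS[MGMT], VLANS[MGMT])]      # NOC to bridges and APs
    + [("permit", c, ANY) for c in CUSTOMER_NETS]
)
# Same rules with the permit-to-anywhere placed first: an ordering slip that
# silently re-opens management and the backbone from the customer VLANs.
BAD_RULES = [("permit", c, ANY) for c in CUSTOMER_NETS] + GOOD_RULES


if __name__ == "__main__":
    print("overlaps:", overlapping_prefixes(list(VLANS.values()) + BACKBONE_LINKS))
    print("good rules:", segmentation_violations(GOOD_RULES, CUSTOMER_NETS, INFRA_NETS))
    print("bad rules:", segmentation_violations(BAD_RULES, CUSTOMER_NETS, INFRA_NETS))
```

The overlap check is worth running against the real plan: a tower whose bridge network is 10.0.0.0/24 would collide with the 10.0.0.X/30 backbone links. The second check is the one that matters for the "client isolation" question: because VPLS puts every tower's tagged traffic into one layer 2 domain at the data centre, the router rules (and their order) are what keeps VLAN 200/300 hosts away from VLAN 100 and from each other.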

1 comment:

  1. Hi there. Thanks for sharing my post from Reddit. This is a link to the original post: https://www.reddit.com/r/networking/comments/7mzghg/_/

    Feel free to keep this up, as more discussion is always welcome.