Extending MPLS/VPN to Customer Sites

Erich has encountered a familiar MPLS/VPN design challenge:

We have Cisco's 2901s with the data license running MPLS/VPN at customer sites (the classical PE is at the customer site). Should we use eBGP between the CPE router and the network edge router, some sort of iBGP route reflector design, or something completely different?

As usual, the answer is “it depends”, and what it depends on is primarily how much you trust the routers installed at the customer sites (the CPE routers).

CPE router is managed by the service provider

If the service provider considers the CPE routers trustworthy enough to be part of the MPLS/VPN backbone, we're dealing with a traditional MPLS/VPN network (admittedly an order of magnitude bigger than usual): the CPE router runs the backbone IGP, LDP and an iBGP VPNv4 session to the route reflectors like any other PE router.

If you don't want to extend the IGP to customer sites for scalability or performance reasons, use Inter-AS MPLS/VPN (Option B) between the CPE routers and the network edge routers: the CPE router becomes a PE router in its own autonomous system, and the network edge router becomes an ASBR exchanging VPNv4 routes (and labels) with it over an eBGP session. If you're running out of 16-bit private AS numbers, put all CPE routers in the same autonomous system; you'd obviously have to configure allowas-in on them, because routes from other customer sites arrive with their own AS number already in the AS path, and that also means the CPE routers lose the AS-path loop check. The 4-byte private AS range (4200000000 to 4294967294, RFC 6996) is an alternative if your routers support it.

CPE router is managed by the customer

A router you don't trust should never become part of your MPLS/VPN backbone: an iBGP VPNv4 peer can advertise routes with any route target (and thus inject prefixes into other customers' VRFs), and an IGP/LDP neighbor can advertise anything it likes into the backbone routing and label tables. I would also have qualms running Inter-AS MPLS/VPN (Option B) with it, because the edge router still has to accept labeled packets from it, and (as the security considerations of RFC 4364 point out) a label switching router cannot tell whether a label it receives on an interface is one it actually advertised to that particular peer. Should someone force this design on me, I'd use heavy inbound filters on the edge router: accept only VPNv4 routes carrying that customer's route targets, limit the number of prefixes, and protect the BGP session itself.
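The following Cisco IOS configuration is an added example (not from the original post) of the Inter-AS Option B design from the previous section, combined with the inbound filters I would insist on if an untrusted CPE router had to be connected this way. The AS numbers (100 for the service provider, 65000 shared by all CPE routers), the addresses, the route target 100:1001 and the prefix limit are assumptions made for the example.

```cisco
! --- Network edge router (ASBR in AS 100), link to customer A's CPE router ---
! Assumed addressing: 192.0.2.0/30 on the CPE link, 10.0.0.1 is a route reflector.
! Customer A is assumed to use route target 100:1001.
!
ip extcommunity-list standard CUST-A-RT permit rt 100:1001
!
! Accept only VPNv4 routes carrying this customer's route target.
! Routes with any other RT (for example another customer's) are dropped.
route-map CPE-A-IN permit 10
 match extcommunity CUST-A-RT
route-map CPE-A-IN deny 20
!
! Send only this customer's routes back to the CPE router.
route-map CPE-A-OUT permit 10
 match extcommunity CUST-A-RT
route-map CPE-A-OUT deny 20
!
interface GigabitEthernet0/1
 description Link to customer A CPE router (untrusted)
 ip address 192.0.2.1 255.255.255.252
 mpls bgp forwarding
!
router bgp 100
! The ASBR has no VRFs, so it must not discard VPNv4 routes whose RT it does not import.
 no bgp default route-target filter
 neighbor 192.0.2.2 remote-as 65000
 neighbor 192.0.2.2 description Customer A CPE (Inter-AS Option B)
! Harden the session: TCP MD5 password and GTSM (peer must be directly connected).
 neighbor 192.0.2.2 password CHANGE-ME
 neighbor 192.0.2.2 ttl-security hops 1
 neighbor 10.0.0.1 remote-as 100
 neighbor 10.0.0.1 update-source Loopback0
 !
 address-family vpnv4
  neighbor 192.0.2.2 activate
  neighbor 192.0.2.2 send-community extended
  neighbor 192.0.2.2 route-map CPE-A-IN in
  neighbor 192.0.2.2 route-map CPE-A-OUT out
! Tear the session down (and retry after 5 minutes) if the CPE sends more than 500 routes.
  neighbor 192.0.2.2 maximum-prefix 500 restart 5
  neighbor 10.0.0.1 activate
  neighbor 10.0.0.1 send-community extended
! Backbone routers reach the CPE-originated routes through this ASBR.
  neighbor 10.0.0.1 next-hop-self
 exit-address-family
!
! --- CPE router (PE in AS 65000): only the part that differs from a regular PE ---
router bgp 65000
 neighbor 192.0.2.1 remote-as 100
 !
 address-family vpnv4
  neighbor 192.0.2.1 activate
  neighbor 192.0.2.1 send-community extended
! All CPE routers share AS 65000, so routes from other sites arrive with
! 65000 already in the AS path; allowas-in disables the loop check for them.
  neighbor 192.0.2.1 allowas-in
 exit-address-family
```

The CPE router keeps the default route-target filter (it has VRFs, so it only installs VPNv4 routes whose RT it imports), which is exactly the behaviour you want on the untrusted side; the explicit filters on the ASBR are what stops the CPE router from touching other customers' VPNs.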

The ideal solution would be the Carrier's Carrier (CsC) architecture, which was designed to address exactly this type of requirement: the customer's CPE routers become PE routers of the customer's own MPLS/VPN network, the service provider carries only the customer's internal (loopback) routes plus labels in that customer's VRF, and the customer's VPNv4 routes are exchanged between the customer's routers and never enter the service provider's BGP tables.
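As an added example (again not from the original post), here is the Cisco IOS configuration of the Carrier's Carrier design: the service provider PE router treats the customer's CPE router as a CsC-CE and exchanges IPv4 routes with labels over the PE-CE link, while the CPE router runs its VPNv4 session directly to another customer site. The AS numbers (100 for the provider, 65001 for the customer), the VRF name, RD/RT 100:2001, the addresses and the loopbacks 172.16.0.1 and 172.16.0.2 are assumptions made for the example.

```cisco
! --- Service provider PE (AS 100): customer A's CPE router is a CsC-CE ---
! Assumed: VRF CARRIER-A with RD and RT 100:2001, PE-CE link 192.0.2.0/30.
!
ip vrf CARRIER-A
 rd 100:2001
 route-target both 100:2001
!
interface GigabitEthernet0/1
 description Link to customer A CPE router (CsC-CE)
 ip vrf forwarding CARRIER-A
 ip address 192.0.2.1 255.255.255.252
 mpls bgp forwarding
!
router bgp 100
 address-family ipv4 vrf CARRIER-A
  neighbor 192.0.2.2 remote-as 65001
  neighbor 192.0.2.2 activate
! Exchange IPv4 routes together with MPLS labels (BGP label distribution).
  neighbor 192.0.2.2 send-label
! All customer sites use AS 65001; rewrite it so the other sites accept the routes.
  neighbor 192.0.2.2 as-override
! The provider only needs the customer's internal routes, so keep the limit low.
  neighbor 192.0.2.2 maximum-prefix 100 restart 5
 exit-address-family
!
! --- Customer A CPE router (AS 65001): a PE router in the customer's own MPLS/VPN ---
! Its VPNv4 routes go over an iBGP session to the other site's loopback (172.16.0.2),
! which is reachable through the provider as a labeled route; the provider never sees them.
interface Loopback0
 ip address 172.16.0.1 255.255.255.255
!
interface GigabitEthernet0/0
 description Link to service provider PE
 ip address 192.0.2.2 255.255.255.252
 mpls bgp forwarding
!
router bgp 65001
 neighbor 192.0.2.1 remote-as 100
 neighbor 172.16.0.2 remote-as 65001
 neighbor 172.16.0.2 update-source Loopback0
 !
 address-family ipv4
! Advertise this site's loopback with a label so the other sites can send
! labeled VPN traffic to it across the provider backbone.
  network 172.16.0.1 mask 255.255.255.255
  neighbor 192.0.2.1 activate
  neighbor 192.0.2.1 send-label
 exit-address-family
 !
 address-family vpnv4
  neighbor 172.16.0.2 activate
  neighbor 172.16.0.2 send-community extended
 exit-address-family
```

Whatever the CPE router advertises into the provider network ends up in VRF CARRIER-A only, so a misbehaving (or compromised) CPE router can at most disturb its own customer's VPN; the route target and label filters of the Inter-AS design are not needed because the provider never carries the customer's VPNv4 routes in the first place.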

Need more details?

No problem: all the designs mentioned above are described in my MPLS/VPN Architectures, Volume II; RFC 4364 is not a bad read either; and I'm always available for short consulting engagements.

1 comment:

Hi Ivan,

I would like to extend MPLS to CPE for the below reasons. Let me know please your thoughts on this.

1. Plug and play type of service.
2. Provision L2 (P2P) and L3 VPN quickly.
3. Different CPE port for different services.

There will be a maximum of 500 CPE. I am thinking of creating different OSPF leaf areas and keeping the number of CPE in one area below 40. Routing table size is not an issue as well (2k routes).

From a security point of view, I am planning to use MACsec on the PE (new P) to CE (new PE) link.

The stability of the CPE link is not a concern.

Any advice will be great.
