[c-nsp] MPLS VPN Question about PE-CE - Private or Public IP?

Andy Saykao andy.saykao at staff.netspace.net.au
Wed Aug 20 21:08:58 EDT 2008 

Well we don't have to worry about managing the CE side because this is
the customer's reponsibility, so gathering by what I've read so far,
using a public or private address space shouldn't matter.

I do agree with everyone that having a public address space for the
PE-CE link means that you'll never have to worry about what private
address space the customer is using on their LAN side. This is a nice
worry not to have :)

I also agree with Brandon that so long as you manage the address space
carefully across all of the links, it probably won't matter too much
whether you go with public or private.

Since my manager has already decided to use a private IP range for the
PE-CE link, we'll just have to take it case by case and hope we use an
obscure private range that no one else is using *fingers crosses*. If we
ever do encounter overlapping IP's and the customer can't change their
IP addressing scheme, I guess we can always pull out another obscure
private range to use.

Thanks for the interesting dicsussion.

Cheers.

Andy

-----Original Message-----
From: Christian MacNevin [mailto:christian.macnevin at gmail.com] 
Sent: Thursday, 21 August 2008 10:08 AM
To: Brandon Price
Cc: everton at lab.ipaccess.diveo.net.br; Andy Saykao;
cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] MPLS VPN Question about PE-CE - Private or Public
IP?

Because you can never guarantee what addresses your customers are going
to use, and you can't force them to renumber, because they're paying
you. And adopting a new strategy for each customer that breaks you just
isn't scaleable.


On Aug 20, 2008, at 4:59 PM, Brandon Price wrote:

Other than just saying "its bad" can you give some specifics as to the
problems you've run into using private addresses for PE-CE links? As
long as the SP hands out unique addresses across all of the links, what
does it matter whether they are "private" or "public" ?


Brandon

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Christian
MacNevin
Sent: Wednesday, August 20, 2008 11:13 AM
To: everton at lab.ipaccess.diveo.net.br
Cc: Andy Saykao; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] MPLS VPN Question about PE-CE - Private or Public
IP?

Agree with everyone who's agreed with point 5 :)

I've been in MPLS SPs for years and regretted every time I've seen
somebody try and use private space for management.


On Aug 20, 2008, at 9:47 AM, Everton da Silva Marques wrote:

> On Wed, Aug 20, 2008 at 11:19:43AM +1000, Andy Saykao wrote:
>> Just wondering from those in the know, whether it's best practice to 
>> implement public or private IP's for the PE-to-CE link. What's 
>> everyone using and why?
>
> There is a kind of best practices in a presentation from Cisco 
> Networkers 2008. Slide 83 content is reproduced below.
>
> Cisco Networkers 2008
> BRKIPM-2001: Deploying MPLS VPN Networks by Dirk Schroetter
>
> Best Practices
>
> 1. Use RR to scale BGP; deploy RRs in pair for the redundancy Keep RRs

> out of the forwarding paths and disable CEF (saves memory)
>
> 2. RT and RD should have ASN in them i.e. ASN: X Reserve first few 
> 100s of X for the internal purposes such as filtering
>
> 3. Consider unique RD per VRF per PE, if load sharing of VPN traffic 
> is required
>
> 4. Don't use customer names as the VRF names; nightmare for the NOC.
> Use simple combination of numbers and characters in the VRF name For 
> example: v101, v102, v201, v202, etc. Use description.
>
> 5. PE-CE IP address should come out of SP.s public address space to 
> avoid overlapping Use /31 subnetting on PE-CE interfaces
>
> 6. Define an upper limit at the PE on the number of prefixes received 
> from the CE for each VRF or neighbor Max-prefix within the VRF 
> configuration; Do suppress the inactive routes.
> Max-prefix per neighbor within the BGP VRF af (if BGP on the PE-CE)
>
> Hope this helps,
> Everton
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net 
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


______________________________________________________________________
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email
______________________________________________________________________

This email and any files transmitted with it are confidential and intended
 solely for the use of the individual or entity to whom they are addressed. 
Please notify the sender immediately by email if you have received this 
email by mistake and delete this email from your system. Please note that
 any views or opinions presented in this email are solely those of the
 author and do not necessarily represent those of the organisation. 
Finally, the recipient should check this email and any attachments for 
the presence of viruses. The organisation accepts no liability for any 
damage caused by any virus transmitted by this email.

More information about the cisco-nsp mailing list