[c-nsp] Customer MPLS + VPN + BGP config

Josh usenetspamtrap at yahoo.com
Fri Mar 30 15:04:42 EST 2007


I'm looking for some input about best practices and
things to watch out for as we implement MPLS
connections between our offices.  This is long-winded,
but hopefully it answers all the questions.

I know that I can make this work any number of ways,
but am looking for experience about what routes are
likely to be maintenance nightmares, or paint us into
a corner for the future.

We have three hub sites and about 10 remote sites. 
The hub sites have a core network, firewall and
external network (connects to edge devices, outside of
firewall, outside of VPN router).  The remote sites
have a router for internet+vpn, that connects to an L2
switch for LAN access, and would add another router
connected to MPLS to increase redundancy in these
locations.

We run EIGRP throughout, although it does not go
through the firewall, so we use static routes on the
firewall and edge equipment.

The basic requirements are:
* Internal traffic uses MPLS when available
* VPN unused unless MPLS is down
* Default route over MPLS if the internet/VPN link is
down
(We are not doing internet access on the MPLS link, as
I don't like that from a security or design
perspective.)

The MPLS equipment will run eBGP as that is the only
option (aside from static routes).

Options:
1) Continue with EIGRP throughout, eBGP on MPLS
The redistribution factors (bandwidth/delay/etc) would
be set so that MPLS routes have a better metric than
VPN.  This would require announcing all routes, rather
than just site routes.  There isn't a performance
issue (~100 routes), but it seems like an overall bad
practice.

At one point I felt like this was a concern because we
wouldn't have deterministic routing (EIGRP could
theoretically send traffic over the VPN), but after
reflection I think I'm just not trusting the routing
protocol enough.  I should be able to redistribute
from eBGP with a metric that the VPN would never beat,
right (unless something was already really broken)?

2) Run iBGP on the VPN, EIGRP internally, eBGP on MPLS
Using iBGP means that the IGP or eBGP routes would be
preferred locally which is good.  It means different
equipment at each site would have different ASNs
configured, which could be bad practice (one option is
running the same ASN and having the carrier do ASN
translation, but that seems even worse practice?).

3) Run eBGP on both links AND cores
Here we could use as-path or other options to prefer
the MPLS routes.  Strictly speaking, we wouldn't even
need to run an IGP.

Unrelated to the above choices, I have to figure out
how to get the default route from the edge routers to
the core (through the firewall) at each hub site.  I
can change to OSPF and run it on the firewall, or do
something funky to tunnel the routing protocol over
the firewall.  I don't like running a routing protocol
on the firewall very much, but the tunneling option
looks strange too.  If we are doing option 3 above, we
could run BGP and wouldn't need to tunnel, so that's
another option (we just need the default, not full
feeds).

TIA
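An added example of option 1 on a remote-site MPLS router, written for this page and not taken from the post above. All values are assumptions: EIGRP AS 100, local BGP AS 65010, carrier PE 192.0.2.1 in AS 65000, site LAN 10.10.0.0/16, company space 10.0.0.0/8, interface names as shown. It advertises only the site prefix (a network statement rather than EIGRP-to-BGP redistribution, so nothing beyond the site routes is announced), filters what is accepted from the carrier, and seeds the redistributed routes with a metric the VPN tunnel cannot match. It also carries the check a practitioner would want on that metric: IOS installs EIGRP internal routes at administrative distance 90 and external (redistributed) routes at 170, and the RIB compares distance before metric, so a prefix learned internally over the VPN would otherwise win on the VPN router no matter how good the seed metric is. The distance command at the end is one way to let the MPLS path win; it assumes BGP is the only source of EIGRP external routes and has to be applied consistently on every EIGRP router.

```cisco
! Added example (not the original poster's config). Remote-site MPLS
! router, option 1: EIGRP throughout, eBGP to the carrier.
! Assumed: EIGRP AS 100, BGP AS 65010, carrier PE 192.0.2.1 (AS 65000),
! site LAN 10.10.0.0/16 on Gi0/1, carrier link on Gi0/0.
!
interface GigabitEthernet0/0
 description MPLS carrier PE (assumed addressing)
 ip address 192.0.2.2 255.255.255.252
!
interface GigabitEthernet0/1
 description site LAN
 ip address 10.10.0.2 255.255.0.0
!
! Announce only this site's prefix toward the carrier.
ip prefix-list SITE-PREFIXES seq 10 permit 10.10.0.0/16
!
! Accept only company space and a default from the carrier, so a
! mis-provisioned carrier VPN cannot inject arbitrary prefixes.
ip prefix-list CORP-IN seq 10 permit 10.0.0.0/8 le 24
ip prefix-list CORP-IN seq 20 permit 0.0.0.0/0
!
route-map SITE-OUT permit 10
 match ip address prefix-list SITE-PREFIXES
!
route-map CORP-IN permit 10
 match ip address prefix-list CORP-IN
!
router bgp 65010
 bgp log-neighbor-changes
 ! network statement, not redistribute eigrp: only the site route
 ! is originated, so the rest of the EIGRP table never leaks out.
 network 10.10.0.0 mask 255.255.0.0
 neighbor 192.0.2.1 remote-as 65000
 neighbor 192.0.2.1 route-map CORP-IN in
 neighbor 192.0.2.1 route-map SITE-OUT out
!
router eigrp 100
 network 10.10.0.0 0.0.255.255
 no auto-summary
 ! Never speak EIGRP toward the carrier.
 passive-interface GigabitEthernet0/0
 ! Seed metric for the eBGP-learned hub/remote prefixes (and the
 ! default, if a hub sends one): bandwidth 100000 kbit, delay 10
 ! (tens of usec), reliability 255, load 1, MTU 1500. Far better than
 ! any tunnel interface will report.
 redistribute bgp 65010 metric 100000 10 255 1 1500
 ! Caveat: the seed metric alone is not enough. Redistributed routes
 ! are EIGRP external (default distance 170); the same prefix learned
 ! over the VPN tunnel is EIGRP internal (distance 90), and the RIB
 ! prefers the lower distance before it ever looks at the metric.
 ! Setting external below internal makes the MPLS-sourced route win
 ! while MPLS is up and the VPN route take over when it is withdrawn.
 ! Apply this on every EIGRP router; it affects all external routes.
 distance eigrp 90 80
```

Locally the MPLS router needs no such help: its eBGP routes (distance 20) already beat anything EIGRP offers. The distance change matters on the VPN router and in the hub cores, which see the MPLS path only as redistributed external routes.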
