[c-nsp] internal enterprise MPLS/VRF recommendations

David Freedman david.freedman at uk.clara.net
Fri Feb 1 06:24:23 EST 2008


Higham, Josh wrote:
> I have a couple of internal groups that need some level of private
> connectivity within our network, and I'm looking at some high level
> input about the various options.
> 
> We currently have an MPLS network between most sites, with IPSEC
> connectivity for a few minor sites as well as backup for all locations.
> Number of sites is small and will stay in that range (10-20).
> 
> We need to be able to connect networks internally, but maintain
> security.  One example is guest networks, which must be able to traverse
> the internal network to have internet redundancy, as well as hit DMZ
> servers at all locations.  We also have some internal non-network labs
> that need to be connected across sites without impacting the production
> network.

Sounds like multiple VRFs: deploy multiple VRFs at each site and have
them follow the default back to devices which can groom the VRFs out and
route between them (perhaps applying ACLs or firewall policy).
You can distribute these devices so as to improve performance (follow
least cost IGP path to next hop for egress from VRF) and give you a bit
of redundancy.


> 
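One way the layout described in the reply could look in classic IOS "ip vrf" syntax, as an added example that is not part of the original post and not the author's configuration. The VRF names, AS 65000, route-targets, interface names and the 192.0.2.x / 198.51.100.x addresses are all assumptions chosen for illustration.

```cisco
! --- Every PE that carries these VRFs (site PEs and grooming PEs) ---
! GUEST and LAB share no route-target, so no prefix leaks between them.
ip vrf GUEST
 rd 65000:100
 route-target both 65000:100
!
ip vrf LAB
 rd 65000:200
 route-target both 65000:200
!
! --- Site PE only: attach the local segment to its VRF ---
interface GigabitEthernet0/2
 description guest LAN at this site (constructed example)
 ip vrf forwarding GUEST
 ip address 198.51.100.1 255.255.255.0
!
! --- Grooming PE only: one subinterface per VRF towards the firewall ---
interface GigabitEthernet0/1.100
 encapsulation dot1Q 100
 ip vrf forwarding GUEST
 ip address 192.0.2.1 255.255.255.252
!
interface GigabitEthernet0/1.200
 encapsulation dot1Q 200
 ip vrf forwarding LAB
 ip address 192.0.2.5 255.255.255.252
!
! Per-VRF default points at the firewall, which holds the inter-VRF policy.
ip route vrf GUEST 0.0.0.0 0.0.0.0 192.0.2.2
ip route vrf LAB 0.0.0.0 0.0.0.0 192.0.2.6
!
! Originate that default into each VRF so remote sites follow it here.
! (Site PEs would carry "redistribute connected" in these address
! families instead of the network statement.)
router bgp 65000
 address-family ipv4 vrf GUEST
  network 0.0.0.0
 exit-address-family
 address-family ipv4 vrf LAB
  network 0.0.0.0
 exit-address-family
```

With the same default originated from two or more grooming PEs, each site PE prefers the one whose BGP next hop has the lowest IGP cost. Traffic between GUEST and LAB can only cross at the firewall, since neither VRF imports the other's route-target.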


