[c-nsp] internal enterprise MPLS/VRF recommendations

Higham, Josh jhigham at epri.com
Thu Jan 31 18:12:47 EST 2008


I have a couple of internal groups that need some level of private
connectivity within our network, and I'm looking for some high-level
input about the various options.

We currently have an MPLS network between most sites, with IPSEC
connectivity for a few minor sites as well as backup for all locations.
Number of sites is small and will stay in that range (10-20).

We need to be able to connect networks internally, but maintain
security.  One example is guest networks, which must be able to traverse
the internal network to have internet redundancy, as well as hit DMZ
servers at all locations.  We also have some internal non-network labs
that need to be connected across sites without impacting the production
network.

We do have a fair amount of control to dictate the limits of what can be
handled.  While we could use full MPLS and have complete transparency,
it is also possible to just restrict the traffic to certain networks.
However, it'd be nice to build it fairly flexibly from the ground up.

There are several options that I can think of, but I would like input
about the weaknesses or complexity and any options that I might be
missing.

1) ACLs on interfaces, but route traffic as normal
2) L2TPv3 tunnels
3) VRF at each site, route between sites normally
4) VRF at each site with GRE tunnels between
5) MPLS carried internally as well as externally
6) ... ?

Thanks for your help,
Josh
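As an added illustration of option 4 in the list above (a VRF at each site, GRE tunnels between them), here is an editor's sketch of what the two ends look like in Cisco IOS. It is not from the original post or from any reply on the list. The router roles, the VRF name GUEST, the route distinguisher, the interface names and all addresses (RFC 5737 / RFC 1918 ranges) are assumptions chosen for the example. The point it shows is that the guest LANs and the tunnel interface live only in the GUEST table, while the tunnel endpoints and the existing inter-site link stay in the global (production) table, so guest prefixes never appear in the production routing table and production prefixes are not reachable from the guest VRF unless a route is deliberately leaked into it.

```cisco
! ---- Site A router (hypothetical) ----
ip vrf GUEST
 rd 65000:100
!
! Underlay: the existing inter-site link stays in the global routing table.
interface GigabitEthernet0/0
 description WAN toward site B (global table)
 ip address 192.0.2.1 255.255.255.252
!
! GRE tunnel to site B. The tunnel source/destination are resolved in the
! global table; the tunnel interface itself is placed in the GUEST VRF.
interface Tunnel100
 description GUEST VRF overlay to site B
 ip vrf forwarding GUEST
 ip address 10.255.100.1 255.255.255.252
 ip mtu 1400
 tunnel source GigabitEthernet0/0
 tunnel destination 192.0.2.2
!
! Guest LAN at site A, in the GUEST VRF only.
interface GigabitEthernet0/1
 description Guest wireless
 ip vrf forwarding GUEST
 ip address 10.100.1.1 255.255.255.0
!
! Routes that exist only in the GUEST table.
! Site B's guest LAN is reached across the tunnel.
ip route vrf GUEST 10.100.2.0 255.255.255.0 Tunnel100
! Primary internet exit: local guest-facing firewall (assumed at .254).
ip route vrf GUEST 0.0.0.0 0.0.0.0 10.100.1.254
! Floating static (AD 250): fall back to site B's exit across the tunnel.
ip route vrf GUEST 0.0.0.0 0.0.0.0 Tunnel100 250
!
! ---- Site B router (hypothetical), the mirror image ----
ip vrf GUEST
 rd 65000:100
!
interface GigabitEthernet0/0
 description WAN toward site A (global table)
 ip address 192.0.2.2 255.255.255.252
!
interface Tunnel100
 description GUEST VRF overlay to site A
 ip vrf forwarding GUEST
 ip address 10.255.100.2 255.255.255.252
 ip mtu 1400
 tunnel source GigabitEthernet0/0
 tunnel destination 192.0.2.1
!
interface GigabitEthernet0/1
 description Guest wireless
 ip vrf forwarding GUEST
 ip address 10.100.2.1 255.255.255.0
!
ip route vrf GUEST 10.100.1.0 255.255.255.0 Tunnel100
ip route vrf GUEST 0.0.0.0 0.0.0.0 10.100.2.254
ip route vrf GUEST 0.0.0.0 0.0.0.0 Tunnel100 250
```

To check the separation after applying it: `show ip route vrf GUEST` should list only the 10.100.x.x, 10.255.100.0/30 and default entries, `show ip route` (global) should contain none of them, and `ping vrf GUEST 10.100.2.1` from site A should succeed while a plain `ping 10.100.2.1` (global table) should not. Two caveats a practitioner would want: the tunnel destination must be reachable in the global table and must never become reachable through the tunnel itself, or the tunnel flaps on recursive routing; and a floating static only takes over when the tunnel line protocol drops, so for real internet redundancy you would normally run an IGP inside the GUEST VRF across the tunnel rather than rely on statics.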
