[c-nsp] Internet vrf, pros and cons

Tomas Daniska tomas at soitron.com
Tue May 6 07:10:22 EDT 2008



> 
> Hi
> We are going to deploy a new MPLS network which will be used for Internet
> customers and IP/VPN customers. I understand that there are two options
> with running these networks:
> 1. Run the internet natively across all boxes and secure them down against
> DoS attacks etc
> 2. Create an Internet VRF whereby all internet traffic is simply seen as a
> large IPVPN network, thereby utilising some of the inherent security
> factors associated with IPVPNS
> My question is whether anyone has other pros and cons from real life
> experience, associated with the two options previously stated.
> I would like to add that the platforms will be provisionally Cisco 6500s
> with SUP720s (edge) and Cisco XR 12406's (core)
> Regards
> Mark
> 
 
You can do that, I did it for one customer on a 12k/7k6 network and it works. You did not mention whether you want to do default routing or full BGP in the VPN. Having the latter on 6k5/7k6 (although supported by -XL hardware) brings some serious limitations to the network, as BGP/prefix/TCAM/whatever else processing on the platform is far from optimal. Consider this especially if anything like fast convergence is your goal. But then - yes, there's so many nice thingies on having inet in VPN...

And then - the folks still have some issues when the full-BGP VRF on the 7k6 occasionally stops forwarding anything, but that probably is a different story.

--

deejay


