[c-nsp] MPLS
Ivan Pepelnjak
ip at ioshints.info
Sat May 30 12:12:02 EDT 2009

Absolutely agree with Bruce. For your particular setup, it would be best to
use two pseudowires (A-B and B-C) and run your own routing protocol over
them. This would (worst case, try to avoid) also allow you to transport
non-IP LAN data between sites (I don't know what DS8100 can do). However,
keep in mind that VPWS or VPLS are not 100% reliable (you might experience
packet drops, jitter or congestion), so check what's acceptable with your
SAN vendor.

As for security: don't rely on the "MPLS/VPN is secure" pamphlets published
by vendors and "independent" labs. MPLS VPN is undoubtedly infinitely better
than public Internet, but if you need true security, use IPSEC. More details
here:
http://blog.ioshints.info/2009/04/true-or-false-mpls-vpns-offer.html

Hope this helps
Ivan
http://www.ioshints.info/about
http://blog.ioshints.info/

> -----Original Message-----
> From: Bruce Pinsky [mailto:bep at whack.org]
> Sent: Friday, May 29, 2009 6:27 PM
> To: madunix
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] MPLS
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> madunix wrote:
> > I have 3x sites with DS8100 SAN Storage at each side, I will be
> > replicating data from one side to another (A - B, synchronous,
> > distance 100Km) and (B-C, asynchronous, 300Km). Am thinking to use
> > MPLS based on IP-VPN since it's secure and not visible to other
> > customers or internet.
> > Out of your experience ...what do you think about ?
> >
>
> Well, it's not "secure", it's simply routing isolated. If
> you want security, as in encryption, you will need to do that
> on your own.
>
> If you need low convergence times, MPLS/VPN is probably not
> your best choice. I don't know of many (if any) providers
> who will guarantee the convergence times through their
> network. You should expect convergence times in the 10's of
> seconds or more for certain types of failures.
>
> You may want to consider getting an L2VPN solution such as
> VPWS or VPLS and running your own routing protocol and
> failure detection methods.
>
> - --
> =========
> bep
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iEYEARECAAYFAkogDOQACgkQE1XcgMgrtyZGgQCfWiGT5lRQBBLSfgG20sBbXsHr
> 0mIAoNr/tvJ7D+aP19LhTzlz2e6aJjXP
> =Cr6s
> -----END PGP SIGNATURE-----
>
>