[c-nsp] Best Practices for connecting MPLS core to Internet?

Ross Halliday ross.halliday at wtccommunications.ca
Thu Aug 4 15:11:15 EDT 2011


Hello list,

We're working on getting ourselves over to an MPLS core and I've hit a bit of a snag with how we're going to actually connect it to the Internet. Our current setup is very simple: We run eBGP on an edge router with a public ASN and our IGP is OSPF. Of course with MPLS we're looking at running BGP everywhere.

My first thought was to have MPLS running on our box that does all of the Internet peering, a 6509 on SUP720-3BXL, that downloads the 300,000+ routes from three peers into an "internet" VRF. Access for the "internet" VRF on the rest of the network would be accomplished by advertising a 0.0.0.0/0 route as a VPNv4 prefix and use BGP AS 23252 all over the place, just letting MP-iBGP on the core take care of things. I got the default route part working great but after learning more about how the Internet routes get installed into TCAM I realize that the whole Internet-in-a-VRF-with-MPLS isn't going to work very well unless we pony up some big bucks.

So my next idea is to break off the Internet-facing box and run it like a big, fat CE. Have the full feeds dump into an "internet" VRF (keeping traffic away from core infrastructure) as our real public ASN, and then eBGP peering with a PE/P router on our MPLS core to distribute only a default route. That router would only advertise our real allocated prefixes as our real ASN without any other hops in the path, and the eBGP session to the private PE would be configured as in http://blog.ioshints.info/2007/11/bgp-default-route.html. The setup would look like:
                                                           
                                                    /-> AS 64512
full feeds--> AS 9 <--eBGP--> AS 64512 <--iBGP VPNv4--> AS 64512
                                                    \-> AS 64512

It seems to simplify things as the router with AS9 won't obliterate its TCAM with MPLS labels, and (unless I am mistaken) I can kill VPNv4 prefix generation by omitting the "route-target export" command within the VRF config itself.

As for linking to downstream customers, my thoughts are that if one requires a full feed, we can do eBGP multihop or an EoMPLS tunnel directly to the system with AS9. More common for us, however, would be a subscriber who simply wants to link multiple sites through our network; either multiple links with 0/0 routes for redundancy, or maybe it's a VPN.

What I'd like to do is present our entire core as our public AS. It seems cleaner to me to just stick with one AS facing towards third parties, as well as reducing the chances of a collision in the small private AS space. For setting up peering to a downstream customer, I've seen some commands floating around like:

	neighbor 1.2.3.4 local-as 9 no-prepend replace-as
	neighbor 1.2.3.4 remove-private-as

Does this all sound right to you folks? Am I completely insane? Should I even bother hiding the private AS number? I think this will accomplish my goal but I'd like to hear what other people are doing. Most of this stuff I've learned/thought about since getting to work this morning so go easy on me, heheh.

Thanks
Ross
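
[Editor's note] Below is an added configuration sketch of the design described in the post (the AS 9 box as a big CE feeding only a default into the core, and a PE fronting a downstream customer as AS 9). It is example config written for this page, not config from Ross or from the list, and it is untested. Everything address-related is a placeholder: RFC 5737 documentation space for the INET-PE1 and customer links (198.51.100.0/30 and .4/30), 192.0.2.0/30 for one upstream link, 203.0.113.0/24 as the customer's own prefix, 10.255.0.1 as a core route reflector, and AS 64497 (upstream) and AS 64496 (customer) as stand-in ASNs. The prefix-list names are likewise invented.

```cisco
!===================================================================
! Router INET: the 6509 holding the full feeds, AS 9, run as a CE.
! Link INET--PE1 is 198.51.100.0/30 (INET .1, PE1 .2); the upstream
! sits at 192.0.2.1; our own allocation is 198.51.100.0/24.
!===================================================================
ip vrf internet
 rd 9:100
 ! deliberately no "route-target export": nothing in this VRF is
 ! ever exported as a VPNv4 prefix, so no labels for 300k routes
!
ip prefix-list DEFAULT-ONLY seq 5 permit 0.0.0.0/0
! what we are willing to announce to the world: our block plus the
! transit customer's block, nothing learned from other peers
ip prefix-list ANNOUNCE-UPSTREAM seq 5 permit 198.51.100.0/24
ip prefix-list ANNOUNCE-UPSTREAM seq 10 permit 203.0.113.0/24
! what the core may hand back to us: our own more-specifics and the
! customer's block; in particular never a default route
ip prefix-list FROM-CORE seq 5 permit 198.51.100.0/24 le 32
ip prefix-list FROM-CORE seq 10 permit 203.0.113.0/24
!
ip route vrf internet 198.51.100.0 255.255.255.0 Null0
!
router bgp 9
 no bgp default ipv4-unicast
 address-family ipv4 vrf internet
  network 198.51.100.0 mask 255.255.255.0
  ! upstream: full table in, only ANNOUNCE-UPSTREAM out
  neighbor 192.0.2.1 remote-as 64497
  neighbor 192.0.2.1 activate
  neighbor 192.0.2.1 prefix-list ANNOUNCE-UPSTREAM out
  neighbor 192.0.2.1 remove-private-as
  ! PE1: originate a default toward the core and send nothing else
  neighbor 198.51.100.2 remote-as 64512
  neighbor 198.51.100.2 activate
  neighbor 198.51.100.2 default-originate
  neighbor 198.51.100.2 prefix-list DEFAULT-ONLY out
  neighbor 198.51.100.2 prefix-list FROM-CORE in
!
!===================================================================
! Router PE1 (AS 64512): takes the default from INET into VRF
! "internet", exports it as VPNv4 for the other PEs, and faces a
! downstream customer (AS 64496, link 198.51.100.4/30, PE1 .5,
! customer .6) that only wants a default. The VPNv4 session to the
! route reflector 10.255.0.1 is assumed to already exist.
!===================================================================
ip vrf internet
 rd 64512:100
 route-target export 64512:100
 route-target import 64512:100
!
ip prefix-list DEFAULT-ONLY seq 5 permit 0.0.0.0/0
ip prefix-list CUST-A seq 5 permit 203.0.113.0/24
!
router bgp 64512
 no bgp default ipv4-unicast
 neighbor 10.255.0.1 remote-as 64512
 neighbor 10.255.0.1 update-source Loopback0
 address-family vpnv4
  neighbor 10.255.0.1 activate
  neighbor 10.255.0.1 send-community extended
 address-family ipv4 vrf internet
  ! INET: accept the default and nothing else
  neighbor 198.51.100.1 remote-as 9
  neighbor 198.51.100.1 activate
  neighbor 198.51.100.1 prefix-list DEFAULT-ONLY in
  ! customer A: the session presents itself as AS 9, 64512 never
  ! shows up in AS_PATH, and the customer gets exactly one route
  neighbor 198.51.100.6 remote-as 64496
  neighbor 198.51.100.6 activate
  neighbor 198.51.100.6 local-as 9 no-prepend replace-as
  neighbor 198.51.100.6 remove-private-as
  neighbor 198.51.100.6 default-originate
  neighbor 198.51.100.6 prefix-list DEFAULT-ONLY out
  ! only the customer's registered block, capped in size
  neighbor 198.51.100.6 prefix-list CUST-A in
  neighbor 198.51.100.6 maximum-prefix 10
  ! session hardening: TCP MD5 and GTSM on a directly connected peer
  neighbor 198.51.100.6 password REPLACE-ME
  neighbor 198.51.100.6 ttl-security hops 1
```

Two checks worth running once this is up. On PE1, "show ip bgp vpnv4 vrf internet neighbors 198.51.100.6 advertised-routes" should list 0.0.0.0/0 and nothing else, and the customer's side should see that default with an AS path of 9. On INET, "show ip bgp vpnv4 vrf internet neighbors 192.0.2.1 advertised-routes" should list only the ANNOUNCE-UPSTREAM prefixes; look at the AS path column for the customer block, because on many IOS releases "remove-private-as" only strips private ASNs when every ASN in the path is private, so a path like "64512 64496" can leak the private AS unless the AS 9 box originates an aggregate for that space itself.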