[c-nsp] Best Practices for connecting MPLS core to Internet?

Mark Tinka mtinka at globaltransit.net
Fri Aug 5 12:33:45 EDT 2011


On Friday, August 05, 2011 03:11:15 AM Ross Halliday wrote:

> Does this all sound right to you folks? Am I completely
> insane? Should I even bother hiding the private AS
> number? I think this will accomplish my goal but I'd
> like to hear what other people are doing. Most of this
> stuff I've learned/thought about since getting to work
> this morning so go easy on me, heheh.

It's possible that I could be misunderstanding what you're 
trying to do, but this sounds overly complex for what you're 
trying to achieve.

Is there any particular reason why you want to run the 
Internet in a VRF, regardless of scope?

Since you're looking to run iBGP on all your edge routers 
anyway, why aren't you looking at running the Internet in 
the global table, and just distribute it to the edge routers 
via iBGP (you've already identified numerous issues with 
trying to squeeze the Internet routing table in an L3VPN 
VRF).

You would then use your public ASN everywhere and not have 
to worry about private ASNs and stripping them toward eBGP 
neighbors, etc.

You could make your life easier by having a route reflector 
in your network to distribute BGP routes among your internal 
routers. These can be dedicated units or come from your 
existing infrastructure today.

I certainly wouldn't be keen on letting customers use my 
border router as an edge router. This would just kill your 
demarcation if you're worried about such things, and 
complicate your BGP routing policy and topology if you have 
other border routers talking to other upstreams, etc. 
Also, criss-crossing EoMPLS tunnels across the network to 
connect customers to indirect boxes sounds more complex than 
is necessary.

Again, it's possible I'm misunderstanding the problem you're 
trying to solve, but based on what I've read, your solution 
sounds too complicated. What we do is:

	o Perimeter routers run MPLS, an IGP, eBGP and iBGP.
	  These perimeter routers can be:

		- border routers.
		- public peering routers.
		- private peering routers.
		- edge routers.
		- RTBH routers.
		- MPLS-capable Access switches.
		- etc.

	  In MPLS terms, these are PE routers.

	o Core routers, which tend to run MPLS, an IGP and
	  BGP for IPv6 only. No BGP for IPv4. All IPv4
	  packet forwarding is done purely via MPLS. In MPLS
	  terms, these are P routers. 

	o Route reflectors, which tend to run an IGP and
	  iBGP only. No MPLS.

	o Everything runs under our public ASN.

	o Customers connect to and peer with us at the edge.

	o Border/peering routers do only that, peer with
	  upstreams, exchange point and private peers.

It works! It's advanced, but simple.

Mark.
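The three roles Mark lists (PE, P, route reflector) with the Internet table carried in the global table over iBGP, sketched as an added Cisco IOS configuration example. This is not configuration from the original post or from any vendor document: AS 64496 and AS 64511 are documentation ASNs standing in for the provider's public ASN and a customer ASN, the hostnames and interface names are invented, and all addresses come from the RFC 5737 documentation ranges.

```cisco
! ---- PE1: edge router (constructed example) ----
! Runs an IGP (OSPF), LDP/MPLS toward the core, eBGP to the customer
! and iBGP to the route reflector, all under the public ASN.
hostname PE1
!
interface Loopback0
 ip address 192.0.2.1 255.255.255.255
!
interface GigabitEthernet0/0
 description core link to P1
 ip address 198.51.100.1 255.255.255.252
 ip ospf network point-to-point
 mpls ip
!
interface GigabitEthernet0/1
 description customer link (customer in AS 64511, constructed)
 ip address 198.51.100.9 255.255.255.252
!
router ospf 1
 router-id 192.0.2.1
 network 192.0.2.1 0.0.0.0 area 0
 network 198.51.100.0 0.0.0.3 area 0
!
mpls ldp router-id Loopback0 force
!
router bgp 64496
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 neighbor 192.0.2.254 remote-as 64496
 neighbor 192.0.2.254 description iBGP to route reflector RR1
 neighbor 192.0.2.254 update-source Loopback0
 neighbor 198.51.100.10 remote-as 64511
 neighbor 198.51.100.10 description eBGP customer
 !
 address-family ipv4
  neighbor 192.0.2.254 activate
  ! loopback becomes the BGP next hop, so P routers only need the
  ! IGP route to 192.0.2.1 plus its LDP label, never the Internet table
  neighbor 192.0.2.254 next-hop-self
  neighbor 198.51.100.10 activate
  ! only accept the prefix the customer is entitled to announce
  neighbor 198.51.100.10 prefix-list CUST1-IN in
  neighbor 198.51.100.10 maximum-prefix 10
 exit-address-family
!
ip prefix-list CUST1-IN seq 5 permit 203.0.113.0/24
ip prefix-list CUST1-IN seq 100 deny 0.0.0.0/0 le 32

! ---- P1: core router (constructed example) ----
! IGP plus LDP only; there is deliberately no "router bgp" stanza,
! so P1 never holds Internet prefixes. IPv4 transit is label switched.
! (The post also runs IPv6 BGP on P routers; omitted in this IPv4 sketch.)
hostname P1
!
interface Loopback0
 ip address 192.0.2.100 255.255.255.255
!
interface GigabitEthernet0/0
 description link to PE1
 ip address 198.51.100.2 255.255.255.252
 ip ospf network point-to-point
 mpls ip
!
interface GigabitEthernet0/1
 description link to RR1
 ip address 198.51.100.5 255.255.255.252
 ip ospf network point-to-point
!
router ospf 1
 router-id 192.0.2.100
 network 192.0.2.100 0.0.0.0 area 0
 network 198.51.100.0 0.0.0.7 area 0
!
mpls ldp router-id Loopback0 force

! ---- RR1: route reflector (constructed example) ----
! IGP plus iBGP only, no MPLS: it reflects routes between PEs and is
! not in the forwarding path.
hostname RR1
!
interface Loopback0
 ip address 192.0.2.254 255.255.255.255
!
interface GigabitEthernet0/0
 description link to P1
 ip address 198.51.100.6 255.255.255.252
 ip ospf network point-to-point
!
router ospf 1
 router-id 192.0.2.254
 network 192.0.2.254 0.0.0.0 area 0
 network 198.51.100.4 0.0.0.3 area 0
!
router bgp 64496
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 neighbor 192.0.2.1 remote-as 64496
 neighbor 192.0.2.1 description iBGP client PE1
 neighbor 192.0.2.1 update-source Loopback0
 !
 address-family ipv4
  neighbor 192.0.2.1 activate
  neighbor 192.0.2.1 route-reflector-client
 exit-address-family
```

A border or peering PE is configured the same way as PE1, with its eBGP neighbor being the upstream or exchange peer instead of a customer; every additional PE is simply another route-reflector-client on RR1. A useful check after bringing this up is `show ip bgp summary` on P1, which should return nothing because no BGP process exists there, while `show mpls forwarding-table` on P1 should show labels for the PE loopbacks.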