[c-nsp] Best Practices for connecting MPLS core to Internet?
Ross Halliday
ross.halliday at wtccommunications.ca
Mon Aug 8 10:43:19 EDT 2011
Very much appreciate the feedback, you raise some valid points and introduce a few neat ideas to me.
> It's possible that I could be misunderstanding what you're
> trying to do, but this sounds overly complex for what you're
> trying to achieve.
Unfortunately I think I haven't communicated our scale very well. Most of the network is a single 6509 at a telephone central office with equipment hanging off of it. The primary goal is to carry voice traffic around. Our data subscribers are typically residential and small businesses; the average for "high end" is a /29 sent to their Fortigate or SonicWall.
We're looking at a gear list like:
1x 6509 for Internet connectivity
7x 6509 as MPLS P/PE wonder boxes
1x 7204 VXR NPE-G2 in a colo somewhere as MPLS P/PE (P-router except for a single EoMPLS)
?x assorted 7200s as PEs for T1s and PPPoE
We have a very small amount of customers that would consider a demarcation point anything other than a jack on a wall. Most of our deployed CEs consist of 2900 switches, with some 2620s where T1s appear.
> Is there any particular reason why you want to run the
> Internet in a VRF, regardless of scope?
My reasoning behind this is for management access. I very much like the idea of keeping any management networks away from Internet networks on an edge device. Compounding this, the software train we're using (12.2(33)SXI) has pretty lame VRF support for management protocols, which rules out the reverse of having management in a VRF and Internet in the global.
> Since you're looking to run iBGP on all your edge routers
> anyway, why aren't you looking at running the Internet in
> the global table, and just distribute it to the edge routers
> via iBGP (you've already identified numerous issues with
> trying to squeeze the Internet routing table in an l3vpn
> VRF).
>
> You would then use your public ASN everywhere and not have
> to worry about private ASNs and stripping them toward eBGP
> neighbors, etc.
I had thought about that - keeping the same ASN and using iBGP - but it seems to me that I'd need to not only set up the base VPNv4 stuff across the MPLS core but also additional peering from the Internet-connected system to the "internet" VRF on every single PE out there. It's definitely a possibility but seems pretty clunky to me.
> You could make your life easier by having a route reflector
> in your network to distribute BGP routes among your internal
> routers. These can be dedicated units or come from your
> existing infrastructure today.
I'll have to look more into route reflectors and what they can do. Like I wrote before, we're learning quite a bit :)
> I certainly wouldn't be keen on letting customers use my
> border router as an edge router. This would just kill your
> demarcation if you're worried about such things, and
> complicate your BGP routing policy and topology if you have
> other border routers talking to other upstreams, etc.
> Also, criss-crossing EoMPLS tunnels across the network to
> connect customers to indirect boxes sounds more complex than
> is necessary.
On a larger network I'd definitely agree. However most of those 6509s I mentioned above are SUP720-3B non-XL so can't hold an Internet view anyway. At present we have only one customer that actually needs a full feed. Might grow that to two customers one of these days... ;)
Thanks a lot for your input.
Cheers
Ross
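The global-table-plus-route-reflector design suggested in the quoted reply, written out as an added IOS illustration that is not from the original thread: a dedicated route reflector carries the Internet table to the PEs over iBGP in the global table, the same sessions carry VPNv4 for the L3VPNs, and one public ASN is used end to end so nothing has to be stripped toward the upstream. The ASNs (64496/64500), loopback and upstream addresses, and the prefix-list are assumptions; the management-separation question raised in the reply is left aside.

```cisco
! --- RR1: dedicated route reflector (64496 stands in for the public ASN) ---
router bgp 64496
 bgp router-id 10.0.0.1
 bgp log-neighbor-changes
 ! 10.0.0.2 is the Internet-facing 6509, 10.0.0.11 is a PE
 neighbor 10.0.0.2 remote-as 64496
 neighbor 10.0.0.2 update-source Loopback0
 neighbor 10.0.0.11 remote-as 64496
 neighbor 10.0.0.11 update-source Loopback0
 ! Internet prefixes are reflected in the global (IPv4 unicast) table
 address-family ipv4
  neighbor 10.0.0.2 activate
  neighbor 10.0.0.11 activate
  neighbor 10.0.0.11 route-reflector-client
 exit-address-family
 ! Customer L3VPN routes ride the same iBGP sessions as VPNv4
 address-family vpnv4
  neighbor 10.0.0.2 activate
  neighbor 10.0.0.2 send-community extended
  neighbor 10.0.0.11 activate
  neighbor 10.0.0.11 send-community extended
  neighbor 10.0.0.11 route-reflector-client
 exit-address-family
!
! --- BORDER: the Internet-facing 6509 (assumed upstream 203.0.113.1, AS 64500) ---
ip prefix-list OUR-PREFIXES seq 5 permit 198.51.100.0/24
router bgp 64496
 bgp router-id 10.0.0.2
 neighbor 10.0.0.1 remote-as 64496
 neighbor 10.0.0.1 update-source Loopback0
 neighbor 203.0.113.1 remote-as 64500
 address-family ipv4
  neighbor 10.0.0.1 activate
  ! PEs resolve upstream-learned routes via the border loopback, not the eBGP link
  neighbor 10.0.0.1 next-hop-self
  neighbor 203.0.113.1 activate
  ! Announce only our own address space to the upstream
  neighbor 203.0.113.1 prefix-list OUR-PREFIXES out
 exit-address-family
!
! --- PE1: takes the reflected Internet table only if its supervisor can hold it ---
router bgp 64496
 bgp router-id 10.0.0.11
 neighbor 10.0.0.1 remote-as 64496
 neighbor 10.0.0.1 update-source Loopback0
 address-family ipv4
  neighbor 10.0.0.1 activate
 exit-address-family
 address-family vpnv4
  neighbor 10.0.0.1 activate
  neighbor 10.0.0.1 send-community extended
 exit-address-family
```

A PE on a SUP720-3B non-XL, as mentioned in the thread, would instead filter the ipv4 session down to a default or partial view rather than accept the full table.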