[c-nsp] Using MPLS PEs as gateways for access layer

Phil Mayers p.mayers at imperial.ac.uk
Wed Nov 30 03:26:35 EST 2016


On 30/11/16 00:14, Ryan L wrote:
> Hey all,
>
> Apologies if this is a muppet question, but still getting my bearings with
> MPLS. Most L3VPN designs I've checked out don't really address this
> specific design...
>
> I've got a multi-tenant network that would either be done w/VRF-lite or
> L3VPN, but I don't have a CE router, per se.
>
> Is it somewhat accepted design to run L3VPN in a scenario where the PEs in

I don't know about "accepted" but PE-only (no CE) as well as collapsed 
P/PE can work - we do both in a campus MPLS L3VPN environment on a mix 
of older sup720, newer sup2t/6880 and N7k M1 hardware, as well as 
Juniper SRX in packet-mode for smaller sites. We've tested on other 
platforms and vendors as well, and found it to generally work.

Be aware that in clients-on-PE designs the traffic will probably be 
arriving via an aggregate label & subsequent IP lookup, which on some 
platforms might require a 2nd pass through the forwarding pipeline, 
which may or may not be an issue.

Also some kit is weird about doing label pop in combination with 
"egress" features like ACLs or QoS.

If you are considering a merchant silicon platform I would pay 
particular attention to these kinds of issues; forwarding to adjacent 
clients via MPLS pop, IP lookup is quite different to MPLS pop + L2 
rewrite, the latter being what takes place with a PE-CE static or 
dynamic route.

Most of these are likely non-issues with VRF lite because the arriving 
traffic is just VLAN-tagged IP so usually nothing special. Downside is
of course you're having the pain of running VRF-lite which for anything 
other than a trivial number of very static VRFs is painful - but we used 
to do PE-only VRF-lite, and it worked there too.

