[c-nsp] Using MPLS PEs as gateways for access layer

Peter Rathlev peter at rathlev.dk
Wed Nov 30 11:08:26 EST 2016


On Tue, 2016-11-29 at 19:14 -0500, Ryan L wrote:
> Is it somewhat accepted design to run L3VPN in a scenario where the
> PEs in DC1 are VRRP active/standby for DC1 VLANs in all VRFs, and the
> PEs in DC2 are active/standby for DC2 VLANs in all VRFs, and so on?
> From each PE, there'd be a layer 2 path to the edge hosts within
> those sites, and we're talking pure routing here, no state tracking
> devices, etc. PEs would be meshed iBGP either full or w/RRs.

To chime in: Using PE as the access network gateway works well IMHO. We
have been using it for many years both in datacenters and medium/large
enterprise access.

A bad actor can almost invariably take out whatever they have an L2
connection to, and a Sup720 isn't very resilient. Make sure you have a
sane CoPP but keep in mind that it generally cannot match local broad-
or multicast traffic. Hardware rate-limiters can help you with that to
a certain degree.

This is of course exactly the same whether you use VRF Lite or "real"
MPLS L3VPN. In my eyes there's no downside to using MPLS L3VPN on the
router that acts as gateway for a given access network.

-- 
Peter


