[j-nsp] Separate internet transit network versus converged

Mark Tees marktees at gmail.com
Sat Mar 26 19:46:21 EDT 2016


Hello J-listers,

This is isn't specifically a Juniper question but seeing as the kit
will be Juniper I am floating this here.

I am looking at a design change for a network that I work in.
Currently the network is a converged MPLS network with full tables in
global/inet.0

Services operated over this network are IP transit, business internet,
layer 2 VPN, and layer 3 VPN. The VPN traffic is the most important
thing. Currently we use four traffic classes and
prioritise/queue/shape to suite NC, EF, AF, BE.

We are moving all of our internet transit/global table routing out to
separate boxes.

The easiest way to do this is to just connect the new boxes to the
existing MPLS network with separate RR's (out of the forwarding path)
for the internet routing boxes.

Now, the question has come up (mainly due to some other large carriers
locally here in AUS doing this) that given the opportunity should we
create a separate internet transit network. We would still use MPLS
between all the dedicated internet boxes (LDP+RSVP-TE) but it would a
separate MPLS network. We would then effectively treat the original
MPLS network as a transport network creating layer 2 circuits for the
internet network. In some cases we could even have circuits in the
internet network away from the original MPLS network (where we have
CWDM splits available etc etc).

Points to/for:

* Pro - VPN network is hidden from the internet completely.
DOS/control plane attacks become much more difficult.
 - This is negated by QOS/COS and properly maintaining infrastructure ACL's.
 - Also, negated by global table in VRF style. Customers are however
used to seeing a pretty traceroute.

* Pro - can use private addressing in the VPN network and free up a
decent amount of IPv4 to use.

* Con - increases the amount of circuits that needs to be maintained.
In theory they would not need to be touched too often.

* Pro - mistake in either networks IGP is not going to effect the other.

My gut feeling is that the safer option is to run things separately
but I also do not wish to create an administrative nightmare for other
people to work on the network.

Any input, experience, or additional points would be greatly appreciated.

Cheers,

Mark


More information about the juniper-nsp mailing list