11 Replies. Latest reply: May 22, 2019 12:29 AM by Juan

    Architectural Suggestion Needed !!

    karthik

      Hi Everyone,

      Good Day !!

      Looking at long-term deals for some of our clients, we need to come up with a model in which we manage the end-to-end ODC infra.

      In most of our cases we extend our MPLS to client locations, which is good for a reason, but in case we are instructed to go with a client-recommended MPLS connection, then for integration into our network I need recommendations on how to restrict/plan/implement such networks during integration.

      Kindly share your high-level design and some insights on the low-level design of this kind.



      With Regards,

      Karthik Reddy

        • 1. Re: Architectural Suggestion Needed !!
          Juan

          Hi karthik ,


          I have some doubts about your intended design. I understand that your company provides MPLS L3 VPN services to your customer base. Right? From my understanding, one of your customers is running its own MPLS network and you want to be able to integrate their network, which may span multiple locations, using your (SP) MPLS backbone. Am I right?


          Please, provide additional information if I'm wrong.


          Regards!

          • 2. Re: Architectural Suggestion Needed !!
            karthik

            Hi Juan,

            My answer is YES to both of your questions.

            Info: let's say my organization has Verizon & AT&T MPLS services to provide clients secure connections usually (if they can afford the costs, we order and deliver the circuit and our managed router to connect to the client LAN/FW).

            Now the case is like this: the client wants to use their existing MPLS services (let's take any other MPLS service). How we can achieve client connectivity with different MPLS providers is one question; later, how can we segregate them so they do not conflict with our networks (e.g. 10.x.x.x if they advertise it; VRF may not be a workable solution as we can't use the same MPLS interface in the existing and new VRF)?

            Please share your inputs.

             

            Regards,

            Karthik Reddy

            • 3. Re: Architectural Suggestion Needed !!
              Juan

              Hi karthik

              This is a multi-domain question IMO. I'll try to give some inputs with the information you provided.

              • The interconnection with multiple MPLS providers can be achieved if both have a peering agreement to interconnect their customer base. Usually you have several technical options (A, B, C... and sometimes AB aka D). The most secure of them and the one that enables more granular QoS support is option A. On the other side, option C is a much more scalable solution but requires strict security (and TRUST) measures between providers. Inter-AS is the "cleanest" solution, not the only one though.
              • I understand you are sharing your company-wide MPLS L3 VPN service to provide services to your other customers. That is not a recommended approach and I would discourage you from doing so (if I'm understanding wrong, feel free to tell me that). MPLS L3 VPN service instances allow you to isolate multiple VPNs over the same infrastructure.
              • In case the customer has their own MPLS network and they need only to interconnect geographically dispersed sites or POPs, perhaps you can go with a CsC solution. In this case the SP backbone is used only as transit and is agnostic to the VPN information.


              There are plenty of solutions. Each solves a particular problem in a given scenario. You need to pick the business needs and balance the requirements and constraints to pick the one that most suits your needs.


              IHTH a little. Best regards!

              • 4. Re: Architectural Suggestion Needed !!
                karthik

                Hi Juan,

                Thanks for the inputs.

                Please check the attachment and share your inputs. (Attachment: interconnect MPLS SP.PNG)

                Please share the information on the interconnect options A and C.

                 

                Thanks & Regards,

                Karthik Reddy

                • 5. Re: Architectural Suggestion Needed !!
                  Juan

                  Hi karthik

                  Inter-AS options A and C are totally different options, the most relevant differences between the two being the scalability and security design aspects.

                  • Option A
                    • Simplest and most secure option <---
                    • Per-VPN filtering, accounting and policing made easy
                    • ASBR connectivity
                      • 1:1 mapping (virtual or physical)
                      • Native IP forwarding (no MPLS)
                      • EBGP recommended (policy control and scalability)
                    • Limited scalability <---
                    • Increased operational complexity as they grow


                  • Option C:
                    • ASBR Connectivity:
                      • MP-EBGP session between the RR of each SP
                      • IGP + LDP or EBGP + LABEL (infrastructure prefixes)
                    • Most scalable, ASBRs do NOT need to carry VPN routes <---
                    • End-to-end VPN label
                      • Keep the VPNv4 NHs unchanged (no next-hop-self)
                    • Network security issues <---
                      • SPs not under the same administrative domain
                      • Requires leaking of infrastructure (at least loopbacks reachability)

                  I would recommend you to analyse both options with your SPs in advance, because not all of them support every connectivity option.

                  You need to consider the service costs too, because for SPs that are located in different geographical locations, that could be a very important factor to consider.

                   

                  Best regards.

                  • 6. Re: Architectural Suggestion Needed !!
                    karthik

                    Hi Juan,

                    Thanks for sharing the information.

                    Based on the above, I have an attached situation. Could you please review it once and suggest how things work?

                    (Attachment: inter-as VPN.PNG)

                    Can we limit the prefixes sent and received between the VPN client & my organization? If yes, how do we achieve that?

                    If we can do that, probably most of the things can be done using DMVPN. Please correct me.

                     

                    Thanks,

                    Karthik Reddy

                    • 7. Re: Architectural Suggestion Needed !!
                      Juan

                      Hi karthik,

                      "Can we limit the prefixes sent and received between the VPN client & my organization? If yes, how do we achieve that?"

                      Depends on what you want to achieve. You can go the usual way MPLS L3 VPN services use to announce import/export VPNv4 routes, or you can (if you need to do so) act over the back-to-back VRFs between ASBRs (option A, because with option C you lose that kind of granularity).

                      "If we can do that, probably most of the things can be done using DMVPN. Please correct me."

                      That's another completely different approach. You can choose DMVPN over an alternative transport if your business requirements drive you to do so with the constraints you have in your case.

                       

                      Best regards!
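                      An added example, not part of the thread or of either poster's configuration: a constructed Cisco IOS-style configuration for the ASBR on our side of an Inter-AS Option A interconnect. It puts together the Option A points from reply 5 (1:1 VRF mapping on a sub-interface, native IP forwarding, EBGP to the peer ASBR) with the per-VPN prefix filtering asked about in reply 6 and answered in reply 7. The VRF name CLIENT-A, the AS numbers 64500 and 64510, the addresses (taken from documentation ranges) and the prefix limit are all assumptions.

```cisco
! Constructed example: our ASBR, Inter-AS Option A (back-to-back VRF).
! VRF name, AS numbers, addresses and limits are assumptions, not from the thread.
vrf definition CLIENT-A
 rd 64500:100
 address-family ipv4
  route-target export 64500:100
  route-target import 64500:100
 exit-address-family
!
! 1:1 mapping: one sub-interface per VPN towards the client's ASBR.
! Plain IP on this link; no MPLS label exchange with the other provider.
interface GigabitEthernet0/1.100
 encapsulation dot1Q 100
 vrf forwarding CLIENT-A
 ip address 192.0.2.1 255.255.255.252
!
! Inbound: only the client prefixes agreed for this VPN. Anything else,
! including an overlapping 10.0.0.0/8, hits the implicit deny.
ip prefix-list CLIENT-A-IN seq 10 permit 198.51.100.0/24
ip prefix-list CLIENT-A-IN seq 20 permit 203.0.113.0/24 le 26
! Outbound: only the ODC subnet the client needs to reach, never our
! internal 10.0.0.0/8 space.
ip prefix-list CLIENT-A-OUT seq 10 permit 172.16.50.0/24
!
router bgp 64500
 address-family ipv4 vrf CLIENT-A
  neighbor 192.0.2.2 remote-as 64510
  neighbor 192.0.2.2 description Client ASBR, Option A
  ! Weak form: "activate" alone accepts and sends every prefix the VRF knows.
  neighbor 192.0.2.2 activate
  ! Hardened form: filter both directions and cap what the peer can push.
  neighbor 192.0.2.2 prefix-list CLIENT-A-IN in
  neighbor 192.0.2.2 prefix-list CLIENT-A-OUT out
  neighbor 192.0.2.2 maximum-prefix 50 80 restart 15
  ! Session protection: TCP MD5 (the secret is a placeholder) and GTSM.
  neighbor 192.0.2.2 password REPLACE-WITH-SHARED-SECRET
  neighbor 192.0.2.2 ttl-security hops 1
 exit-address-family
```

                      The two prefix-lists are exactly the granularity reply 7 says Option C gives up: on an Option C ASBR the VPN routes never touch the ASBR, so there is no per-VPN EBGP session to filter. The `maximum-prefix` line is the safety net if the peer's filters fail; with `50 80 restart 15` the session logs at 80% of the limit and is torn down and retried after 15 minutes once it is exceeded, so a route leak from the other provider cannot flood the VRF. `show ip bgp vpnv4 vrf CLIENT-A summary` shows the per-VRF session state and the prefix count actually accepted.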

                      • 8. Re: Architectural Suggestion Needed !!
                        karthik

                        Thanks for all the inputs Juan !!

                        Can you share if there is any other feasible way to share prefixes without involving service providers in the L3 VPN MPLS service?

                        Any other way to achieve this also helps!!!

                        Appreciate all your support!!

                         

                        Regards,

                        Karthik Reddy

                        • 9. Re: Architectural Suggestion Needed !!
                          Juan

                          Hi karthik,

                          You're welcome.

                          "Can you share if there is any other feasible way to share prefixes without involving service providers in the L3 VPN MPLS service?"

                          There are plenty of them. Assuming you need some kind of underlay transport to interconnect both ends (network virtualisation), the solutions go from simple GRE tunneling to SDx-based solutions. I simply can't recommend you one, because I don't have enough information to do so.

                          I would recommend you to be focused on the business first. Identifying their needs is crucial to introduce a technology as a business enabler instead of a stopper. Gather needs, constraints, functional requirements, etc... after that you can go to the technological comparison to find the one that best suits your needs.

                           

                          IHTH. Best regards. Have a nice day!

                          • 10. Re: Architectural Suggestion Needed !!
                            karthik

                            One last question in this regard: if we use MPLS as an underlay transport on both my side and the client side, with different SPs' backbone networks involved, is there any way to receive client prefixes without involving the SP?

                            Regards,

                            Karthik Reddy

                            • 11. Re: Architectural Suggestion Needed !!
                              Juan

                              Hi karthik

                              If you don't have reachability via the Inter-AS connection or some CsC setup between providers, then you cannot receive the prefixes without additional reachability.


                              How could you do that? Assuming you have Internet connectivity on both sides, you could hypothetically interconnect two "main" sites of both VPNs. The "main" here means that the site should have knowledge of the reachability information you want to share, as well as the appropriate capacity to receive an increased amount of traffic in the data plane.


                              Once you receive the traffic from the remote L3 VPN, you'll need to take care of it, routing that traffic internally in the destination MPLS L3 VPN instance in coordination with your SP.


                              HTH. Best regards !