MPLS Network Design

Posted on 2008-11-03
Last Modified: 2009-10-06

I have to help design an MPLS network.  I am trying to learn as much as possible by reading but really need some interactive input.  Here is a history and the equipment I have to work with....

We have 4 offices in the US.  Currently they all have separate ISPs for internet access.  We also have two sites in the UK.   Linking them all together are OpenVPN SSL tunnels.  We have a mesh network, meaning each site has its own link to all other sites.   We are upgrading our network to an all MetroE/MPLS network with one service provider for our interoffice connectivity only; each site will still have its own internet access.  This does not include the UK offices; they will not be on MPLS....
The provider is Paetec; they offer a layer 3 MPLS network, so we are going to use eBGP on our routers (that's all they support).

Each site has an ASA5110, a Cisco 2811 router and CAT 2960 switches....  These are in place already and are in production; the routers currently provide our video conferencing units a dedicated network (T1s).  The video will be moved onto the MPLS network, freeing up the routers for the MPLS....

Is there an industry standard way to link all sites together?  My boss mentioned placing the MPLS routers in their own VLAN, and then trunking the VLAN on the outside with the existing internal subnets that we have in place at each site.. not sure what he meant by that.  I thought you turned on BGP, set the AS tags and then the network appeared to all be on the LAN....

Any practical real world help would be great...
Question by: hang10z

    Expert Comment

    I would place the MPLS on the inside of each LAN.  For each site I would use the MPLS router or a layer 3 switch as the default gateway, so that if it's an MPLS subnet it will forward; if not, it will use the route of last resort, which will be the firewall at each location.

    The reason to use a L3 switch or MPLS router for the default gateway at each site is that the ASAs do not allow for split horizon (do not allow outbound packets to come back in on the same interface).

    This keeps things simple.

    My $.02

    Expert Comment

    There are two options:
    1. (expensive) Order MPLS VPN service from a global VPN service provider. In this case most probably you will be exchanging layer 3 information with the service provider.
    2. (cheap) Order cheap Internet access, put in your own IPsec VPN enabled devices and build your own VPN on top of it.

    Actually, as I now understand it, you are using option 2: you have OpenSSL tunnels over the internet.

    Expert Comment

    Make your life easier: choose the managed router option from the provider.  Trust me.  Just trust me.  If done wrong, MPLS can make you bald and old, fast.

    Most providers will offer this for a nominal fee, because most MPLS issues come from issues with the CPE configuration.  They will also assist you with the optimal CPE configuration that you need.  With that being said...

    You will want the inside interface of the MPLS router on the subnet and VLAN that the hosts are going to be accessing it from, INSIDE the firewalls.  Your MPLS network will be connecting sites that are all behind a firewall, creating a VPN by default.  And as Paulsolov said, ASAs don't allow for split horizon... but to go further than that, you don't want the ASA processing rules on what will really be "local" traffic.
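    The design both of the previous comments describe (MPLS router inside the firewall acting as the hosts' default gateway, with the ASA as the route of last resort and eBGP toward the provider) looks like the following on a 2811. This is an added illustration, not configuration from any poster, from Paetec or from Cisco; every address, AS number, interface name and the BGP password are constructed placeholders, and the prefix filters assume all sites use /24s out of 10.0.0.0/8.

```ios
! Constructed example for one US site. All addresses, AS numbers,
! interface names and the password are placeholders, not values from
! the question.
!
! LAN-facing interface: hosts point their default gateway at this router
! (10.1.0.2). The ASA's inside interface is on the same segment at 10.1.0.1.
interface FastEthernet0/0
 description Site LAN (inside the ASA)
 ip address 10.1.0.2 255.255.255.0
 ! Optional: keep the forwarding decision on the router instead of letting
 ! hosts learn per-destination redirects toward the ASA.
 no ip redirects
!
! Provider-facing interface: point-to-point handoff to the MPLS provider.
interface FastEthernet0/1
 description MPLS provider handoff (placeholder addressing)
 ip address 192.0.2.2 255.255.255.252
!
! Route of last resort: anything not learned over MPLS goes to the ASA,
! which still handles the site's own internet access.
ip route 0.0.0.0 0.0.0.0 10.1.0.1
!
! Only this site's private prefix is offered to the provider ...
ip prefix-list LOCAL-OUT seq 10 permit 10.1.0.0/24
! ... and only other sites' private prefixes (up to /24 inside 10/8) are
! accepted from it. The implicit deny at the end of the list means a
! default route or a public prefix leaked by the provider is dropped rather
! than pulling internet-bound traffic away from the ASA.
ip prefix-list REMOTE-IN seq 10 permit 10.0.0.0/8 le 24
!
router bgp 65001
 bgp log-neighbor-changes
 network 10.1.0.0 mask 255.255.255.0
 neighbor 192.0.2.1 remote-as 65000
 neighbor 192.0.2.1 description Provider PE (placeholder AS number)
 ! TCP MD5 on the session; the shared secret comes from the provider.
 neighbor 192.0.2.1 password SHARED-SECRET-PLACEHOLDER
 neighbor 192.0.2.1 prefix-list LOCAL-OUT out
 neighbor 192.0.2.1 prefix-list REMOTE-IN in
 ! Tear the session down if the provider sends far more than the handful
 ! of site prefixes expected.
 neighbor 192.0.2.1 maximum-prefix 50
```

    With this in place, a host sending to another site's 10.x subnet hits the router, matches a BGP-learned prefix and goes out over MPLS; anything else follows the static default to the ASA and out the local ISP, so the firewall never sees inter-site traffic and the hairpin limitation on the ASA does not come into play. If the ASA itself must reach the other sites (management, logging), it needs its own static routes for those prefixes via 10.1.0.2. The `maximum-prefix` value and the prefix lists are the parts to adjust to the actual addressing plan.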

    Accepted Solution

    Actually I figured it all out and I have a worldwide MPLS network...
