hang10z asked:

MPLS Network Design

Hello,

I have to help design an MPLS network. I am trying to learn as much as possible by reading but really need some interactive input. Here is a history and the equipment I have to work with...

We have 4 offices in the US. Currently they all have separate ISPs for internet access. We also have two sites in the UK. Linking them all together are OpenVPN SSL tunnels. We have mesh networking, meaning each site has its own link to all other sites. We are upgrading our network to an all MetroE/MPLS network with one service provider for our interoffice connectivity only; each site will still have its own internet access. This does not include the UK offices; they will not be on MPLS.
The provider is Paetec; they offer a layer 3 MPLS network, so we are going to use eBGP on our routers (that's all they support).

Each site has an ASA5110, a Cisco 2811 router and CAT 2960 switches. These are in place already and are in production; the routers currently provide our video conferencing units a dedicated network (T1s). The video will be moved onto the MPLS network, freeing up the routers for the MPLS.

Is there an industry standard way to link all sites together? My boss mentioned placing the MPLS routers in their own VLAN and then trunking the VLAN on the outside with the existing internal subnets that we have in place at each site; not sure what he meant by that. I thought you turned on BGP, set the AS tags and then the network appeared to all be on the LAN...

Any practical real world help would be great...
Paul Solovyovsky replied:

I would place the MPLS on the inside of each LAN. For each site I would use the MPLS router or a layer 3 switch as the default gateway, so that if it's an MPLS subnet it will forward; if not, it will use the route of last resort, which will be the firewall at each location.

The reason to use an L3 switch or MPLS router for the default gateway at each site is that the ASAs do not allow for split horizon (do not allow outbound packets to come back in on the same interface).

This keeps things simple.


My $.02
baltras replied:

There are two options:
1. (expensive) Order MPLS VPN service from a global VPN service provider. In this case most probably you will be exchanging layer 3 information with the service provider.
2. (cheap) Order cheap Internet access, put in your own IPsec VPN enabled devices and build your own VPN on top of it.

Actually, now as I understood, you are using option 2: you have OpenSSL tunnels over the internet.

Make your life easier: choose the managed router option from the provider. Trust me. Just trust me. If done wrong, MPLS can make you bald and old, fast.

Most providers will offer this for a nominal fee, because most MPLS issues come from issues with the CPE configuration.  They will also assist you with the optimal CPE configuration that you need.  With that being said...

You will want the inside interface of the MPLS router on the subnet and VLAN that the hosts are going to be accessing it from, INSIDE the firewalls. Your MPLS network will be connecting sites that are all behind a firewall, creating a VPN by default. And as Paulsolov said, ASAs don't allow for split horizon... but to go further than that, you don't want the ASA processing rules on what will really be "local" traffic.
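To make the design the two replies above describe concrete (MPLS CE router on the inside LAN VLAN as the hosts' default gateway, eBGP to the provider, route of last resort pointing at the ASA), here is an added example Cisco IOS configuration for one site's 2811. It is not from the thread or from the provider; every address, AS number, interface name and password is a constructed placeholder (RFC 1918 and documentation ranges, private AS numbers), and the prefix-list filtering is a standard eBGP hygiene step added here, not something the posters described.

```cisco
! Added example (not from the thread): one site's MPLS CE router (Cisco 2811)
! All addresses, AS numbers, interface names and secrets are constructed placeholders.
hostname site1-mpls
!
! Inside interface: lives on the hosts' LAN VLAN, behind the ASA.
! Hosts use 10.1.0.1 as their default gateway instead of the ASA.
interface FastEthernet0/1
 description LAN (inside the firewall) - LAN default gateway
 ip address 10.1.0.1 255.255.255.0
!
! Outside interface: point-to-point hand-off to the provider's PE router.
interface FastEthernet0/0
 description Paetec MPLS hand-off (constructed addressing)
 ip address 192.0.2.2 255.255.255.252
!
! Advertise only this site's LAN; accept only the other sites' LANs from the provider.
! This keeps a provider-side mistake from injecting a default or foreign prefixes into the LAN.
ip prefix-list LOCAL-LAN seq 5 permit 10.1.0.0/24
ip prefix-list REMOTE-SITES seq 5 permit 10.2.0.0/24
ip prefix-list REMOTE-SITES seq 10 permit 10.3.0.0/24
ip prefix-list REMOTE-SITES seq 15 permit 10.4.0.0/24
!
! eBGP with the provider (placeholder AS numbers; the provider assigns the real ones).
router bgp 65001
 bgp log-neighbor-changes
 neighbor 192.0.2.1 remote-as 65000
 neighbor 192.0.2.1 description Paetec PE
 neighbor 192.0.2.1 password PLACEHOLDER-SHARED-SECRET
 address-family ipv4
  network 10.1.0.0 mask 255.255.255.0
  neighbor 192.0.2.1 activate
  neighbor 192.0.2.1 prefix-list LOCAL-LAN out
  neighbor 192.0.2.1 prefix-list REMOTE-SITES in
 exit-address-family
!
! Route of last resort: anything not learned over MPLS (i.e. the internet)
! goes to the ASA's inside interface, so the ASA never has to hairpin LAN traffic.
ip route 0.0.0.0 0.0.0.0 10.1.0.254
```

With this in place, a host at 10.1.0.50 sending to 10.2.0.10 hits the router, matches the BGP-learned 10.2.0.0/24 and is forwarded over MPLS without touching the ASA; a packet to a public address falls through to the 0.0.0.0/0 route and exits via the firewall as before. The ASA still needs to know where the remote sites live for traffic that originates on its side (for example replies to the existing OpenVPN tunnels from the UK offices), which is one static route per remote LAN on the ASA, such as `route inside 10.2.0.0 255.255.255.0 10.1.0.1`. Note that a provider L3 VPN isolates your traffic from other customers but does not encrypt it on the provider's backbone; whether that matters for your video and interoffice data is a separate decision the thread does not cover.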
Asker certified solution by hang10z (solution text not included on this page).