In a continuation of our MPLS deep-dive series, Nick Russo, Russ White, Jordan Martin, and Eyvonne Sharp return to discuss some of the operational considerations when using MPLS VPNs.
We would like to thank Core BTS for sponsoring this episode of Network Collective. Core BTS focuses on partnering with your company to deliver technical solutions that enhance and drive your business. If you’re looking for a partner to help your technology teams take the next step, you can reach out to Core BTS by emailing them here.
We would also like to thank Cumulus Networks for sponsoring this episode of Network Collective. Cumulus is bringing S.O.U.L. back to the network. Simple. Open. Untethered. Linux. For more information about how you can bring S.O.U.L. to your network, head on over to https://cumulusnetworks.com/networkcollectivehassoul. There you can find out how Cumulus Networks can help you build a datacenter as efficient and as flexible as the world's largest data centers and try Cumulus technology absolutely free.
Show Notes:
When enterprises use the term “MPLS”, they usually mean an SP-provided VPN service rather than the label-switching technology itself
In practice this means a private WAN service, delivered as either an L2VPN or an L3VPN
Quick packet walk (L3VPN only)
CE sends IP packet to ingress PE
Ingress PE looks the destination up in the FIB of the VRF that the CE-facing interface belongs to (not in the global table)
Ingress PE pushes labels in the order in which route recursion occurs: the VPN label learned from the egress PE goes on first (inner label), then the transport label for the egress PE's loopback (outer label)
Ingress PE sends the labeled packet into the core
Core routers look the top label up in the LFIB and swap it; they never look at the inner VPN label or the customer IP header
Egress PE receives the packet from the core
Assuming PHP, the penultimate P router has already popped the transport label, so the egress PE receives only the VPN label and consults its LFIB
Action is to pop the VPN label, which identifies the VRF (and, with per-prefix labels, the outgoing interface), and send the plain IP packet to the CE
Overlapping customer routes in L3VPNs are kept apart by the RD. It makes the VPNv4 NLRI unique, and it can also be used to engineer HA at the edge (unique RD per PE == separate copies of the same route)
Suppose there are 2 egress PEs which learn the same customer route. It would be good if the ingress PE could learn the route from both egress PEs. If RRs are in use, this is harder, since an RR reflects only its single best path per NLRI and so hides the second PE (RRs hide topology). A unique RD on each PE turns the two advertisements into two distinct VPNv4 NLRIs, so the RRs keep them separate and advertise both to the ingress PE. The cost is roughly double the VPNv4 state for every dual-homed prefix
Enable BGP prefix independent convergence (PIC) edge so the ingress PE installs both routes, one as primary and one as a pre-computed repair path, and can switch to the repair path when the primary next hop goes away without waiting for BGP to reconverge
L3VPN advantages
Massively scalable L3VPNs, easy extranet/central services support
Trivial to add new sites to existing VPNs, or make changes
Media independent
L2VPN advantages
No routing exchange with the customer; the SP carries frames, not prefixes
Easier for the customer to change things (non-IP protocols, IPv6, multicast, etc.) without involving the SP
Other handy uses
Internet VPN: for ISPs, there are obvious security advantages to putting the internet in a VRF rather than in the global table. It is easy to import into customer VRFs with RTs, and because core infrastructure prefixes (P router and PE loopbacks, link addresses) are not in the internet VRF, a packet arriving from the internet has no route to the core at all; the core can never be attacked from the outside. The PEs themselves still terminate the internet-facing interfaces, so their control planes still need CoPP or infrastructure ACLs. Tradeoff is more state (memory consumed): the RD turns every internet route into a VPNv4 route, and if multiple VRFs on a PE need internet, each import is another full copy of the table. Compare this to route leaking from the global table, which is more efficient but complex and less secure.
Scrubbing center: a central site that all traffic must traverse can be engineered by making one CE a transit site. Work the RTs appropriately: spokes export their own RT and import only the hub's RT (typically a default or aggregate from the hub), while the hub imports every spoke's RT, so spoke-to-spoke traffic has no direct route and is forced through the central site.
Half-duplex VRF: similar to the example above, but for two access sites attached to the same PE that must still route via the central site to talk laterally. An upstream and a downstream VRF are defined on the PE so that traffic between the two attachment circuits cannot be switched locally. Somewhat analogous to private VLANs.
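The packet walk above, as an added example that is not part of the episode or its notes: a small Python model of the per-VRF FIB on the ingress PE, the LFIBs on the P routers and the egress PE, and penultimate-hop popping. Router names, prefixes, next hops and label values are all made up for the illustration. The second lookup in the usage block also shows the isolation property behind the internet-VRF note: a destination that exists only in the global table (a P router loopback, 192.0.2.1 here) has no entry in the customer VRF and is dropped at the ingress PE.

```python
"""Toy L3VPN data plane: CE1 - PE1 - P1 - P2 - PE2 - CE2 (constructed topology)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Packet:
    dst: str                                     # IP destination, the only thing the CE sets
    labels: list = field(default_factory=list)   # MPLS stack; labels[-1] is the top label


# Ingress PE: per-VRF FIB. A customer route recurses to a BGP next hop (the egress
# PE loopback) and carries the VPN label that PE advertised for it.
VRF_FIB = {
    "CUST-A": {ip_network("10.2.0.0/24"): {"nexthop": "192.0.2.2", "vpn_label": 24}},
}
# Global FIB: the egress PE loopback recurses to an LDP transport label.
GLOBAL_FIB = {"192.0.2.2": {"transport_label": 100, "out": "P1"}}
# LFIBs. P2 is the penultimate hop: PE2 advertised implicit-null for its
# loopback, so P2 pops the transport label instead of swapping it (PHP).
LFIB = {
    "P1": {100: ("swap", 200, "P2")},
    "P2": {200: ("pop", None, "PE2")},
    # Egress PE: a per-VRF label; after popping it the IP packet gets a normal
    # lookup in the named VRF to find the CE-facing interface.
    "PE2": {24: ("pop-vrf", "CUST-A", None)},
}
EGRESS_VRF_FIB = {"CUST-A": {ip_network("10.2.0.0/24"): "CE2"}}


def ingress_pe(pkt, vrf):
    """PE1: longest match in the customer VRF, then push labels inner-first."""
    table = VRF_FIB[vrf]
    dst = ip_address(pkt.dst)
    matches = [p for p in table if dst in p]
    if not matches:
        # Core and global-table prefixes are simply invisible inside a VRF.
        return ("drop", f"{pkt.dst} has no route in VRF {vrf}")
    entry = table[max(matches, key=lambda p: p.prefixlen)]
    pkt.labels.append(entry["vpn_label"])              # inner: selects VRF/prefix at egress PE
    hop = GLOBAL_FIB[entry["nexthop"]]
    pkt.labels.append(hop["transport_label"])           # outer: gets the packet to PE2's loopback
    return ("forward", hop["out"])


def lsr(name, pkt):
    """P routers and the egress PE act only on the top label."""
    action, arg, nxt = LFIB[name][pkt.labels[-1]]
    if action == "swap":
        pkt.labels[-1] = arg
        return ("forward", nxt)
    if action == "pop":                                 # PHP: exposes the VPN label for PE2
        pkt.labels.pop()
        return ("forward", nxt)
    pkt.labels.pop()                                    # pop-vrf: VPN label names the VRF
    dst = ip_address(pkt.dst)
    for prefix, ce in EGRESS_VRF_FIB[arg].items():
        if dst in prefix:
            return ("forward", ce)
    return ("drop", f"{pkt.dst} has no route in VRF {arg}")


def walk(dst, vrf="CUST-A"):
    """Return the hop-by-hop trace as (router, action, label stack after the action)."""
    pkt = Packet(dst)
    action, nxt = ingress_pe(pkt, vrf)
    trace = [("PE1", action, list(pkt.labels))]
    while action == "forward" and nxt in LFIB:
        router = nxt
        action, nxt = lsr(router, pkt)
        trace.append((router, action, list(pkt.labels)))
    if action == "forward":
        trace.append((nxt, "deliver", list(pkt.labels)))   # reached the CE with no labels left
    return trace


if __name__ == "__main__":
    for hop in walk("10.2.0.7"):      # customer traffic: [24, 100] -> [24, 200] -> [24] -> []
        print(hop)
    print(walk("192.0.2.1"))          # P1 loopback: dropped at PE1, never enters the core
```

Note that the customer IP header is only examined twice, at the two PEs; P1 and P2 act on the transport label alone, which is why a P router needs no customer state and why the customer's addressing can overlap with anyone else's.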
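The RD / route-reflector / PIC edge notes and the RT-driven scrubbing-center (hub-and-spoke) note above, served by one added example that is not from the episode: a toy VPNv4 control plane in Python. The route reflector keeps one best path per (RD, prefix) NLRI, a VRF import is just a route-target intersection, and pic_edge() ranks whatever survives. All RDs, RTs, next hops and prefixes are invented, and best-path selection is reduced to local preference followed by lowest next hop as a stand-in for the full BGP decision process.

```python
"""Toy VPNv4 control plane: RD uniqueness through an RR, PIC edge, RT hub-and-spoke."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class VpnRoute:
    rd: str             # route distinguisher: makes the NLRI unique, carries no policy
    prefix: str
    nexthop: str        # loopback of the PE that originated the route
    rts: frozenset      # route targets: the extended communities that drive VRF import
    local_pref: int = 100

    @property
    def nlri(self):
        return (self.rd, self.prefix)   # what BGP treats as "one route"


def route_reflector(received):
    """Reflect one best path per VPNv4 NLRI, like an RR without add-path."""
    by_nlri = defaultdict(list)
    for r in received:
        by_nlri[r.nlri].append(r)
    # Stand-in decision process: higher local_pref, then lowest next hop wins.
    return [min(paths, key=lambda r: (-r.local_pref, r.nexthop)) for paths in by_nlri.values()]


def import_vrf(reflected, import_rts):
    """A VRF keeps every reflected route whose RTs intersect its import set, keyed by prefix."""
    table = defaultdict(list)
    for r in reflected:
        if r.rts & import_rts:
            table[r.prefix].append(r)
    return dict(table)


def pic_edge(paths):
    """BGP PIC edge: best path becomes primary, the next best is pre-installed as repair."""
    ranked = sorted(paths, key=lambda r: (-r.local_pref, r.nexthop))
    primary = ranked[0].nexthop
    repair = ranked[1].nexthop if len(ranked) > 1 else None
    return primary, repair


CUST_A = frozenset({"65000:1"})          # constructed RT for the customer VPN


def dual_homed(unique_rd):
    """PE2 and PE3 both reach 10.2.0.0/24; PE1 learns it only through the RR."""
    rd2 = "65000:1002" if unique_rd else "65000:1"    # unique_rd: one RD per PE
    rd3 = "65000:1003" if unique_rd else "65000:1"    # otherwise: one RD per VPN
    advertised = [
        VpnRoute(rd2, "10.2.0.0/24", "192.0.2.2", CUST_A),
        VpnRoute(rd3, "10.2.0.0/24", "192.0.2.3", CUST_A),
    ]
    pe1_vrf = import_vrf(route_reflector(advertised), CUST_A)
    return pic_edge(pe1_vrf["10.2.0.0/24"])


HUB_RT = frozenset({"65000:100"})        # constructed RTs for the scrubbing-center design
SPOKE_RT = frozenset({"65000:200"})


def hub_and_spoke():
    """Spokes export SPOKE_RT and import only HUB_RT: no spoke-to-spoke route exists,
    so lateral traffic follows the hub's default through the central site."""
    advertised = [
        VpnRoute("65000:1010", "0.0.0.0/0", "192.0.2.10", HUB_RT),      # hub PE
        VpnRoute("65000:1002", "10.2.0.0/24", "192.0.2.2", SPOKE_RT),   # spoke on PE2
        VpnRoute("65000:1003", "10.3.0.0/24", "192.0.2.3", SPOKE_RT),   # spoke on PE3
    ]
    reflected = route_reflector(advertised)
    hub_vrf = import_vrf(reflected, SPOKE_RT)     # hub sees every spoke
    spoke_vrf = import_vrf(reflected, HUB_RT)     # a spoke sees only the hub's default
    return sorted(hub_vrf), sorted(spoke_vrf)


if __name__ == "__main__":
    print("same RD on both PEs :", dual_homed(unique_rd=False))   # repair path is None
    print("unique RD per PE    :", dual_homed(unique_rd=True))    # primary + repair
    print("hub / spoke tables  :", hub_and_spoke())
```

With the shared RD the RR collapses the two PEs into one NLRI and PE1 never hears about 192.0.2.3, so PIC edge has nothing to pre-install; with unique RDs both paths reach PE1 at the cost of a second VPNv4 route on every RR. The hub-and-spoke function is the general RT pattern; the half-duplex VRF is the extra step needed when two spokes sit on the same PE, because import policy alone cannot stop that PE from switching between them locally.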