I am planning to extend the MPLS functionality to the CPE. The CPE will be at the customer premises, and they are trustworthy to some extent.
It would be good to know your thoughts about this: pros and cons, design considerations, security, etc.
If it is a VPN service provided (over an MPLS core) for different sites, I think it should be OK. I hope you are aware that ACLs may not work on labelled packets. So if you have a requirement to block some traffic using an ACL policy, it may not work.
Is it a VPN service?
Yes, there will be mainly Layer 3 VPN and some L2 VPN (mostly point-to-point) as well.
IP addresses will be managed by us.
There will be around 10 DCs. Maximum 600 clients and maximum 10k routes.
I have a plan to put each Region/DC in its own OSPF leaf area and extend VRF capability to the CPE for quick provisioning.
There will be a BGP Route Reflector design as well, which will be hierarchical in the long run.
MPLS to CPE. Well, the best solution is to use eBGP as the PE-CE protocol.
You can define service subscriptions from the CPE itself. Less burden on the PE.
You can't do packet filtering in CPE outside.
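
A simplified model of the point raised in the replies above, that an IP ACL may not match labelled packets. This is an added example, not code from any poster or vendor. The addresses, label values and function names are constructed, and the payload under the label stack is assumed to be IPv4 (the L3VPN case).

```python
import ipaddress
import struct

ETH_IPV4 = 0x0800
ETH_MPLS = 0x8847  # EtherType for MPLS unicast

def ipv4_header(src, dst):
    # Minimal 20-byte IPv4 header, checksum left at 0 (constructed sample).
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)

def mpls_entry(label, bottom, ttl=64):
    # 32-bit label stack entry: label(20) | TC(3) | S(1) | TTL(8).
    return struct.pack("!I", (label << 12) | (int(bottom) << 8) | ttl)

def frame(ethertype, payload):
    # Ethernet II header with constructed MAC addresses.
    return b"\x02" * 6 + b"\x04" * 6 + struct.pack("!H", ethertype) + payload

def ip_acl_denies(frm, denied_net):
    """Naive IP ACL: classifies only frames whose EtherType is IPv4."""
    (etype,) = struct.unpack("!H", frm[12:14])
    if etype != ETH_IPV4:
        return False  # labelled frame: never reaches the IP match
    src = ipaddress.IPv4Address(frm[26:30])  # 14-byte Ethernet + offset 12
    return src in ipaddress.ip_network(denied_net)

def inner_ipv4_src(frm):
    """Walk the label stack to the bottom-of-stack entry, then read the
    source address of the IPv4 packet assumed to follow it."""
    (etype,) = struct.unpack("!H", frm[12:14])
    off = 14
    if etype == ETH_MPLS:
        while True:
            if off + 4 > len(frm):
                raise ValueError("truncated label stack")
            (entry,) = struct.unpack("!I", frm[off:off + 4])
            off += 4
            if entry & 0x100:  # S bit set: last label in the stack
                break
    return ipaddress.IPv4Address(frm[off + 12:off + 16])

# Constructed sample: the same IP packet, sent plain and with a two-label
# stack (transport label + VPN label; values are arbitrary).
DENIED = "10.1.1.0/24"
PKT = ipv4_header("10.1.1.5", "192.0.2.10")
PLAIN = frame(ETH_IPV4, PKT)
LABELLED = frame(ETH_MPLS, mpls_entry(16001, False) + mpls_entry(24, True) + PKT)

if __name__ == "__main__":
    for name, f in (("plain", PLAIN), ("labelled", LABELLED)):
        print(name, "denied:", ip_acl_denies(f, DENIED), "src:", inner_ipv4_src(f))
```

In practice this is why filtering policy is normally enforced where the traffic is still unlabelled, for example on the customer-facing VRF interface before label imposition.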