03-31-2005 09:35 PM
Our organization is considering the new Cisco Campus VPN model for one of our new research facilities (~1000 people). They are suggesting a Layer 3 MPLS-iBGP-VPN Core and Distribution Layer (between the PEs) and Layer 2 at the Access. This seems unnecessarily complex and rather difficult to manage. We're going to end up with anywhere from 30-50 VRFs, and we'll end up having to place 6500s w/Sup 720s everywhere (even at the Access). This sounds like overkill to me. Thoughts?
03-31-2005 10:43 PM
Well, I really don't understand the idea behind going for a 6500 at the access layer when you can have a Catalyst 3550.
You can go through this link for details....
04-04-2005 01:43 PM
I guess the first question is: what are your needs? If it's overkill for your needs, then you don't need it.
On the face of it, this sounds much like something I've been considering for some time now. Do you happen to have a link to a white paper describing this model? On first glance I couldn't find one on the cisco.com website. I'd be interested if their official position regarding architecture matches up to what I was thinking.
04-04-2005 05:19 PM
The white paper is titled "Cisco Campus Virtual Private Network Solution". Here's the link.
http://www.cisco.com/application/pdf/en/us/guest/netsol/ns24/c654/cdccont_0900aecd800d8d2a.pdf
Please let me know what you think...
04-05-2005 11:00 AM
It basically reads like I wrote a paper describing what I've been thinking about. ;)
So I guess that means I like the architecture as a general rule. My question to some degree still stands regarding what it is you want and what you need for your environment.
If you really need the kind of services afforded by this design, then there's not much else you can do that's scalable.
However, I noticed when the Supervisor 32 came out that it mentioned future MPLS support. I don't know what timeframe the necessary software will come out in (or if it's out already), but depending on the timeframe for your implementation it may be possible for them to coincide in some beneficial way. That would certainly save you rather a lot of money I suspect, as the Sup32s are quite a bit less expensive than the Sup720s (particularly if you're considering having two in each chassis for redundancy). Like I said, I have no idea about availability, but it may be something to consider if you can weasel some dates out of your Cisco salesman (or woman).
04-05-2005 01:31 PM
I guess the two primary advantages are network isolation and security centralization (via the FWSMs in the core/distribution switches). This architecture allows us to administer virtual FWs from one location, and avoids the overhead associated with managing ACLs at the distribution layer. How do you feel about VRFs? Will the VRFs be easy to manage and maintain? We'll be hosting a university-like environment where various research teams will be provided with network services. I've heard from other vendors that MPLS is more of a service-provider technology. Do you think it's appropriate in the enterprise?
04-05-2005 02:55 PM
VRFs are fairly easy to manage, certainly more so than some elaborate scheme with ACLs and such. I've been working in the lab for some time now trying to get myself familiar with MPLS VPNs and once you understand the core concepts it's relatively simple actually.
As for MPLS being a service-provider technology, I'm not so sure that's true. It's certainly seen the most widespread deployment there as SPs have a tendency to have the largest networks in addition to wanting/needing to offer the types of services that MPLS (and MPLS VPNs, etc.) can provide. But I think the technologies are certainly applicable to the enterprise, particularly in situations such as yours and mine where having isolated networks supported by the same physical infrastructure is a huge boon to manageability.
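To make concrete what "isolated networks on the same physical infrastructure" looks like on a PE, here is an added IOS configuration example for one distribution-layer PE in the design discussed above. It is not taken from the thread or from the Cisco white paper, and the AS number (65000), route distinguishers, VLAN numbers, loopback and interface addresses and the VRF names (RESEARCH-A, RESEARCH-B, SHARED-SVC) are all assumed for illustration. It shows two fully isolated research VRFs plus a shared-services VRF that each research VRF can reach without being able to reach the other, which is the route-target pattern the ACL-free isolation relies on.

```cisco
! Added example PE configuration (assumed names, AS and addressing); classic "ip vrf" syntax
! as used on Sup720-era IOS. Each research team gets its own VRF; isolation comes from the
! fact that RESEARCH-A and RESEARCH-B never import each other's route targets.
!
ip vrf RESEARCH-A
 rd 65000:10
 route-target export 65000:10
 route-target import 65000:10
 ! one-way reach to the shared services block (DNS, print, FWSM-protected DMZ, etc.)
 route-target import 65000:900
!
ip vrf RESEARCH-B
 rd 65000:20
 route-target export 65000:20
 route-target import 65000:20
 route-target import 65000:900
!
! Hub-style shared services VRF: it learns every team's routes (so replies can be routed back)
! but no team imports another team's RT, so A and B remain mutually unreachable.
ip vrf SHARED-SVC
 rd 65000:900
 route-target export 65000:900
 route-target import 65000:900
 route-target import 65000:10
 route-target import 65000:20
!
! Access-layer Layer 2 trunks terminate on SVIs that are bound to a VRF; the VLAN-to-VRF
! binding is the only place a port "joins" a team's network.
interface Vlan10
 description Research team A (access VLAN 10)
 ip vrf forwarding RESEARCH-A
 ip address 10.10.0.1 255.255.255.0
!
interface Vlan20
 description Research team B (access VLAN 20)
 ip vrf forwarding RESEARCH-B
 ip address 10.20.0.1 255.255.255.0
!
interface Vlan900
 description Shared services block (behind FWSM)
 ip vrf forwarding SHARED-SVC
 ip address 10.90.0.1 255.255.255.0
!
! Core-facing link: MPLS label switching between PEs, IGP for PE loopback reachability
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
!
interface TenGigabitEthernet1/1
 description to core P/PE
 ip address 10.254.1.1 255.255.255.252
 mpls ip
!
router ospf 1
 network 10.254.0.0 0.0.255.255 area 0
 network 10.255.0.1 0.0.0.0 area 0
!
! MP-iBGP carries VPNv4 prefixes between PEs; 10.255.0.2 is the assumed peer PE loopback
router bgp 65000
 no bgp default ipv4-unicast
 neighbor 10.255.0.2 remote-as 65000
 neighbor 10.255.0.2 update-source Loopback0
 !
 address-family vpnv4
  neighbor 10.255.0.2 activate
  neighbor 10.255.0.2 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf RESEARCH-A
  redistribute connected
 exit-address-family
 !
 address-family ipv4 vrf RESEARCH-B
  redistribute connected
 exit-address-family
 !
 address-family ipv4 vrf SHARED-SVC
  redistribute connected
 exit-address-family
!
! Verification: RESEARCH-A's table must contain 10.10.0.0/24 and 10.90.0.0/24 but never
! 10.20.0.0/24. Run these after any route-target change.
!   show ip route vrf RESEARCH-A
!   show ip bgp vpnv4 vrf RESEARCH-A
!   show ip vrf detail RESEARCH-A
```

The security property of the whole design lives in the `route-target import` lines: a single stray import of another team's RT silently merges two "isolated" networks with no ACL change anywhere, so with 30-50 VRFs it is worth keeping the RT allocation in a table outside the routers and diffing `show ip vrf detail` against it after every change. Inter-VRF traffic that is meant to be allowed (team to shared services) still has to enter the shared block through the FWSM context for that VRF; the VRF itself only decides what is reachable, not what is permitted.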