I'm part of a project to upgrade a university's campus network, and we're looking to move towards an MPLS structure. Now, I'm not really that familiar with MPLS, and I've been studying up on it to get to the level I need to be at. None of the other engineers here have any MPLS experience, so this is new territory for us. So what's being thrown out is a design I'm not sure will work. We have two Juniper SRX firewalls that act as our main routers for the entire campus, or the end result is that they will be. So the SRXs will not be doing any MPLS forwarding, as they can't do MPLS. We want to push MPLS down to each building on the campus, and all will be pushing MPLS labels on the edge devices. The next thing we want to do is get VPLS working for some of the departments that are split up across different buildings. We are running OSPF inside the core and want to turn up LDP with some MPLS-capable devices. So my concern is how the firewalls will handle the transport of the VPLS packets across the network; it seems in my mind that the firewalls wouldn't correctly pass the traffic. Any thoughts? Any way around this? Thanks for the help, guys.
The first point: if you want a campus-wide MPLS network to support L2 and L3 VPNs, then really you need all your core routers to be capable of running MPLS. It's possible to run MPLS over GRE tunnels, but as this is a core network you should not consider going down that path. And if you started passing traffic in GRE tunnels through the firewall, well, what use is it then??
The second point: why would you even think of using your firewalls as the core routers? Far better to use them to do their main task of securing the network, and let a router do the routing. This brings a number of benefits: a more logical design structure and MPLS support.
Thanks for the reply. First off, let me say that I completely agree with everything you're saying. I am not a fan of using the firewalls to route everything. That decision was made by someone who gets paid a lot more than me. Our core devices are running MPLS; we're currently using RSVP with quick failover. I would love to see those devices do the MPLS routing, but I can't make that call. So, in light of that, I guess I'm stuck with what I've got. How would you realistically solve this problem? Cisco came in and gave us a demo and suggested putting VRFs in everywhere, and using iBGP to complement our OSPF and give us full reachability using route reflectors, which I would imagine would sit on the firewalls? I'm unsure of the technical level of our staff to handle all of this. We've lost some very good engineers over the past couple of years, and none of us have the experience to really justify the design. I guess I need some understanding of the complexity and scalability of the VPLS/MPLS design versus the scalability and complexity of the MPLS/iBGP/VRF design.
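Added example (not from the thread, and not the configuration Cisco demonstrated): a minimal Cisco IOS configuration for the MPLS/iBGP/VRF design described in the last post, with one building PE router and a separate route reflector. The AS number, VRF name, RD/RT values, interface names and all addresses are assumptions. The PE keeps OSPF as the IGP for loopbacks and core links, runs LDP on the core-facing link, places the department's access interface in a VRF, and carries the VRF's routes to the route reflector over MP-iBGP (VPNv4). The route reflector only reflects VPNv4 routes and is not in the forwarding path, so it does not have to be the firewall: any MPLS-capable core router with a loopback reachable via OSPF can hold that role.

```text
! === PE-1 (building edge router: OSPF + LDP + VRF + MP-iBGP) ===
! Assumed addressing: loopbacks in 10.255.0.0/24, core links in 10.0.0.0/16, AS 65000
mpls label protocol ldp
mpls ldp router-id Loopback0 force
!
! One VRF per department that is split across buildings (RD/RT values assumed)
vrf definition DEPT-A
 rd 65000:100
 address-family ipv4
  route-target export 65000:100
  route-target import 65000:100
 exit-address-family
!
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
!
interface GigabitEthernet0/0
 description core-facing link, label switched
 ip address 10.0.0.1 255.255.255.252
 mpls ip
!
interface GigabitEthernet0/1
 description department A access, placed in its VRF
 vrf forwarding DEPT-A
 ip address 10.100.1.1 255.255.255.0
!
! Existing OSPF core: carries only global-table prefixes (loopbacks, core links)
router ospf 1
 router-id 10.255.0.1
 network 10.0.0.0 0.0.255.255 area 0
 network 10.255.0.0 0.0.0.255 area 0
!
! MP-iBGP session to the route reflector; VPNv4 address family carries VRF routes
router bgp 65000
 bgp router-id 10.255.0.1
 neighbor 10.255.0.254 remote-as 65000
 neighbor 10.255.0.254 update-source Loopback0
 address-family vpnv4
  neighbor 10.255.0.254 activate
  neighbor 10.255.0.254 send-community extended
 exit-address-family
 address-family ipv4 vrf DEPT-A
  redistribute connected
 exit-address-family
!
! === RR-1 (route reflector, control plane only, assumed loopback 10.255.0.254) ===
interface Loopback0
 ip address 10.255.0.254 255.255.255.255
!
router bgp 65000
 bgp router-id 10.255.0.254
 neighbor 10.255.0.1 remote-as 65000
 neighbor 10.255.0.1 update-source Loopback0
 neighbor 10.255.0.2 remote-as 65000
 neighbor 10.255.0.2 update-source Loopback0
 address-family vpnv4
  neighbor 10.255.0.1 activate
  neighbor 10.255.0.1 send-community extended
  neighbor 10.255.0.1 route-reflector-client
  neighbor 10.255.0.2 activate
  neighbor 10.255.0.2 send-community extended
  neighbor 10.255.0.2 route-reflector-client
 exit-address-family
```

A second PE (assumed 10.255.0.2) in another building would mirror the PE-1 configuration with its own loopback and access subnet; because both import route-target 65000:100, department A's subnets in both buildings appear in each other's VRF table without ever touching the firewall. Useful checks after turning it up are `show mpls ldp neighbor` (LDP adjacency on the core link), `show bgp vpnv4 unicast all summary` (VPNv4 session state to the reflector) and `show ip route vrf DEPT-A` (the remote building's prefix learned via BGP with a label). Traffic that must leave a VRF, to the internet or to another department, is where the firewall belongs: hand each VRF off to the SRX on its own interface or VLAN so inter-department and egress traffic is inspected, while intra-department traffic stays inside the MPLS core.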