09-25-2020 10:51 AM - edited 09-25-2020 10:53 AM
Hi all,
I have some questions regarding MPLS (which might be wrong or illogical in fact!), especially how the MPLS cloud actually works. Here they are:
1. My company has its Data Centre (DC) at Mumbai and we use MPLS for connecting the branch offices. Does the traffic from remote locations such as Delhi or Kolkata flow to the DC through something called 'MPLS over internet' or do the ISPs which maintain the MPLS cloud have any special means to connect the various provider routers across the country, separate from the internet?
2. I used to hear a lot about "clear crypto session" whenever there is a network failure. What exactly does "clear crypto session" do? Is it a feature of IPSec or MPLS?
Thanks in advance..
Jewed
09-25-2020 11:51 AM
1. MPLS is a pure service provider network (how they run it depends on their topology and on the network provider).
2. clear crypto session - do you do this task, or does the provider do this task? If you are doing it, do you have an IPSEC VPN with your branch office?
09-26-2020 12:09 AM
1. Do you mean to say that ISPs route internet and MPLS traffic separately? For example, if we use MPLS of a particular ISP then how is traffic sent to the DC from remote locations such as Delhi?
2. I'm not sure if we use IPSec VPN as I'm working in a branch office, but often hear the term "clear crypto session" whenever there is a network failure. We contact the network team for "clear crypto".
09-26-2020 12:41 AM
1. Do you mean to say that ISPs route internet and MPLS traffic separately? For example, if we use MPLS of a particular ISP then how is traffic sent to the DC from remote locations such as Delhi?
BB - we do not have information on how the provider will break out; it all depends on the provider, and this question needs to be asked to your provider.
In general, MPLS providers offer internet too (maybe on the same link or maybe on another link, depending on the requirement).
2. I'm not sure if we use IPSec VPN as I'm working in a branch office, but often hear the term "clear crypto session" whenever there is a network failure. We contact the network team for "clear crypto".
09-26-2020 12:54 AM
"Clear crypto" is done by our network team at head office, when we inform them that we are not getting connected to the network. We at our branch office are not doing it because we don't have router access or the 'enable' password.
My question is, what does this "clear crypto session" do? Is it a feature of IPSec Tunnel only?
09-26-2020 01:19 AM
clear crypto sa - This command deletes the active IPSec security associations between your branch office and head office and creates a fresh tunnel session; that is when you are able to communicate with your HQ normally.
You can explore for your knowledge here; it is well documented for understanding IPSEC.
09-26-2020 07:39 AM
#1 No, generally you don't do MPLS over Internet, but the Internet might be running over MPLS. In fact, I suspect your WAN provider is really providing your company a L3 VPN over MPLS, i.e. your devices connecting to the "MPLS" probably aren't doing actual MPLS.
#2 Interesting! Why? I've done a bit of VPN, using IPSec, over the Internet, and routinely didn't need to clear crypto sessions. What the command does, as already noted by Balaji, is reset the crypto session(s). Effectively, it's starting over. Also it's related to IPSec, not MPLS.
BTW, MPLS is somewhat like L2 VLANs, in that a "tag" is attached to the frame/packet so that it may be forwarded using switching techniques (fixed-length matching) rather than routing techniques (variable-length matching). It was originally designed to provide a way to "speed up" forwarding of L3 traffic. With current hardware, the improvement isn't nearly as great as it once was. However, because of the tag(s) (you can have multiple on a frame/packet), other interesting things can be done. For example, somewhat like, for L2 VLANs, Q-in-Q, but there's much more that can be done with MPLS.
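Added example, not part of the original thread: a Python sketch of the "tag" described in the reply above, decoding a stacked MPLS shim header (RFC 3032 layout) and contrasting the fixed-length label lookup with a longest-prefix route lookup. The label values, interface names, prefixes and table contents are constructed for illustration.

```python
import ipaddress
import struct

def parse_label_stack(data: bytes):
    """Decode MPLS shim entries: 20-bit label, 3-bit TC, 1-bit S (bottom), 8-bit TTL."""
    stack, offset = [], 0
    while True:
        if offset + 4 > len(data):
            raise ValueError("truncated label stack: bottom-of-stack bit never seen")
        (word,) = struct.unpack_from("!I", data, offset)
        entry = {"label": word >> 12, "tc": (word >> 9) & 0x7,
                 "bottom": bool((word >> 8) & 0x1), "ttl": word & 0xFF}
        stack.append(entry)
        offset += 4
        if entry["bottom"]:
            return stack, data[offset:]  # whatever follows is the carried packet

def label_lookup(lfib: dict, label: int):
    """Switching: a single exact match on a fixed-length 20-bit key."""
    return lfib.get(label)

def route_lookup(rib: dict, dst: str):
    """Routing: longest-prefix match, trying prefix lengths from /32 down to /0."""
    addr = ipaddress.ip_address(dst)
    for plen in range(32, -1, -1):
        net = ipaddress.ip_network(f"{addr}/{plen}", strict=False)
        if net in rib:
            return rib[net]
    return None

# Constructed sample: outer transport label 16001, inner VPN label 24005 (S bit set).
SAMPLE = struct.pack("!II", (16001 << 12) | 64,
                     (24005 << 12) | (1 << 8) | 64) + b"payload"
# Constructed forwarding tables (hypothetical names).
LFIB = {16001: ("swap", 16002, "if1"), 24005: ("pop", None, "vrf-branch")}
RIB = {ipaddress.ip_network("10.0.0.0/8"): "core",
       ipaddress.ip_network("10.20.0.0/16"): "delhi",
       ipaddress.ip_network("10.20.30.0/24"): "delhi-branch-3"}

if __name__ == "__main__":
    stack, payload = parse_label_stack(SAMPLE)
    for e in stack:
        print(e, "->", label_lookup(LFIB, e["label"]))
    print(route_lookup(RIB, "10.20.30.7"), route_lookup(RIB, "10.20.99.1"))
```

The two stacked entries are the "multiple tags" case: the outer label carries the packet across the provider core, while the inner one selects the customer VPN at the egress router.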