Does MPLS route traffic over internet?

Hi all,

I have some questions regarding MPLS (which might be wrong or illogical in fact!), especially how the MPLS cloud actually works. Here they are:

1. My company has its Data Centre (DC) at Mumbai and we use MPLS for connecting the branch offices. Does the traffic from remote locations such as Delhi or Kolkata flow to the DC through something called 'MPLS over internet', or do the ISPs which maintain the MPLS cloud have any special means to connect the various provider routers across the country, separate from the internet?

2. I used to hear a lot about "clear crypto session" whenever there is a network failure. What exactly does "clear crypto session" do? Is it a feature of IPSec or MPLS?

Thanks in advance.

Jewed


6 REPLIES

VIP Expert

1. MPLS is a pure service provider network. (How they run it depends on their topology and on the network provider.)

2. clear crypto session - do you do this task, or does the provider do it? If you do it, do you have an IPSEC VPN with your branch office?

BB


*** Rate All Helpful Responses ***

1. Do you mean to say that ISPs route internet and MPLS traffic separately? For example, if we use MPLS of a particular ISP then how is traffic sent to the DC from remote locations such as Delhi?

2. I'm not sure if we use IPSec VPN as I'm working in a branch office, but often hear the term "clear crypto session" whenever there is a network failure. We contact the network team for "clear crypto".


VIP Expert

1. Do you mean to say that ISPs route internet and MPLS traffic separately? For example, if we use MPLS of a particular ISP then how is traffic sent to the DC from remote locations such as Delhi?

BB - We do not have that information; how the provider breaks out the traffic depends entirely on the provider, and this question needs to be asked of your provider.

In general, MPLS providers offer internet too (maybe on the same link or maybe on another link, depending on the requirement).

2. I'm not sure if we use IPSec VPN as I'm working in a branch office, but often hear the term "clear crypto session" whenever there is a network failure. We contact the network team for "clear crypto".

BB - You have not answered my original post: who does this task, the clear crypto? (Are you doing it personally at branch level, or head office, or a provider?) If you or your head office are doing it, then you are running a VPN tunnel over MPLS, and this looks like some config issue to me. We cannot confirm, as we have no visibility of your setup, how they are connected and configured. (You need to ask your HQ admin and see what answer you get.)

BB

"Clear crypto" is done by our network team at head office, when we inform them that we are not getting connected to the network. We at our branch office are not doing it because we don't have router access or the 'enable' password.

My question is, what does this "clear crypto session" do? Is it a feature of IPSec Tunnel only?

VIP Expert

clear crypto sa - This command deletes the active IPSec security associations between your branch office and head office and creates a fresh tunnel session; that is how you are able to communicate with your HQ normally.

You can explore this for your knowledge; it is well documented to understand IPSEC:

https://community.cisco.com/t5/security-documents/how-to-clear-isakmp-and-ipsec-sas-on-pix-firewalls-and-routers/ta-p/3126911

BB
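Before asking HQ to clear the SAs, a practitioner usually checks whether the SAs are actually stuck. The script below is an added example, not code from this thread or from Cisco: it parses text in the shape of IOS `show crypto isakmp sa` and `show crypto ipsec sa` output (both samples are constructed for the example, and the column layout is an assumption about the IOS format) and reports, per peer, whether the IKE SA reached QM_IDLE and whether traffic is flowing both ways. A peer whose IKE state is not QM_IDLE, or that encrypts but never decrypts, is the case where `clear crypto sa` and a fresh negotiation helps; a peer reported healthy will not be fixed by clearing it.

```python
"""IPsec tunnel triage from IOS-style `show crypto` output (added example).

The two samples are constructed in the shape of `show crypto isakmp sa` and
`show crypto ipsec sa`; the exact column layout of real IOS output is an
assumption here, so adjust the regexes if your platform prints it differently.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ISAKMP_SAMPLE = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
203.0.113.2     198.51.100.1    QM_IDLE           1005 ACTIVE
203.0.113.9     198.51.100.1    MM_NO_STATE       1006 ACTIVE (deleted)
"""

IPSEC_SAMPLE = """\
interface: GigabitEthernet0/0
    Crypto map tag: HQ-MAP, local addr 198.51.100.1

   current_peer 203.0.113.2 port 500
    #pkts encaps: 18342, #pkts encrypt: 18342, #pkts digest: 18342
    #pkts decaps: 18201, #pkts decrypt: 18201, #pkts verify: 18201

   current_peer 203.0.113.9 port 500
    #pkts encaps: 4410, #pkts encrypt: 4410, #pkts digest: 4410
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

# One ISAKMP table row: dst (remote peer), src (local address), state, conn-id, status.
ISAKMP_ROW = re.compile(
    r"^(?P<dst>\d+\.\d+\.\d+\.\d+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<state>\S+)\s+(?P<conn>\d+)\s+(?P<status>\S+)", re.M)
# One peer section of the IPsec SA output, running up to the next current_peer line.
PEER_BLOCK = re.compile(
    r"current_peer (?P<peer>\S+) port \d+(?P<body>.*?)(?=current_peer|\Z)", re.S)

@dataclass
class PeerHealth:
    peer: str
    ike_state: Optional[str]   # e.g. "QM_IDLE"; None if the peer has no IKE SA at all
    encaps: int                # packets this router encrypted toward the peer
    decaps: int                # packets it decrypted from the peer

    @property
    def ike_ok(self) -> bool:
        # QM_IDLE is the only steady state of an established IKEv1 SA.
        return self.ike_state == "QM_IDLE"

    @property
    def one_way(self) -> bool:
        # Sending but never receiving is the classic symptom of a stale SA on one side.
        return self.encaps > 0 and self.decaps == 0

    @property
    def verdict(self) -> str:
        if not self.ike_ok:
            return "ike-not-established"
        if self.one_way:
            return "one-way-traffic"
        return "healthy"

def parse_isakmp(text: str) -> Dict[str, str]:
    """Remote peer address -> IKE state."""
    return {m["dst"]: m["state"] for m in ISAKMP_ROW.finditer(text)}

def parse_ipsec(text: str) -> Dict[str, Tuple[int, int]]:
    """Remote peer address -> (encaps, decaps) packet counters."""
    counters = {}
    for m in PEER_BLOCK.finditer(text):
        enc = re.search(r"#pkts encaps: (\d+)", m["body"])
        dec = re.search(r"#pkts decaps: (\d+)", m["body"])
        counters[m["peer"]] = (int(enc[1]) if enc else 0, int(dec[1]) if dec else 0)
    return counters

def triage(isakmp_text: str, ipsec_text: str) -> Dict[str, PeerHealth]:
    """Join both views per peer; any peer seen in either output gets a verdict."""
    ike, counters = parse_isakmp(isakmp_text), parse_ipsec(ipsec_text)
    report = {}
    for peer in sorted(set(ike) | set(counters)):
        enc, dec = counters.get(peer, (0, 0))
        report[peer] = PeerHealth(peer, ike.get(peer), enc, dec)
    return report

def peers_to_reset(report: Dict[str, PeerHealth]) -> List[str]:
    """Peers where `clear crypto sa` (forcing renegotiation) is a reasonable next step."""
    return [p for p, h in report.items() if h.verdict != "healthy"]

if __name__ == "__main__":
    result = triage(ISAKMP_SAMPLE, IPSEC_SAMPLE)
    for peer, h in result.items():
        print(f"{peer:15} ike={h.ike_state or '-':12} encaps={h.encaps:6} "
              f"decaps={h.decaps:6} -> {h.verdict}")
    print("candidates for clear crypto sa:", peers_to_reset(result))
```

To use it on a real router, paste the two `show` outputs in place of the samples (or read them from files). Peers listed by peers_to_reset are the ones worth clearing; a peer reported healthy points to a problem elsewhere (routing, ACLs, the MPLS path) that clearing the SA would not address.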

Hall of Fame Expert

#1 No, generally you don't do MPLS over Internet, but the Internet might be running over MPLS.  In fact, I suspect your WAN provider is really providing your company a L3 VPN over MPLS, i.e. your devices connecting to the "MPLS" probably aren't doing actual MPLS.

#2 Interesting!  Why?  I've done a bit of VPN, using IPSec, over the Internet, and routinely didn't need to clear crypto sessions.  What the command does, as already noted by Balaji, is reset the crypto session(s).  Effectively, it's starting over.  Also it's related to IPSec, not MPLS.

BTW, MPLS is somewhat like L2 VLANs, in that a "tag" is attached to the frame/packet so that it may be forwarded, using switching techniques (fixed-length matching) rather than routing techniques (variable-length matching).  It was originally designed to provide a way to "speed up" forwarding of L3 traffic.  With current hardware, the improvement isn't nearly as great as it once was.  However, because of the tag(s) (you can have multiple on a frame/packet), other interesting things can be done.  For example, somewhat like, for L2 VLANs, Q-in-Q, but there's much more that can be done with MPLS.
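The contrast the post draws, fixed-length label matching in the core versus variable-length prefix matching at the edge, together with the two-label stack an L3 VPN over MPLS uses, can be modelled in a few dozen lines. The following is an added example written for this page, not code from the post or from any vendor; the topology (CE-A, PE1, P1, P2, PE2, CE-B), the label values and the prefixes are all constructed. Only the two PE routers ever look at the customer's IP header; the P routers forward on the top label alone, and the penultimate P router pops it so the egress PE sees just the VPN label that selects the customer VRF.

```python
"""Toy MPLS L3 VPN forwarding model (added example; topology and labels are made up)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Optional, Tuple

@dataclass
class Packet:
    dst: str                                          # destination of the customer's IP packet
    labels: List[int] = field(default_factory=list)   # label stack; top of stack = last element

class IPRouter:
    """Variable-length matching: the longest matching prefix wins (an IP FIB)."""
    def __init__(self, routes: List[Tuple[str, str]]):
        self.routes = [(ip_network(p), nh) for p, nh in routes]

    def lookup(self, dst: str) -> Optional[str]:
        addr, best = ip_address(dst), None
        for net, nh in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return best[1] if best else None

@dataclass
class LabelEntry:
    action: str                  # "swap" or "pop"
    next_hop: str
    out_label: Optional[int] = None

class LSR:
    """Fixed-length matching: exact lookup on the top label (an LFIB).
    The IP header underneath is never examined."""
    def __init__(self, lfib: Dict[int, LabelEntry]):
        self.lfib = lfib

    def forward(self, pkt: Packet) -> str:
        entry = self.lfib[pkt.labels[-1]]    # KeyError = no binding for this label: drop
        if entry.action == "swap":
            pkt.labels[-1] = entry.out_label
        elif entry.action == "pop":
            pkt.labels.pop()
        return entry.next_hop

# Constructed topology: CE-A - PE1 - P1 - P2 - PE2 - CE-B, one customer VRF.
VRF_PE1 = IPRouter([("10.2.0.0/16", "PE2"), ("10.0.0.0/8", "CE-A")])   # PE1's VRF routing table
VRF_PE2 = IPRouter([("10.2.0.0/16", "CE-B"), ("10.0.0.0/8", "PE1")])   # PE2's VRF routing table
VPN_LABEL = {"PE2": 300}             # inner label PE2 advertised for this VRF (constructed)
TRANSPORT = {"PE2": (1001, "P1")}    # outer label and next hop of PE1's LSP toward PE2
VRF_BY_LABEL = {300: VRF_PE2}        # at the egress PE the VPN label selects the VRF

def pe1_ingress(pkt: Packet) -> str:
    """Ingress PE: the only prefix lookup on the way in, then push two labels."""
    egress = VRF_PE1.lookup(pkt.dst)
    if egress in TRANSPORT:
        out_label, nh = TRANSPORT[egress]
        pkt.labels.append(VPN_LABEL[egress])   # inner (VPN) label first ...
        pkt.labels.append(out_label)           # ... then the outer (transport) label on top
        return nh
    return egress                              # locally attached customer site

def pe2_egress(pkt: Packet) -> str:
    """Egress PE: pop the VPN label, which tells it whose VRF to route in."""
    vrf = VRF_BY_LABEL[pkt.labels.pop()]
    return vrf.lookup(pkt.dst)

NODES: Dict[str, Callable[[Packet], str]] = {
    "PE1": pe1_ingress,
    "P1": LSR({1001: LabelEntry("swap", "P2", out_label=1002)}).forward,
    "P2": LSR({1002: LabelEntry("pop", "PE2")}).forward,   # penultimate-hop pop
    "PE2": pe2_egress,
}

def trace(dst: str) -> List[Tuple[str, List[int]]]:
    """Walk a packet from PE1 and record (node reached, label stack on arrival)."""
    pkt, node = Packet(dst), "PE1"
    path = [(node, list(pkt.labels))]
    while node in NODES:                       # stop once we hand off to a CE
        node = NODES[node](pkt)
        path.append((node, list(pkt.labels)))
    return path

if __name__ == "__main__":
    for node, stack in trace("10.2.5.7"):
        print(f"{node:5} labels={stack}")
```

trace() returns the label stack as each node receives it, so you can see the double push at PE1, the swap at P1, the penultimate-hop pop at P2 and the VPN-label pop at PE2. A label a core router has no binding for raises KeyError, standing in for the drop a real LSR would do; that the core never reads the inner IP header is also why a provider can carry many customers' overlapping private address space without any of them seeing the others' prefixes.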
